FastNetMon is a baseline/threshold-based DDoS detection engine, which means you need to set the level of traffic that FastNetMon will consider an attack.
By default, FastNetMon has a global hostgroup which keeps thresholds for all hosts in your network.
To set the level of traffic which FastNetMon will consider an attack, we need to make some configuration adjustments.
As an example, we will trigger attack detection for hosts which are receiving more than 100 Mbps of incoming traffic:
sudo fcli set hostgroup global threshold_mbps 100
sudo fcli set hostgroup global ban_for_bandwidth enable
sudo fcli commit
Then we need to enable the attack detection action for all hosts in our network this way:
sudo fcli set hostgroup global enable_ban enable
sudo fcli commit
After that, we need to specify that we need attack detection only in the incoming direction, as DDoS is mostly coming from the outside:
sudo fcli set hostgroup global enable_ban_incoming enable
sudo fcli commit
If you would like to configure attack detection in the outgoing direction, you will need to apply the following commands:
sudo fcli set hostgroup global enable_ban_outgoing enable
sudo fcli set main per_direction_hostgroup_thresholds enable
sudo fcli set main do_not_ban_outgoing disable
sudo fcli commit
And then set thresholds in the outgoing direction too:
sudo fcli set hostgroup global threshold_mbps_outgoing 100
sudo fcli set hostgroup global ban_for_bandwidth_outgoing enable
sudo fcli commit
FastNetMon has multiple pre-defined threshold types and you can find all of them on this page. You can enable multiple thresholds at the same time.
In addition to pre-defined thresholds, you can create completely custom thresholds using arbitrary information about traffic from Layers 3 and 4 of the OSI model using the flexible thresholds capability.
For networks with multiple types of client traffic profiles, you may prefer to set different thresholds for different groups of your networks. We call these per-network threshold configurations hostgroups, and you may create any number of them using this guide.
To help you with threshold configuration, we have a tool which can provide baseline recommendations using your historical traffic data.