This guide will provide detailed information about FastNetMon attack detection logic in blackhole mode.
FastNetMon checks every host against the thresholds specified in the hostgroup configuration once per second. When any of your hosts crosses a threshold, FastNetMon creates a “traffic capture request”.
After the capture request is created, FastNetMon collects all traffic to the specified host. By default, FastNetMon captures 500 packets (for mirror/SPAN mode) or 20 packets (for sFlow v5, Netflow, IPFIX).
You can change this value this way:
sudo fcli set main ban_details_records_count 5
sudo fcli commit
If you enable the traffic buffer capability, this step is skipped and the attack is triggered immediately. In this case FastNetMon retrieves the attack sample from the in-memory traffic buffer, which stores packets and flows for the last X seconds.
This sample is used for script callbacks and email alerts.
If FastNetMon cannot capture this number of packets within 120 seconds (you cannot change this value), it treats the “traffic capture request” as orphaned and removes it completely.
You can find such cases in log file /var/log/fastnetmon/fastnetmon.log:
[WARN] We've found orphaned bucket for IP: 10.251.23.1
[WARN] It has 3 parsed packets
[WARN] And 3 raw packets
[WARN] We will remove it
In this case, FastNetMon declares the attack a false positive and does not apply any actions.
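Orphaned buckets are the log-visible trace of false positives, so counting them per host is a quick way to spot a hostgroup threshold that is set too low. The following Python is an added example, not part of the FastNetMon documentation or code: it walks a log text, groups each four-line orphaned-bucket warning into one record and tallies them by IP. The sample log is constructed from the format quoted above; a real fastnetmon.log carries a timestamp prefix, which is why the patterns are searched rather than matched from the start of the line.

```python
import re
from collections import Counter

# Constructed sample of /var/log/fastnetmon/fastnetmon.log content, modelled on the
# orphaned-bucket warnings quoted in the guide (the surrounding lines are assumed).
SAMPLE_LOG = """\
[WARN] We've found orphaned bucket for IP: 10.251.23.1
[WARN] It has 3 parsed packets
[WARN] And 3 raw packets
[WARN] We will remove it
[INFO] unrelated line that must be ignored
[WARN] We've found orphaned bucket for IP: 10.251.23.7
[WARN] It has 0 parsed packets
[WARN] And 0 raw packets
[WARN] We will remove it
[WARN] We've found orphaned bucket for IP: 10.251.23.1
[WARN] It has 12 parsed packets
[WARN] And 15 raw packets
[WARN] We will remove it
"""

ORPHAN_RE = re.compile(r"orphaned bucket for IP: (\S+)")
PARSED_RE = re.compile(r"It has (\d+) parsed packets")
RAW_RE = re.compile(r"And (\d+) raw packets")


def parse_orphaned_buckets(log_text):
    """Return one dict per orphaned capture request: ip, parsed and raw packet counts.

    The four warning lines belong together; a record is emitted only when the closing
    "We will remove it" line is seen, so a truncated group at the end of a log is dropped.
    """
    events = []
    current = None
    for line in log_text.splitlines():
        m = ORPHAN_RE.search(line)
        if m:
            current = {"ip": m.group(1), "parsed": None, "raw": None}
            continue
        if current is None:
            continue  # not inside an orphaned-bucket group
        m = PARSED_RE.search(line)
        if m:
            current["parsed"] = int(m.group(1))
            continue
        m = RAW_RE.search(line)
        if m:
            current["raw"] = int(m.group(1))
            continue
        if "We will remove it" in line:
            events.append(current)
            current = None
    return events


def orphan_counts_by_ip(log_text):
    """Number of orphaned (false-positive) capture requests per host."""
    return Counter(e["ip"] for e in parse_orphaned_buckets(log_text))


if __name__ == "__main__":
    for ip, n in orphan_counts_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} orphaned capture request(s)")
```

A host that shows up repeatedly here crossed its threshold often enough to open capture requests but never produced the configured number of packets, which points at the threshold rather than at an attack.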
If you use sampled Netflow/IPFIX/sFlow v5, you can reduce this value to 2-3 packets or even to a single packet. FastNetMon will then block the host almost immediately after receiving the initial alert, but this increases FastNetMon’s sensitivity to an undesirable level.
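To make the lifecycle concrete, here is a small Python model of the decision loop this guide describes: a per-second threshold check that opens a capture request, confirmation once ban_details_records_count sampled packets have arrived, and the fixed 120-second orphan timeout that turns an unfilled request into a false positive. This is added example code, not FastNetMon's own implementation; the hosts, packet rates and sample counts are constructed, and the traffic buffer path is not modelled. Running it with 20 records and then with 1 shows the trade-off from the paragraph above: a one-second spike is discarded as orphaned at the default, but blocked on the spot once a single packet is enough.

```python
from dataclasses import dataclass, field

# Fixed in FastNetMon according to the guide; not configurable.
ORPHAN_TIMEOUT_S = 120


@dataclass
class CaptureRequest:
    host: str
    created_at: int
    collected: int = 0  # sampled packets gathered so far


@dataclass
class Detector:
    """Toy model of the blackhole-mode decision loop (example code, not FastNetMon's)."""
    threshold_pps: int
    ban_details_records_count: int  # packets needed before the attack is confirmed
    requests: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)
    confirmed: list = field(default_factory=list)  # (host, second confirmed)
    orphaned: list = field(default_factory=list)   # (host, second removed, packets collected)

    def tick(self, now, rates, samples):
        """One per-second check.

        rates:   host -> packets/s seen this second (compared against the threshold)
        samples: host -> sampled packets delivered to the capture request this second
        """
        # 1. Threshold check: open a capture request for any host that crosses it.
        for host, pps in rates.items():
            if pps > self.threshold_pps and host not in self.requests and host not in self.blocked:
                self.requests[host] = CaptureRequest(host, now)
        # 2. Feed open requests; confirm when enough packets arrive, expire when stale.
        for host in list(self.requests):
            req = self.requests[host]
            req.collected += samples.get(host, 0)
            if req.collected >= self.ban_details_records_count:
                self.confirmed.append((host, now))  # callbacks and e-mail alerts fire here
                self.blocked.add(host)
                del self.requests[host]
            elif now - req.created_at >= ORPHAN_TIMEOUT_S:
                self.orphaned.append((host, now, req.collected))  # declared a false positive
                del self.requests[host]


def run_scenario(records_count, threshold_pps=1000, duration_s=130):
    """Constructed traffic: 10.0.0.1 floods continuously and one sampled packet per second
    reaches the collector; 10.0.0.2 crosses the threshold for a single second only."""
    det = Detector(threshold_pps, records_count)
    for now in range(duration_s):
        rates = {"10.0.0.1": 5000, "10.0.0.2": 2000 if now == 0 else 0}
        samples = {"10.0.0.1": 1, "10.0.0.2": 1 if now == 0 else 0}
        det.tick(now, rates, samples)
    return det.confirmed, det.orphaned


if __name__ == "__main__":
    for n in (20, 1):
        confirmed, orphaned = run_scenario(n)
        print(f"ban_details_records_count={n}: confirmed={confirmed} orphaned={orphaned}")
```

With the default of 20 the sustained flood is confirmed after 20 sampled packets and the spike is orphaned at 120 seconds with a single packet in its bucket; with the count lowered to 1 both hosts are blocked in the very first second, which is exactly the extra sensitivity the guide warns about.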