FastNetMon Radware Integration

You can use FastNetMon Advanced as a DDoS detection sensor for Radware DefenseFlow. In this setup FastNetMon detects the attack and triggers mitigation through the DefenseFlow and APSolute Vision (APSVision) API.

Capabilities

The integration tool supports two notification modes:

  • Per host attack alerts
  • Per hostgroup attack alerts

In both modes it offers full IPv6 support and can pass baseline information to DefenseFlow.

For per-host attack alerts, FastNetMon can pass the following information:

  • Hostgroup – will be used as the protected object on the DefenseFlow side
  • Attack’s performance (traffic rate)
  • Attack’s protocol – UDP, TCP, ICMP or OTHER
  • Attack’s source port
  • Attack’s destination port
  • Up to 50 source hosts (/32)
  • Host affected by attack (/32)

For per-hostgroup attacks, less information is available because FastNetMon does not capture a traffic sample for the attack:

  • Hostgroup – will be used as the protected object on the DefenseFlow side
  • Attack’s performance (traffic rate)
  • List of all networks which belong to the hostgroup

Configure DefenseFlow

As the first step, create a protected object in DefenseFlow and specify the protected networks in it. The integration passes the FastNetMon hostgroup name as the protected object, so the protected object name in DefenseFlow should match the hostgroup name.

Configure integration

The integration is configured in JSON. Create /etc/fastnetmon_radware.json with the following content (the values shown are examples). Because the file stores Vision credentials, restrict it to root (chmod 600). Note that "skip_ssl_verification": true disables certificate checking of the Vision API and is only acceptable in a lab; in production install Vision's certificate chain on the FastNetMon host and set it to false.

{
    "log_path":"/tmp/fastnetmon_radware_go_notify_script.log",
    "vision_ip": "192.168.1.38",
    "vision_username": "radware",
    "vision_password": "radware",
    "skip_ssl_verification": true,
    "skip_source_networks": true,
    "pass_baseline": false,
    "clickhouse_host": "127.0.0.1",
    "clickhouse_port": 9000,
    "clickhouse_database": "fastnetmon",
    "clickhouse_user": "default",
    "clickhouse_password": ""
}

The integration supports a secondary (HA) Vision instance. Enable it by adding the following keys to the same file:

"secondary_vision": true,
"secondary_vision_ip": "11.11.11.11",
"secondary_vision_username": "radware",
"secondary_vision_password": "secret_password",

Alternatively, you can manage the plugin’s configuration with fcli:

sudo fcli set plugin radware_defense_flow vision_ip 192.168.1.38
sudo fcli set plugin radware_defense_flow vision_username admin
sudo fcli set plugin radware_defense_flow vision_password radware
sudo fcli set plugin radware_defense_flow log_path /tmp/fastnetmon_radware_go_notify_script.log
sudo fcli set plugin radware_defense_flow skip_source_networks enable
sudo fcli set plugin radware_defense_flow skip_ssl_verification enable
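Several values in the sample configuration are lab settings (TLS verification off, a log file under /tmp, documentation placeholder passwords), so a reviewer will want to audit the file before the sensor goes live. The following Python script is an added example, not part of FastNetMon or the Radware plugin. It only knows the keys shown in the sample /etc/fastnetmon_radware.json and the HA keys above; the rules it applies (the placeholder-password list, the world-writable log directories, the requirement that skip_source_networks stay true while the issue described under Known issues stands) are the editor's assumptions, not vendor requirements.

```python
"""Audit a FastNetMon Radware plugin configuration for weak settings.

Added example, not FastNetMon or Radware code. It knows only the keys shown in the
sample /etc/fastnetmon_radware.json plus the HA keys; the rules are the reviewer's.
"""
import json
import os
import stat
import sys

# Constructed input: the page's sample configuration, trimmed to the keys the
# checks read, with the HA keys merged in.
SAMPLE_CONFIG = """{
    "log_path": "/tmp/fastnetmon_radware_go_notify_script.log",
    "vision_ip": "192.168.1.38", "vision_username": "radware", "vision_password": "radware",
    "secondary_vision": true, "secondary_vision_ip": "11.11.11.11",
    "secondary_vision_username": "radware", "secondary_vision_password": "secret_password",
    "skip_ssl_verification": true, "skip_source_networks": true,
    "clickhouse_host": "127.0.0.1", "clickhouse_password": ""
}"""

# Passwords that appear in documentation and must never reach production.
PLACEHOLDER_PASSWORDS = {"", "radware", "secret_password"}
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
LOCAL_HOSTS = {"127.0.0.1", "::1", "localhost"}


def audit_config(cfg):
    """Return (key, problem) pairs for settings a reviewer would reject."""
    findings = []
    # Credentials go to vision_ip over HTTPS. With verification off, anyone who
    # can redirect that traffic captures them and can inject or drop mitigations.
    if cfg.get("skip_ssl_verification", False):
        findings.append(("skip_ssl_verification",
                         "TLS verification disabled; trust the Vision CA and set false"))
    password_keys = ["vision_password"]
    if cfg.get("secondary_vision"):
        password_keys.append("secondary_vision_password")
        # A secondary Vision is only reachable if every secondary_* field is set.
        for key in ("secondary_vision_ip", "secondary_vision_username"):
            if not cfg.get(key):
                findings.append((key, "required when secondary_vision is true"))
    for key in password_keys:
        if cfg.get(key, "") in PLACEHOLDER_PASSWORDS:
            findings.append((key, "empty or documentation placeholder password"))
    # A log in a world-writable directory can be pre-created or symlinked by any
    # local user before the root-run plugin opens it.
    if cfg.get("log_path", "").startswith(WORLD_WRITABLE_DIRS):
        findings.append(("log_path", "world-writable directory; use /var/log/fastnetmon/"))
    # Known issue on this page: DefenseFlow cannot withdraw a mitigation when the
    # block and unblock callbacks carry different source networks.
    if not cfg.get("skip_source_networks", False):
        findings.append(("skip_source_networks", "set true until the unblock mismatch is fixed"))
    # An empty ClickHouse password is tolerable only for a loopback listener.
    if cfg.get("clickhouse_password", "") == "" and cfg.get("clickhouse_host") not in LOCAL_HOSTS:
        findings.append(("clickhouse_password", "empty password for a remote ClickHouse host"))
    return findings


def audit_file_mode(path):
    """The file holds Vision credentials: root-owned, no group/other access."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append((path, f"mode {oct(mode)} is accessible to group/other; chmod 600"))
    if st.st_uid != 0:
        findings.append((path, f"owned by uid {st.st_uid}, expected root"))
    return findings


def audit_path(path):
    """Audit both the contents and the permissions of an on-disk config file."""
    with open(path) as fh:
        return audit_config(json.load(fh)) + audit_file_mode(path)


def audit_sample():
    """Findings for the constructed sample above (used for self-checking)."""
    return audit_config(json.loads(SAMPLE_CONFIG))


# The same configuration with the weak settings corrected; audit_config() returns [].
HARDENED_CONFIG = dict(json.loads(SAMPLE_CONFIG),
                       skip_ssl_verification=False,
                       log_path="/var/log/fastnetmon/radware_notify.log",
                       vision_password="replace-with-a-vault-managed-secret",
                       secondary_vision_password="replace-with-another-vault-managed-secret")

if __name__ == "__main__":
    # Audit the real file if present, otherwise demonstrate on the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/fastnetmon_radware.json"
    problems = audit_path(target) if os.path.exists(target) else audit_sample()
    for key, problem in problems:
        print(f"{key}: {problem}")
    sys.exit(1 if problems else 0)
```

Run it as root on the FastNetMon host; a non-zero exit code with one line per finding makes it usable as a pre-deployment check. On the sample configuration it flags the disabled TLS verification, both placeholder passwords and the /tmp log path, and returns nothing for the hardened variant.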

Configure FastNetMon for per-host callbacks

Before enabling this integration, make sure you have configured hostgroups following our official guide.

To enable per-host callbacks, point FastNetMon’s notify script at the integration tool:

sudo fcli set main notify_script_enabled enable
sudo fcli set main notify_script_format json
sudo fcli set main notify_script_path /opt/fastnetmon/libraries/radware_plugin/radware_notify_script
sudo fcli commit

To confirm that the integration works, trigger a test ban of an example host:

sudo fcli set blackhole 11.22.33.44

To unban the host, first list the active blocks:

sudo fcli show blackhole

Then use the UUID shown next to the blocked host to remove the block (replace the UUID below with the real one):

sudo fcli delete blackhole 777f81c4-e352-4c69-a193-7a82ee429562

Configure FastNetMon for per-hostgroup callbacks

In this mode, FastNetMon alerts DefenseFlow when the total traffic to the specified hostgroup (protected object) exceeds the configured threshold.

sudo fcli set main notify_script_hostgroup_enabled enable
sudo fcli set main notify_script_hostgroup_path /opt/fastnetmon/libraries/radware_plugin/radware_notify_script
sudo fcli commit

Run test block:

sudo fcli set hostgroup_block test_total_group

To unblock it, list all active hostgroup blocks:

sudo fcli show hostgroup_block

and remove the block using the UUID from the previous command:

sudo fcli delete hostgroup_block {uuid}

Known issues

In the current version of the integration, DefenseFlow cannot withdraw a mitigation when the list of source networks in the unblock callback does not match the list sent in the block callback. Until this is fixed, keep source networks out of the callbacks by leaving this option enabled:

"skip_source_networks": true