Traffic buffer capability to speed up attack detection

We’ve introduced a traffic buffer that stores every packet received by FastNetMon in a compact in-memory store. When FastNetMon detects an attack (when a host crosses a threshold), it uses the traffic buffer to retrieve all flows or packets that arrived for that host before the attack was detected. This way, we can immediately trigger a blackhole or BGP Flow Spec announcement instead of waiting for more traffic to arrive.

It reduces attack detection time by at least 15-90 seconds.

To use all capabilities on this page, you need to upgrade FastNetMon to version 2.0.314.

To enable this logic, you will need:

sudo fcli set main traffic_buffer enable

The traffic buffer keeps all traffic for the sFlow, NetFlow, IPFIX and Tera Flow protocols by default. To enable the traffic buffer for port mirror, you need to set this flag:

sudo fcli set main traffic_buffer_port_mirror true

Pay careful attention when using this option in a non-sampled port mirror setup, as the number of packets will be very high and it may degrade performance. We do recommend using this flag only for sampled port mirror setups.

Next, set buffer size:

sudo fcli set main traffic_buffer_size 100000

Buffer size calculation may be tricky as it should accommodate all traffic processed by FastNetMon for average_calculation_time seconds.

To get the number for a specific installation, you will need to get the number of arriving flows per second in the following way:

sudo fcli show system_counters | grep netflow_all_protocols_total_flows_speed

For sFlow-based capture, you need to use a different value:

sudo fcli show system_counters | grep sflow_raw_packet_headers_total_speed

And then multiply one of these values by average_calculation_time. After that, we recommend doubling or even tripling this value to cover possible spikes during peak time or attacks.
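The sizing procedure above, carried out as an added example (this is not a script shipped with FastNetMon). It assumes that `fcli show system_counters` prints one counter per line as `<name> <value>`, matching the traffic_buffer_duration output shown on this page, and uses a constructed counter dump and an assumed average_calculation_time of 60 seconds; replace both with the values from your own installation.

```shell
#!/bin/sh
# Added example, not part of the FastNetMon documentation or product.
# Computes a traffic_buffer_size from the flow/packet rate counter and
# average_calculation_time, then checks the runtime duration metric.

# Constructed sample standing in for: sudo fcli show system_counters
# (assumed format: counter name, whitespace, integer value)
SAMPLE_COUNTERS='netflow_all_protocols_total_flows_speed              1250
sflow_raw_packet_headers_total_speed                 0
traffic_buffer_duration_seconds_ipv4                 77
traffic_buffer_duration_seconds_ipv6                 0'

# Assumed value; use your configured average_calculation_time instead.
AVG_CALC_TIME=60

# counter_value <counters-text> <counter-name>: prints the value, or 0 if absent
counter_value() {
    printf '%s\n' "$1" | awk -v name="$2" \
        '$1 == name { print $2; found = 1 } END { if (!found) print 0 }'
}

# pick_rate <counters-text>: NetFlow/IPFIX installs report flows per second,
# sFlow installs report raw packet headers per second; take the active one.
pick_rate() {
    flows=$(counter_value "$1" netflow_all_protocols_total_flows_speed)
    packets=$(counter_value "$1" sflow_raw_packet_headers_total_speed)
    if [ "$flows" -gt "$packets" ]; then echo "$flows"; else echo "$packets"; fi
}

# recommended_buffer_size <rate> <average_calculation_time> <headroom>:
# the buffer must hold rate * window entries, multiplied by 2 or 3 for spikes.
recommended_buffer_size() {
    echo $(( $1 * $2 * $3 ))
}

# buffer_covers_window <counters-text> <average_calculation_time>:
# succeeds when traffic_buffer_duration_seconds_ipv4 covers the window.
buffer_covers_window() {
    dur=$(counter_value "$1" traffic_buffer_duration_seconds_ipv4)
    [ "$dur" -ge "$2" ]
}

rate=$(pick_rate "$SAMPLE_COUNTERS")
echo "rate per second:        $rate"
echo "buffer size (x2):       $(recommended_buffer_size "$rate" "$AVG_CALC_TIME" 2)"
echo "buffer size (x3):       $(recommended_buffer_size "$rate" "$AVG_CALC_TIME" 3)"
if buffer_covers_window "$SAMPLE_COUNTERS" "$AVG_CALC_TIME"; then
    echo "current buffer covers the $AVG_CALC_TIME second window"
else
    echo "current buffer is too small for the $AVG_CALC_TIME second window"
fi
```

On a live system, replace SAMPLE_COUNTERS with `$(sudo fcli show system_counters)` and feed the x2 or x3 result to `sudo fcli set main traffic_buffer_size`; re-check the duration metric afterwards, since it is the figure that tells you whether the buffer really spans average_calculation_time under current load.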

In addition to this, we have a runtime metric which shows how long, in seconds, FastNetMon can keep your traffic in memory:

sudo fcli show system_counters | grep traffic_buffer_duration

Example output:

traffic_buffer_duration_seconds_ipv4                   77
traffic_buffer_duration_seconds_ipv6                   0

We do not recommend using the traffic buffer capability in Flow Spec mitigation mode in a production environment, as it may have detection issues, but feel free to try it in a lab environment.

Please note that, for performance reasons, the traffic buffer does not store packet payload, and the configuration option collect_attack_pcap_dumps will not produce pcap dumps while the traffic buffer is enabled.

Starting from 2.0.373, you can get the content of the traffic buffer for a specific IP using the following commands:

sudo fcli show traffic_buffer 10.1.1.1