25.02.2018

FastNetMon Advanced BGP mitigation modes

FastNetMon can work in two mutually exclusive modes:
– BGP Blackhole
– BGP Flow spec

In BGP Blackhole mode FastNetMon announces the attacked host in your network (or the subnet containing it) with a specified BGP community. You can use this approach to divert traffic to a cloud scrubbing center, or to block all traffic (incoming and outgoing) to that host inside your network. Note that a pure blackhole protects the rest of your network at the cost of taking the announced host completely offline for the duration of the announcement.

In this mode FastNetMon tracks a number of counters for each host in your network (bytes, packets and flows per second, broken down by traffic type). If a host crosses a configured threshold, FastNetMon creates the BGP announcement automatically. FastNetMon has options to exclude hosts in your network from any ban action (whitelist). It can also completely ignore traffic to or from specified remote hosts (whitelist_remote), which is useful for backup servers that legitimately move a lot of traffic. If you need DDoS detection only for incoming or only for outgoing attacks, enable only the relevant traffic direction (process_incoming_traffic and process_outgoing_traffic).

To switch FastNetMon to BGP Flow spec mode you need to enable Flow spec globally (set main gobgp_flow_spec_announces enable) and activate the Flow spec NLRI/address family for at least one BGP peering session (set bgp connection_to_my_router ipv4_flowspec enable, where connection_to_my_router is the name of your BGP peer configuration).

In this mode FastNetMon also keeps traffic counters for each host in your network, but the action taken when a host crosses its baseline is different. Instead of blocking the host immediately, FastNetMon tries to collect a traffic sample (from 20 to 500 packets) for the affected host. If it can collect the required amount of traffic, it uses our own attack detection engine to identify the attack's traffic within the sample and to create filtering rules. This engine works only at L3 and L4 and has no options to inspect packet payloads.

FastNetMon uses a statistical approach and can easily find popular attack types (all kinds of amplification, floods from a few IP addresses). But it is important to set fairly high baseline values, so that the attack makes up a significant share of the collected sample rather than being diluted by legitimate traffic.
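The following is an added example written for this page, not FastNetMon's own detection engine. It walks through the two steps described above: per-host pps/bps counters checked against a threshold, then a statistical pass over the victim's sample that keeps only the L3/L4 fields whose dominant value covers most of the packets. The traffic, the addresses, the 1-second window, the 90% dominance ratio and the packet tuple layout are all constructed assumptions for illustration.

```python
"""Toy threshold detection plus sample-based Flow spec rule derivation.
Example code written for this page; not FastNetMon's implementation."""
from collections import Counter
import ipaddress
import random

# Constructed sample traffic: (src_ip, dst_ip, proto, src_port, dst_port, bytes).
# proto 17 = UDP, 6 = TCP. All packets are assumed to fall in one 1-second window,
# so packet and byte counts double as per-second rates.
OUR_NETWORK = ipaddress.ip_network("203.0.113.0/24")  # assumed "our" prefix

def build_amplification_sample():
    rng = random.Random(1)  # fixed seed so the results are reproducible
    pkts = []
    # Normal HTTPS traffic to a host that is not under attack
    for i in range(50):
        pkts.append((f"198.51.100.{i % 20 + 1}", "203.0.113.10", 6, rng.randint(1024, 65535), 443, 600))
    # DNS amplification towards the victim: 200 reflectors, all with source port 53
    for i in range(2000):
        pkts.append((f"192.0.2.{i % 200 + 1}", "203.0.113.20", 17, 53, rng.randint(1024, 65535), 1400))
    # A little legitimate HTTPS traffic to the victim mixed into the sample
    for i in range(40):
        pkts.append((f"198.51.100.{i % 20 + 1}", "203.0.113.20", 6, rng.randint(1024, 65535), 443, 600))
    return pkts

def build_syn_flood_sample():
    rng = random.Random(2)
    attackers = ["192.0.2.250", "192.0.2.251", "192.0.2.252"]  # flood from a few sources
    pkts = [(attackers[i % 3], "203.0.113.30", 6, rng.randint(1024, 65535), 80, 60) for i in range(1500)]
    pkts += [(f"198.51.100.{i % 20 + 1}", "203.0.113.30", 6, rng.randint(1024, 65535), 80, 600) for i in range(40)]
    return pkts

def incoming_counters(pkts):
    """Per-host packets/s and bits/s for incoming traffic (destination inside OUR_NETWORK)."""
    pps, bps = Counter(), Counter()
    for _src, dst, _proto, _sport, _dport, size in pkts:
        if ipaddress.ip_address(dst) in OUR_NETWORK:
            pps[dst] += 1
            bps[dst] += size * 8
    return pps, bps

def hosts_over_threshold(pps, bps, pps_limit, bps_limit):
    """Hosts whose incoming rate exceeds either baseline."""
    return sorted(h for h in pps if pps[h] > pps_limit or bps[h] > bps_limit)

# L3/L4 fields a Flow spec match can carry, with their index in the packet tuple
FIELDS = {"protocol": 2, "source-port": 3, "destination-port": 4}

def derive_flowspec_rules(pkts, victim, dominance=0.9, max_sources=3):
    """Keep a field only if its most common value covers >= `dominance` of the
    victim's sample. Source addresses are handled separately: if a few sources
    account for the flood, emit one rule per source (Flow spec takes a single
    source prefix per rule); if sources are spread out, as in amplification,
    omit the source match entirely."""
    sample = [p for p in pkts if p[1] == victim]
    if not sample:
        return []  # sample collection failed: nothing to derive a rule from
    match = {"destination": f"{victim}/32"}
    for name, idx in FIELDS.items():
        value, count = Counter(p[idx] for p in sample).most_common(1)[0]
        if count / len(sample) >= dominance:
            match[name] = value
    top_sources = Counter(p[0] for p in sample).most_common(max_sources)
    if sum(c for _, c in top_sources) / len(sample) >= dominance:
        return [dict(match, source=f"{ip}/32") for ip, _ in top_sources]
    return [match]

if __name__ == "__main__":
    pkts = build_amplification_sample()
    pps, bps = incoming_counters(pkts)
    for victim in hosts_over_threshold(pps, bps, pps_limit=1000, bps_limit=10_000_000):
        print(victim, derive_flowspec_rules(pkts, victim))
    print(derive_flowspec_rules(build_syn_flood_sample(), "203.0.113.30"))
```

In the amplification case only the protocol and source port 53 dominate, so the derived rule matches UDP from port 53 to the victim and leaves the victim's HTTPS traffic alone. In the SYN flood case the destination port is shared with legitimate traffic, so a rule on protocol and port alone would block all HTTP to the host; aggregating on the three dominant sources produces three narrower rules instead. The dilution problem from the paragraph above is visible in the dominance ratio: if the sample were mostly legitimate traffic, no field would reach 90% and no useful rule would come out.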

FastNetMon implements a number of optimisations to reduce the number of BGP Flow spec rules it announces, and uses aggregation to find the best match for the attack traffic.