17.09.2018

FastNetMon attack detection logic for BGP blackhole mode

This guide provides detailed information about the attack detection logic for different cases.

Every second, FastNetMon checks all hosts against the thresholds specified in the hostgroup configuration. When any of your hosts crosses a threshold, FastNetMon creates a “traffic capture request”.

Once the capture request is created, FastNetMon collects all traffic to the specified host. By default, FastNetMon captures 500 packets (in mirror/SPAN mode) or 20 packets (for sFlow v5, Netflow and IPFIX).

You can also change this value this way:

If it cannot capture this number of packets within 120 seconds (this value cannot be changed), it treats the “traffic capture request” as orphaned and removes it completely.

You can find such cases in the log file /var/log/fastnetmon/fastnetmon.log:

In this case, FastNetMon declares the attack a false positive and does not apply any action.

If you use sampled Netflow/IPFIX/sFlow v5, you can reduce this value to 2-3 packets or even to a single packet. In that case, FastNetMon will block the host almost immediately after receiving the initial alert.
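The lifecycle described above (threshold alert, capture request, either enough packets are collected and the action fires, or the request is orphaned after 120 seconds and the alert is treated as a false positive), as an added Python simulation. This is not FastNetMon's own code: the class and function names, the sample host address and the packet timestamps are constructed for illustration, and the assumption that a packet arriving at exactly 120 seconds still counts is noted in the code.

```python
from dataclasses import dataclass
from enum import Enum

# Defaults from the page: 500 packets in mirror/SPAN mode, 20 for sFlow v5/Netflow/IPFIX,
# and a fixed 120-second window in which they must be collected.
DEFAULT_PACKETS = {"mirror": 500, "sflow": 20, "netflow": 20, "ipfix": 20}
CAPTURE_TIMEOUT_SECONDS = 120


class Outcome(Enum):
    PENDING = "pending"                 # still collecting packets
    BLOCKED = "blocked"                 # enough packets captured: action (e.g. BGP blackhole) fires
    FALSE_POSITIVE = "false_positive"   # request orphaned after the 120 s window, no action taken


@dataclass
class CaptureRequest:
    host: str
    packets_needed: int
    created_at: float          # seconds, when the threshold was crossed
    captured: int = 0
    outcome: Outcome = Outcome.PENDING

    def _expired(self, now: float) -> bool:
        # Assumption: the window is inclusive, so a packet at exactly +120 s still counts.
        return now - self.created_at > CAPTURE_TIMEOUT_SECONDS

    def on_tick(self, now: float) -> Outcome:
        """Periodic check (FastNetMon evaluates every second): orphan an overdue request."""
        if self.outcome is Outcome.PENDING and self._expired(now):
            self.outcome = Outcome.FALSE_POSITIVE
        return self.outcome

    def on_packet(self, ts: float) -> Outcome:
        """Account one packet destined to the monitored host, seen at time ts."""
        if self.on_tick(ts) is not Outcome.PENDING:
            return self.outcome
        self.captured += 1
        if self.captured >= self.packets_needed:
            self.outcome = Outcome.BLOCKED
        return self.outcome


def simulate(mode: str, packet_times, packets_needed=None, observe_until=None):
    """Replay constructed packet timestamps (seconds after the alert) against one request."""
    needed = DEFAULT_PACKETS[mode] if packets_needed is None else packets_needed
    req = CaptureRequest("192.0.2.10", needed, created_at=0.0)   # constructed sample host
    for ts in sorted(packet_times):
        if req.on_packet(ts) is not Outcome.PENDING:
            break
    if observe_until is not None:
        req.on_tick(observe_until)   # the periodic check that orphans a stale request
    return req.outcome, req.captured
```

Lowering `packets_needed` to 2 models the sampled-flow tuning from the last paragraph: the request is satisfied by the first couple of sampled packets, so the block follows the alert almost immediately.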