We’re happy to announce that VyOS routing platform have got native support for DDoS detection powered by FastNetMon community. You do not need any additional steps, your VyOS setup already has FastNetMon installed and you just need to enable it.
First of all, please switch VyOS in configuration mode using “configure” command and then apply following commands:
# Enable Mirror capture mode set service ids ddos-protection mode mirror # Add all your networks set service ids ddos-protection network 192.168.1.119/32 # Add all interfaces to listen on, we recommend monitoring upstream interfaces set service ids ddos-protection listen-interface eth0 # Enable incoming DDoS detection, for enabling outgoing please use "out" set service ids ddos-protection direction in # Specify thresholds after crossing any of them specific /32 host in your network will be blocked set service ids ddos-protection threshold mbps 50 set service ids ddos-protection threshold pps 10000 set service ids ddos-protection threshold fps 1000 commit save
After these steps, you will have FastNetMon up and running and you can use fastnetmon_client tool to monitor traffic per host and check for blocked hosts:
To investigate any problems with FastNetMon, we recommend checking log file /var/log/fastnetmon.log
To restart FastNetMon you can use this command:
sudo systemctl restart fastnetmon
When FastNetMon detects an attack, it can call script which can do variety of actions. To enable this option, please create basic script at /etc/notify_about_attack.sh with following content:
#!/usr/bin/env bash
# This script will get following params:
# $1 client_ip_as_string
# $2 data_direction
# $3 pps_as_string
# $4 action (ban or unban)
if [ "$4" = "unban" ]; then
# No details arrived to stdin here
# Unban actions if used
exit 0
fi
#
# For ban and attack_details actions we will receive attack details to stdin
# if option notify_script_pass_details enabled in FastNetMon's configuration file
#
# If you do not need this details, please set option notify_script_pass_details to "no".
#
# Please do not remove "cat" command if you have notify_script_pass_details enabled, because
# FastNetMon will crash in this case (it expect read of data from script side).
#
if [ "$4" = "ban" ]; then
cat > /dev/null
wall "FastNetMon Community: IP $1 blocked because $2 attack with power $3 pps"
exit 0
fi
if [ "$4" == "attack_details" ]; then
cat > /dev/null
wall "FastNetMon Community: IP $1 blocked because $2 attack with power $3 pps"
exit 0
fi
Then please set exec bit for this file:
sudo chmod +x /etc/notify_about_attack.sh
And then enable it in VyOS:
configure # Specify script which will be called when FastNetMon detects an set service ids ddos-protection alert-script /etc/notify_about_attack.sh commit save
After enabling this script, you will see alerts about attack in console:
Broadcast message from root@vyos (somewhere) (Sat Jul 18 15:27:31 2020): FastNetMon Community: IP 192.168.1.119 blocked because incoming attack with power 4548 pps
You can check our addons and enable different options to alert via Telegram, Slack and any other system