18.07.2020

FastNetMon community on VyOS Rolling 1.3

We’re happy to announce that the VyOS routing platform has native support for DDoS detection powered by FastNetMon Community. No additional installation steps are needed: a VyOS 1.3 rolling build from 1 July 2020 or later already has FastNetMon installed, and you only need to enable it.

First of all, switch VyOS into configuration mode with the “configure” command and then apply the following commands:

# Enable Mirror capture mode
set service ids ddos-protection mode mirror

# Add all your networks
set service ids ddos-protection network 192.168.1.119/32

# Add all interfaces to listen on; we recommend monitoring upstream interfaces
set service ids ddos-protection listen-interface eth0

# Enable incoming DDoS detection, for enabling outgoing please use "out"
set service ids ddos-protection direction in

# Specify thresholds; once any of them is crossed, the specific /32 host in your network will be blocked
set service ids ddos-protection threshold mbps 50
set service ids ddos-protection threshold pps 10000
set service ids ddos-protection threshold fps 1000

commit
save

After these steps you will have FastNetMon up and running, and you can use the fastnetmon_client tool to monitor traffic per host and to check for blocked hosts.

To investigate any problems with FastNetMon, we recommend checking the log file /var/log/fastnetmon.log.

To restart FastNetMon you can use this command:

sudo systemctl restart fastnetmon

When FastNetMon detects an attack, it can call a script which can perform a variety of actions. To enable this option, create a basic script at /etc/notify_about_attack.sh with the following content:

#!/usr/bin/env bash

# This script will get following params:
#  $1 client_ip_as_string
#  $2 data_direction
#  $3 pps_as_string
#  $4 action (ban or unban)


if [ "$4" = "unban" ]; then
    # No details arrive on stdin here
    # Unban actions, if any, go here
    exit 0
fi

#
# For ban and attack_details actions we will receive attack details on stdin
# if the option notify_script_pass_details is enabled in FastNetMon's configuration file.
#
# If you do not need these details, please set the option notify_script_pass_details to "no".
#
# Please do not remove the "cat" command if you have notify_script_pass_details enabled, because
# FastNetMon will crash in this case (it expects the script to read the data).
#
if [ "$4" = "ban" ]; then
    cat > /dev/null
    wall "FastNetMon Community: IP $1 blocked because $2 attack with power $3 pps"
    exit 0
fi

if [ "$4" = "attack_details" ]; then
    cat > /dev/null
    wall "FastNetMon Community: IP $1 blocked because $2 attack with power $3 pps"
    exit 0
fi

Then set the execute bit on this file:

sudo chmod +x /etc/notify_about_attack.sh

And then enable it in VyOS:

configure
# Specify script which will be called when FastNetMon detects an
set service ids ddos-protection alert-script /etc/notify_about_attack.sh
commit
save

After enabling this script, you will see alerts about attacks in the console:

Broadcast message from root@vyos (somewhere) (Sat Jul 18 15:27:31 2020):
FastNetMon Community: IP 192.168.1.119 blocked because incoming attack with power 4548 pps
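The script above reads the attack details from stdin and throws them away, so after an incident the only record is the wall message. Below is an added example of a notify script (it is not part of the original post and not FastNetMon's or VyOS's own code) that keeps the same four-argument interface as the page's script, writes one key=value line per event that a log collector can pick up, and stores the stdin details in a per-event file. The log directory (overridable through the FNM_ALERT_LOG_DIR environment variable), the file naming and the key=value format are assumptions of this example. For ban and attack_details it still drains stdin, for the reason the original script gives.

```shell
#!/usr/bin/env bash
# Added example notify script (not from the original post or from FastNetMon/VyOS).
# Argument order follows the page's script: $1 ip, $2 direction, $3 pps, $4 action.
# Attack details arrive on stdin for "ban" and "attack_details" when
# notify_script_pass_details is enabled; here they are stored instead of discarded.
# LOG_DIR, the FNM_ALERT_LOG_DIR override and the file naming are assumptions of this example.

LOG_DIR="${FNM_ALERT_LOG_DIR:-/var/log/fastnetmon-alerts}"

# format_alert IP DIRECTION PPS ACTION: one key=value line per event, easy to ship to a SIEM
format_alert() {
    printf 'fastnetmon action=%s ip=%s direction=%s pps=%s\n' "$4" "$1" "$2" "$3"
}

# details_path IP ACTION: per-event file for the details read from stdin
details_path() {
    # ':' in IPv6 addresses is replaced so the file name is portable;
    # timestamp plus PID keeps two events in the same second apart
    safe_ip="$(printf '%s' "$1" | tr ':' '_')"
    printf '%s/%s-%s-%s-%s.txt' "$LOG_DIR" "$(date +%Y%m%dT%H%M%S)" "$$" "$safe_ip" "$2"
}

# handle_alert IP DIRECTION PPS ACTION
# Prints the formatted alert line; for ban/attack_details it also saves stdin.
# stdin is always consumed for those actions so FastNetMon never blocks on an unread pipe.
handle_alert() {
    ip="$1"; direction="$2"; pps="$3"; action="$4"
    case "$action" in
        ban|attack_details)
            mkdir -p "$LOG_DIR"
            cat > "$(details_path "$ip" "$action")"
            ;;
        unban)
            # FastNetMon sends nothing on stdin for unban
            ;;
        *)
            printf 'unknown action: %s\n' "$action" >&2
            return 1
            ;;
    esac
    format_alert "$ip" "$direction" "$pps" "$action"
}

# When FastNetMon invokes the script with its four arguments, log the event and
# broadcast it like the original script does; sourcing the file runs nothing.
if [ "$#" -ge 4 ]; then
    mkdir -p "$LOG_DIR"
    line="$(handle_alert "$1" "$2" "$3" "$4")" || exit 1
    printf '%s\n' "$line" >> "$LOG_DIR/alerts.log"
    wall "$line"
fi
```

Install it the same way as the page's script (chmod +x, then set service ids ddos-protection alert-script to its path). The per-event detail files are what you will want during incident review, since they hold the flow sample FastNetMon attaches to the ban; the one-line alerts.log is what a collector such as syslog or a SIEM agent should tail.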

You can check our add-ons and enable different options to alert via Telegram, Slack and other systems.