In BGP Flow Spec mode FastNetMon can detect and isolate patterns of malicious traffic and filter it out using the high-performance filters on your routers.
As a first step of detection, the Flow Spec logic relies on thresholds. Every second, FastNetMon checks all hosts against the thresholds specified in the hostgroup configuration. When any of your hosts crosses a threshold, FastNetMon creates a “traffic capture request”.
After the capture request is created, FastNetMon collects all traffic to the specified host. By default, FastNetMon captures 500 packets (in mirror/SPAN mode) or 20 packets (for sFlow v5, Netflow and IPFIX).
By default FastNetMon captures all traffic to and from the specific host, which in some rare cases may lead to blocks of legitimate traffic. You can switch to the newer logic, which processes only the traffic that actually triggered the threshold (e.g. only UDP traffic when the attack was triggered by a UDP threshold). It can be enabled this way:
sudo fcli set main threshold_specific_ban_details true
sudo fcli commit
You can change the number of collected packets this way, but we normally do not recommend setting it to a very low value, as it may cause issues for pattern detection:
sudo fcli set main ban_details_records_count 5
sudo fcli commit
If it cannot capture this number of packets within 120 seconds (you cannot change this value), it treats the “traffic capture request” as orphaned and removes it completely.
You can find such cases in the log file /var/log/fastnetmon/fastnetmon.log:
[WARN] We've found orphaned bucket for IP: 10.251.23.1
[WARN] It has 3 parsed packets
[WARN] And 3 raw packets
[WARN] We will remove it
In this case, FastNetMon declares the attack a false positive and does not apply any actions.
When FastNetMon successfully captures an attack sample, it then tries hard to find the best match using all possible configurations of BGP Flow Spec rules, for example:
- almost all packets come from IP XX to port YY
- almost all packets use fragmentation flag and come from port ZZ
- almost all packets use protocol M and come from IP XX
After that, FastNetMon orders all rules by the number of packets / bytes which match each rule. For example, it may get the following intermediate results:
- port=53 protocol=udp 100 packets 10 packets
- port=53 source_ip=126.96.36.199 protocol=udp 5 packets
- port=53 source_ip=188.8.131.52 protocol=udp 5 packets
FastNetMon is interested in finding the best possible rule (the one which covers as many packets as possible) that is also the shortest (the one which has the fewest parameters).
In this example FastNetMon will select the first rule because it is the shortest and matches many more packets than the others.
After finding the rule with the best coverage of the malicious traffic, it announces it to the BGP Flow Spec router, which then filters out this malicious traffic.
At the same time FastNetMon excludes all traffic which matches this new Flow Spec rule from processing and starts monitoring whether any threshold is crossed again. At this point all traffic of the previously known attack vectors is filtered, and FastNetMon looks for new patterns in order to address multi-vector attacks. If a threshold is crossed again, it captures a sample of traffic and applies the same logic again and again until it filters out the attack.
Normally, FastNetMon creates around 5-10 rules per host to filter out an attack.
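The rule search and the multi-vector loop described above, as an added illustration in Python (not FastNetMon's own code): the packet sample, the field set and the assumption that a candidate rule combines two or three match fields are constructed for this example, and the triggered_proto argument models threshold_specific_ban_details.

```python
from itertools import combinations

# Constructed sample, not a real capture: one "ban details" bucket of packets
# towards an attacked host (TEST-NET documentation addresses, hypothetical values).
SAMPLE = (
    [{"src_ip": "203.0.113.7", "src_port": 53, "proto": "udp"}] * 100   # vector 1
    + [{"src_ip": "192.0.2.44", "src_port": 80, "proto": "tcp"}] * 40   # vector 2
    + [{"src_ip": "198.51.100.9", "src_port": 53, "proto": "udp"}] * 3  # legitimate
    + [{"src_ip": "198.51.100.10", "src_port": 443, "proto": "tcp"}] * 3
)
FIELDS = ("src_ip", "src_port", "proto")

def candidate_rules(packets):
    """Every 2- or 3-field value combination seen in the sample (assumption: a
    candidate always combines at least two match fields, as in the examples above)."""
    rules = set()
    for pkt in packets:
        for n in (2, 3):
            for fields in combinations(FIELDS, n):
                rules.add(tuple((f, pkt[f]) for f in fields))
    return sorted(rules, key=repr)  # deterministic order, so ties break the same way

def matches(rule, pkt):
    return all(pkt[f] == v for f, v in rule)

def best_rule(packets, min_share=0.5, triggered_proto=None):
    """Rank candidates by packets covered, then by fewest parameters; triggered_proto
    models threshold_specific_ban_details (only the triggering protocol is considered).
    Returns (rule_dict, covered) or None when nothing covers min_share of the sample."""
    if triggered_proto:
        packets = [p for p in packets if p["proto"] == triggered_proto]
    if not packets:
        return None
    scored = [(sum(matches(r, p) for p in packets), -len(r), r) for r in candidate_rules(packets)]
    covered, _, rule = max(scored, key=lambda t: (t[0], t[1]))
    return (dict(rule), covered) if covered >= min_share * len(packets) else None

def mitigate(packets, threshold_packets=10, max_rules=10):
    """Multi-vector loop: announce the best rule, exclude what it matches, and look
    for a new pattern while the remaining traffic still crosses the threshold."""
    rules, remaining = [], list(packets)
    while len(remaining) > threshold_packets and len(rules) < max_rules:
        found = best_rule(remaining)
        if found is None:
            break  # no clear pattern: treated as a false positive, no action
        rule, _ = found
        rules.append(rule)
        remaining = [p for p in remaining if not matches(tuple(rule.items()), p)]
    return rules, len(remaining)
```

Note that the first rule also matches the three legitimate DNS replies in the sample, which is the kind of collateral block the threshold-specific option and a sufficiently large ban_details_records_count are meant to limit.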
To learn more about our detection engine, we recommend enabling debug logging and then checking /var/log/fastnetmon/fastnetmon.log:
sudo fcli set main logging_level debug
sudo fcli commit