08.05.2020

FastNetMon Flow spec mitigation mode algorithm details

In BGP Flow spec mode FastNetMon can detect and isolate patterns of malicious traffic. But it does not use any hardcoded rules in this case. It uses same logic as blackhole mode based on threshold. But instead of blocking host completely it collects dumps of all packets and then feed this traffic to detection engine.

It tries hard to find best match using all possible configurations of BGP Flow spec rules, for example:

  • almost all packets come from IP XX to port YY
  • almost all packets use fragmentation flag and come from port ZZ
  • almost all packets use protocol M and come from IP XX

After that, FastNetMon orders all rules by number of packets / bytes which match each rule. For example, it may get following intermediate results:

  • port=53 protocol=udp 100 packets 10 packets
  • port=53 source_ip=11.22.33.44 protocol=udp 5 packets
  • port=53 source_ip=11.33.88.22 protocol=udp 5 packets

FastNetMon is interested in finding best possible (which covers as many packets as possible) and shortest rule (which has less parameters ).

In this example FastNetMon will select first rule because it shortest and has much more packets that other.

After finding best coverage rule for malicious traffic, FastNetMon uses optimization engine to improve rule and aggregate it even more to match more traffic and then it announces it to BGP Flow Spec router and then it filters out this malicious traffic.