To achieve better DDoS detection, FastNetMon offers a number of predefined threshold types. For each entity (host or group of hosts) in your network, FastNetMon maintains a set of counters for different traffic types. FastNetMon calculates every counter type separately for incoming and outgoing traffic.
Global counters:
- Packets per second
- Mbits per second
- Flows per second (not available for sampled Netflow/IPFIX and sFlow)
Per protocol packet counters:
- TCP packets per second
- UDP packets per second
- ICMP packets per second
- TCP SYN packets per second
Per protocol bandwidth counters:
- TCP mbits per second
- TCP SYN mbits per second
- UDP mbits per second
- ICMP mbits per second
You may set thresholds for incoming and outgoing traffic independently; please check this guide to learn more.
Please note that the TCP SYN counters count all packets / flows with the SYN flag set, i.e. they are incremented even when other flags are set as well (such as SYN+ACK or SYN+ACK+PSH).
Please note that versions before 2.0.342 did not count ICMPv6 traffic towards the ICMP thresholds.
You can use any of these counters to trigger a DDoS alert. In the table below you can find the option that enables a particular threshold and the field name used to set the threshold value itself.
| Option to enable | Threshold value name |
|---|---|
| ban_for_pps | threshold_pps |
| ban_for_bandwidth | threshold_mbps |
| ban_for_flows | threshold_flows |
| ban_for_tcp_pps | threshold_tcp_pps |
| ban_for_udp_pps | threshold_udp_pps |
| ban_for_icmp_pps | threshold_icmp_pps |
| ban_for_tcp_bandwidth | threshold_tcp_mbps |
| ban_for_udp_bandwidth | threshold_udp_mbps |
| ban_for_icmp_bandwidth | threshold_icmp_mbps |
| ban_for_tcp_syn_pps | threshold_tcp_syn_pps |
| ban_for_tcp_syn_bandwidth | threshold_tcp_syn_mbps |
In addition to the thresholds for incoming traffic, FastNetMon offers the option to set independent thresholds for outgoing traffic:
| Option to enable | Threshold value name |
|---|---|
| ban_for_pps_outgoing | threshold_pps_outgoing |
| ban_for_bandwidth_outgoing | threshold_mbps_outgoing |
| ban_for_flows_outgoing | threshold_flows_outgoing |
| ban_for_tcp_pps_outgoing | threshold_tcp_pps_outgoing |
| ban_for_udp_pps_outgoing | threshold_udp_pps_outgoing |
| ban_for_icmp_pps_outgoing | threshold_icmp_pps_outgoing |
| ban_for_tcp_bandwidth_outgoing | threshold_tcp_mbps_outgoing |
| ban_for_udp_bandwidth_outgoing | threshold_udp_mbps_outgoing |
| ban_for_icmp_bandwidth_outgoing | threshold_icmp_mbps_outgoing |
| ban_for_tcp_syn_pps_outgoing | threshold_tcp_syn_pps_outgoing |
| ban_for_tcp_syn_bandwidth_outgoing | threshold_tcp_syn_mbps_outgoing |
FastNetMon evaluates all enabled thresholds using the logical operator OR: if any one of the enabled thresholds triggers, FastNetMon declares an attack. Thresholds that are not enabled are ignored even if a value is set for them.
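The following Python script is an added example, not FastNetMon's own code, that models the evaluation rule described above: each enable option is paired with its threshold value name from the tables, incoming and outgoing settings are checked independently, enabled thresholds are combined with OR, and the TCP SYN counter counts any packet with SYN set regardless of other flags. The comparison "counter value strictly greater than threshold", the `_outgoing` suffix convention for counter names and the constructed counter/packet samples are assumptions made for the example.

```python
"""Added example (not FastNetMon code): model FastNetMon-style threshold
evaluation for one hostgroup. Assumes a threshold fires when the counter
value is strictly greater than the configured limit."""

# (option to enable, threshold value name) pairs taken from the incoming
# table above; the outgoing variants add the "_outgoing" suffix to both names.
THRESHOLD_PAIRS = {
    "ban_for_pps": "threshold_pps",
    "ban_for_bandwidth": "threshold_mbps",
    "ban_for_flows": "threshold_flows",
    "ban_for_tcp_pps": "threshold_tcp_pps",
    "ban_for_udp_pps": "threshold_udp_pps",
    "ban_for_icmp_pps": "threshold_icmp_pps",
    "ban_for_tcp_bandwidth": "threshold_tcp_mbps",
    "ban_for_udp_bandwidth": "threshold_udp_mbps",
    "ban_for_icmp_bandwidth": "threshold_icmp_mbps",
    "ban_for_tcp_syn_pps": "threshold_tcp_syn_pps",
    "ban_for_tcp_syn_bandwidth": "threshold_tcp_syn_mbps",
}


def counter_key(threshold_name):
    """Derive the counter name from the threshold name (assumed convention):
    'threshold_tcp_syn_pps' -> 'tcp_syn_pps'."""
    return threshold_name[len("threshold_"):]


def tcp_syn_pps(packets):
    """Count TCP packets carrying the SYN flag; SYN+ACK, SYN+ACK+PSH etc. count too.
    `packets` is a constructed list of dicts with 'proto' and a set of 'flags'
    observed in one second."""
    return sum(1 for p in packets if p["proto"] == "tcp" and "SYN" in p["flags"])


def evaluate_direction(hostgroup_config, counters, direction):
    """Return [(enable option, observed value, limit)] for every enabled
    threshold that fires in one direction ('incoming' or 'outgoing')."""
    suffix = "" if direction == "incoming" else "_outgoing"
    fired = []
    for enable_opt, thr_name in THRESHOLD_PAIRS.items():
        enable_key = enable_opt + suffix
        thr_key = thr_name + suffix
        if not hostgroup_config.get(enable_key, False):
            continue  # threshold not enabled: its value is ignored entirely
        limit = hostgroup_config.get(thr_key)
        if limit is None:
            continue  # enabled but never given a value: nothing to compare
        # A counter that is unavailable (e.g. flows under sampled Netflow) reads as 0.
        value = counters.get(counter_key(thr_name), 0)
        if value > limit:
            fired.append((enable_key, value, limit))
    return fired


def is_attack(hostgroup_config, incoming, outgoing):
    """Logical OR over all enabled thresholds in both directions."""
    fired = evaluate_direction(hostgroup_config, incoming, "incoming")
    fired += evaluate_direction(hostgroup_config, outgoing, "outgoing")
    return bool(fired), fired


def example_scenario():
    """Constructed scenario: UDP pps threshold enabled and exceeded; a much
    larger total pps counter is ignored because ban_for_pps is not enabled;
    the outgoing SYN threshold is enabled but not exceeded."""
    config = {
        "ban_for_udp_pps": True, "threshold_udp_pps": 1000,
        "threshold_pps": 50000,  # value set, but ban_for_pps is not enabled
        "ban_for_tcp_syn_pps_outgoing": True, "threshold_tcp_syn_pps_outgoing": 500,
    }
    outgoing_packets = [  # constructed one-second sample of outgoing TCP/UDP packets
        {"proto": "tcp", "flags": {"SYN"}},
        {"proto": "tcp", "flags": {"SYN", "ACK"}},
        {"proto": "tcp", "flags": {"ACK", "PSH"}},
        {"proto": "udp", "flags": set()},
    ]
    incoming = {"pps": 100000, "udp_pps": 1500}
    outgoing = {"tcp_syn_pps": tcp_syn_pps(outgoing_packets)}
    return is_attack(config, incoming, outgoing)


if __name__ == "__main__":
    attack, details = example_scenario()
    print("attack" if attack else "no attack", details)
```

Running the script prints `attack [('ban_for_udp_pps', 1500, 1000)]`: only the enabled UDP threshold fires, while the total pps counter, although far above its configured value, is ignored because its enable option is off. The SYN-counting helper shows why a threshold on `tcp_syn_pps` also reacts to SYN+ACK replies, which matters when you tune the outgoing SYN limits for hosts that legitimately accept many connections.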
To set a threshold for a hostgroup you can use the following syntax (the enable option and the threshold value are set in two separate commands):

```
sudo fcli set hostgroup [hostgroup name] [option name] true
sudo fcli set hostgroup [hostgroup name] [threshold name] 1000
```
For example, to enable a limit on UDP packets per second for the global hostgroup and apply the change, you can use:

```
sudo fcli set hostgroup global ban_for_udp_pps true
sudo fcli set hostgroup global threshold_udp_pps 1000
sudo fcli commit
```
If you’re looking for more flexible thresholds, please check this page.