To improve DDoS detection, FastNetMon offers a number of threshold types. For each host (/32 for IPv4 and /128 for IPv6) in your network, FastNetMon maintains a set of counters for different traffic types. FastNetMon calculates all counter types for incoming and outgoing traffic.
Global counters:
- Packets per second
- Mbits per second
- Flows per second (not available for sampled Netflow/IPFIX and sFlow)
Per protocol packet counters:
- TCP packets per second
- UDP packets per second
- ICMP packets per second
Per protocol bandwidth counters:
- TCP Mbits per second
- UDP Mbits per second
- ICMP Mbits per second
You can use any of these counters to trigger a DDoS alert. The table below lists the option that enables each threshold and the field name that sets the threshold value.
| Option to enable | Threshold value name |
|---|---|
| ban_for_pps | threshold_pps |
| ban_for_bandwidth | threshold_mbps |
| ban_for_flows | threshold_flows |
| ban_for_tcp_pps | threshold_tcp_pps |
| ban_for_udp_pps | threshold_udp_pps |
| ban_for_icmp_pps | threshold_icmp_pps |
| ban_for_tcp_bandwidth | threshold_tcp_mbps |
| ban_for_udp_bandwidth | threshold_udp_mbps |
| ban_for_icmp_bandwidth | threshold_icmp_mbps |
To set a threshold for a hostgroup, use the following syntax:
```shell
sudo fcli set hostgroup [hostgroup name] [option name] enable
sudo fcli set hostgroup [hostgroup name] [threshold name] 1000
```
For example, to enable a limit on UDP packets per second, you can use:
```shell
sudo fcli set hostgroup global ban_for_udp_pps enable
sudo fcli set hostgroup global threshold_udp_pps 1000
sudo fcli commit
```
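The enable options and threshold names in the table above do not always share a suffix (`ban_for_bandwidth` pairs with `threshold_mbps`), so it is easy to set a value and enable the wrong option. The following helper is an added example, not part of FastNetMon: it looks up the matching option for each threshold, rejects unknown names and non-numeric values, and prints the `fcli` commands for review instead of running them. The function names and the allowed hostgroup name characters are assumptions of this example.

```shell
#!/bin/sh
# Added example (not FastNetMon code): build the fcli command sequence for thresholds.
# Assumption: hostgroup names use only letters, digits, '_' and '-'.

# Map a threshold value name to the option that enables it (pairs from the table).
enable_option_for() {
    case "$1" in
        threshold_pps)       echo ban_for_pps ;;
        threshold_mbps)      echo ban_for_bandwidth ;;
        threshold_flows)     echo ban_for_flows ;;
        threshold_tcp_pps)   echo ban_for_tcp_pps ;;
        threshold_udp_pps)   echo ban_for_udp_pps ;;
        threshold_icmp_pps)  echo ban_for_icmp_pps ;;
        threshold_tcp_mbps)  echo ban_for_tcp_bandwidth ;;
        threshold_udp_mbps)  echo ban_for_udp_bandwidth ;;
        threshold_icmp_mbps) echo ban_for_icmp_bandwidth ;;
        *) return 1 ;;
    esac
}

# Usage: hostgroup_threshold_cmds HOSTGROUP name=value [name=value ...]
# Prints commands only when every argument is valid, so a typo never yields a partial set.
hostgroup_threshold_cmds() {
    [ $# -ge 2 ] || return 2
    hg=$1; shift
    case "$hg" in ''|*[!A-Za-z0-9_-]*) echo "bad hostgroup name: $hg" >&2; return 2 ;; esac
    out=""
    for pair in "$@"; do
        name=${pair%%=*}
        value=${pair#*=}
        opt=$(enable_option_for "$name") || { echo "unknown threshold: $name" >&2; return 1; }
        case "$value" in
            ''|*[!0-9]*) echo "bad value for $name: $value" >&2; return 1 ;;
        esac
        out="${out}sudo fcli set hostgroup $hg $opt enable
sudo fcli set hostgroup $hg $name $value
"
    done
    printf '%ssudo fcli commit\n' "$out"
}

# Constructed sample values; prints five commands ending with the commit.
hostgroup_threshold_cmds global threshold_udp_pps=1000 threshold_mbps=500
```

Review the printed commands before running them on the FastNetMon host.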