FastNetMon Advanced quick start

This document helps you set up FastNetMon in sFlow, NetFlow / IPFIX or mirror mode. At this step you should already have FastNetMon installed.

First of all, start the fcli configuration toolkit:

    sudo -i fcli

Networks list

You need to finish this step for all capture methods (sFlow, NetFlow, IPFIX, mirror). Enumerate all your networks in CIDR form:

    fcli> set main networks_list 11.22.33.0/22

This information is required because FastNetMon cannot extract it from the traffic automatically.

sFlow

Enable the sFlow plugin:

    fcli> set main sflow enable

Then specify the port for sFlow capture (6343 is the default):

    fcli> set main sflow_ports 6343

Then specify the address to listen on (0.0.0.0 is the default):

    fcli> set main sflow_host 0.0.0.0

Apply the changes and restart the daemon:

    fcli> commit

After these steps you need to configure sFlow on the agent's side (switch, router, server) so that it sends to the configured port. Please be careful with iptables rules!
NetFlow / IPFIX

Enable the NetFlow plugin:

    fcli> set main netflow enable

Then specify the port for NetFlow capture (2055 is the default):

    fcli> set main netflow_ports 2055

Then specify the address to listen on (0.0.0.0 is the default):

    fcli> set main netflow_host 0.0.0.0

An important remark about NetFlow sampling: FastNetMon can extract the sampling rate automatically from NetFlow v5, v9 and IPFIX, but in some rare cases you have to specify it explicitly:

    fcli> set main netflow_sampling_ratio 10

Also review the active and inactive flow timeouts on the NetFlow agent side carefully and set them to the smallest possible values. Then take the larger of the two and use it, in seconds, for the average_calculation_time option. Without these changes FastNetMon will work incorrectly, because correct bandwidth calculation is essential for it.

    fcli> set main average_calculation_time XXX
    fcli> set main average_calculation_time_for_subnets XXX

Apply the changes and restart the daemon:

    fcli> commit

After these steps you need to configure NetFlow / IPFIX on the agent's side (switch, router, server) so that it sends to the configured port. Please be careful with iptables rules!

Mirror

In this mode you need to configure a port mirror / SPAN / TAP from your switch or router. It is worth mentioning that FastNetMon has complete support only for popular Intel NICs (driven by the igb and ixgbe drivers) based on the X350 and 82599 controllers.
As a first step, list all interfaces available on your system:

    fcli> show interfaces

Prepare a separate interface for the management connection to FastNetMon: the same port cannot be used for both the traffic mirror and management, and FastNetMon will refuse such a configuration.

Enable the port mirror plugin:

    fcli> set main mirror_netmap enable

Enable it for a specific port:

    fcli> set main interfaces em1

If you are using sampled port mirroring, specify the sampling rate manually:

    fcli> set main netmap_sampling_ratio 1

If you are a happy customer of boxes with cropped mirror support (in this mode the router mirrors only the first X bytes of each packet), you can enable support for it with:

    fcli> set main netmap_read_packet_length_from_ip_header enable

Then enable port mirroring on the router or switch side.

Check traffic

First of all, check the traffic counters:

    fcli> show total_traffic_counters

In the normal case you should see non-zero counters for incoming and outgoing traffic. "Other" traffic means neither source nor destination is known to be part of your list of networks. Internal traffic is traffic where both source and destination belong to your list of networks.

You can also check the load per subnet:

    fcli> show network_counters

Or the top 10 hosts in your network:

    fcli> show host_counters bytes outgoing
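The four traffic directions behind these counters (incoming, outgoing, internal, other) follow directly from the networks list, and the same classification is what tells you whether your networks_list is complete: a large "other" counter means traffic is arriving whose endpoints FastNetMon does not recognise as yours. The Python below is an added example written for this page, not FastNetMon's own code; NETWORKS_LIST and SAMPLE_FLOWS are constructed values, and the counters it produces are the per-direction byte totals in the spirit of `show total_traffic_counters`, not FastNetMon's exact output.

```python
import ipaddress
from collections import Counter

# Constructed operator networks, in the same CIDR form as "set main networks_list".
# Example values only, not taken from a real deployment.
NETWORKS_LIST = ["11.22.33.0/22", "2001:db8:100::/48"]


def build_network_list(cidrs):
    """Parse the configured networks_list into network objects once."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_ours(addr, networks):
    """True when the address falls inside any configured network."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in networks)


def classify_flow(src, dst, networks):
    """Apply the four traffic directions described in the text above.

    incoming: destination is ours, source is not
    outgoing: source is ours, destination is not
    internal: both ends are ours
    other:    neither end is ours (transit, or an incomplete networks_list)
    """
    src_ours = is_ours(src, networks)
    dst_ours = is_ours(dst, networks)
    if src_ours and dst_ours:
        return "internal"
    if dst_ours:
        return "incoming"
    if src_ours:
        return "outgoing"
    return "other"


def total_traffic_counters(flows, cidrs):
    """Sum bytes per direction over a list of (src, dst, bytes) flow records."""
    networks = build_network_list(cidrs)
    counters = Counter({"incoming": 0, "outgoing": 0, "internal": 0, "other": 0})
    for src, dst, nbytes in flows:
        counters[classify_flow(src, dst, networks)] += nbytes
    return dict(counters)


# Constructed sample flows: (source, destination, bytes), as a collector would
# decode them from sFlow/NetFlow records or mirrored packets.
SAMPLE_FLOWS = [
    ("8.8.8.8", "11.22.33.44", 1500),             # incoming
    ("11.22.33.44", "8.8.8.8", 600),              # outgoing
    ("11.22.33.44", "11.22.34.10", 900),          # internal: both inside the /22
    ("1.1.1.1", "9.9.9.9", 200),                  # other: neither end is ours
    ("2001:db8:100::5", "2001:db8:200::1", 400),  # outgoing (IPv6)
]

if __name__ == "__main__":
    for direction, nbytes in total_traffic_counters(SAMPLE_FLOWS, NETWORKS_LIST).items():
        print(f"{direction:9s} {nbytes} bytes")
```

Run against the sample flows this yields 1500 bytes incoming, 1000 outgoing, 900 internal and 200 other. In a real deployment the "other" line is the one to watch after `commit`: if it dominates, extend networks_list before tuning thresholds, because traffic classified as other never contributes to per-host counters and cannot trigger a ban.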
And that's all :) Now you can move on to the next step.

Email notifications

You can specify one or multiple emails to receive notifications about detected DDoS attacks. I recommend using a local SMTP server in your network. In some cases you could also use Gmail or another public mail service, but keep in mind that during a DDoS attack your connectivity may be reduced and an external mail service may fail to deliver the notification.

    fcli> set main email_notifications_enabled enable
    fcli> set main email_notifications_tls enable
    fcli> set main email_notifications_auth enable
    fcli> set main email_notifications_port 587
    fcli> set main email_notifications_host smtp.gmail.com
    fcli> set main email_notifications_from mynotificationemail@gmail.com
    fcli> set main email_notifications_username mynotificationemail@gmail.com
    fcli> set main email_notifications_password please_keep_it_secret
    fcli> set main email_notifications_recipients noc@yourcompany.com
    fcli> set main email_notifications_recipients tech@yourcompany.com

Then use this command to send a test email to the configured notification addresses:

    fcli> set email_test

After that you will receive notifications about all block and automatic unblock actions (if enabled).

Notify script

FastNetMon can also call a notify script when a DDoS attack arrives. You can use it for integration with third-party applications or monitoring systems. First install the mail tool if it is not installed:
    sudo apt-get install -y bsd-mailx

Then open the example notify script /etc/fastnetmon/scripts/notify_about_attack.sh with your favorite editor and specify your email in the email_notify field.

Then try to run it manually for the ban action (the attack details are passed on standard input):

    echo ban_details | /etc/fastnetmon/scripts/notify_about_attack.sh 11.22.33.44 incoming 100500 ban

And try to run it manually for unban (we do not have details in this case):

    /etc/fastnetmon/scripts/notify_about_attack.sh 11.22.33.44 incoming 100500 unban

Enable this action in FastNetMon:

    fcli> set main notify_script_path /etc/fastnetmon/scripts/notify_about_attack.sh
    fcli> set main notify_script_enabled enable

Ban configuration

As an example we will block hosts which exceed 100 Mbps of bandwidth consumption:

    fcli> set hostgroup global threshold_mbps 100
    fcli> set hostgroup global ban_for_bandwidth enable

Enable ban actions for the global host group:

    fcli> set hostgroup global enable_ban enable

Enable ban actions globally:

    fcli> set main enable_ban enable

I also recommend enabling pcap dump collection for attacks:

    fcli> set main collect_attack_pcap_dumps enable

And finally commit the changes:
    fcli> commit

Then you can check the blocks for hosts which exceed this threshold:

    fcli> show blackhole

That's all ;)

BGP unicast

FastNetMon has bundled support for BGP announces: it can announce an attacked host over BGP and use BGP flow spec for fine-grained DDoS filtering. This part describes the configuration for BGP unicast.

For this manual you need to configure a BGP peering connection from your router side, and you need to know all of the following:

- Peering IP for FastNetMon
- ASN for FastNetMon
- Router's IP
- Router's ASN
- Community number used for blackhole at the router side

As a first step, enable BGP support:

    fcli> set main gobgp enable

Enable announces of hosts:

    fcli> set main gobgp_announce_host enable

Then specify the blackhole community used in your network (I personally encourage you to use the number recommended by RFC 7999, 666). Use only 16-bit ASN numbers (< 65535) in communities here:

    fcli> set main gobgp_community_host 65001:666

Then we need to create a new BGP peering session:

    fcli> set bgp connection_to_my_router

And configure it (if you are using an IP different from the management IP for peering, you need to configure that address manually on your Ubuntu instance):
    fcli> set bgp connection_to_my_router local_asn 65001
    fcli> set bgp connection_to_my_router remote_asn 65001
    fcli> set bgp connection_to_my_router local_address 11.22.33.44
    fcli> set bgp connection_to_my_router remote_address 22.33.44.55

Then enable support for IPv4 unicast for this peer explicitly:

    fcli> set bgp connection_to_my_router ipv4_unicast enable

Finally, enable this peering connection:

    fcli> set bgp connection_to_my_router active enable

And then commit the changes to the FastNetMon and BGP daemon configuration:

    fcli> commit

After this it is nice to check that we can announce IPs correctly. Ban a test IP for it:

    fcli> set blackhole 11.22.33.44

And check the BGP daemon's list of active announces:

    /opt/fastnetmon/libraries/gobgp_1_4_0_git/gobgp global rib
       Network          Next Hop    AS_PATH    Age        Attrs
    *> 11.22.33.44/32   0.0.0.0                00:00:47   [{Origin:?} {Communities: 65001:666}]

You can also check neighbor status this way:

    /opt/fastnetmon/libraries/gobgp_1_4_0_git/gobgp neighbor

BGP flow spec

For this step you need a working BGP unicast configuration. Enable the flow spec AFI on the router's side, and then we can start!

Enable flow spec for your peering connection:
    fcli> set bgp connection_to_my_router ipv4_flowspec enable

Enable flow spec globally:

    fcli> set main gobgp_flow_spec_announces enable

You can also specify the action type for FastNetMon's announces (accept, discard or rate-limit):

    fcli> set main gobgp_flow_spec_default_action discard

For rate-limit you can specify the actual rate (the meaning of the rate depends on the vendor):

    fcli> set main gobgp_flow_spec_rate_limit_value 1000

Commit the changes:

    fcli> commit

Then we can prepare a custom announce:

    fcli> set flowspec '{ "source_prefix": "4.0.0.0/24", "destination_prefix": "127.0.0.0/24", "destination_ports": [ 80 ], "source_ports": [ 53, 5353 ], "packet_lengths": [ 777, 1122 ], "protocols": [ "tcp" ], "fragmentation_flags": [ "is-fragment", "dont-fragment" ], "tcp_flags": [ "syn" ], "action_type": "ratelimit", "action": { "rate": 1024 } }'

And check the BGP daemon output:

    /opt/fastnetmon/libraries/gobgp_1_4_0_git/gobgp global rib -a ipv4-flow
       Network   Next Hop   AS_PATH   Age   Attrs
    *> [destination:127.0.0.0/24][source:4.0.0.0/24][protocol: tcp][destination-port: =80][source-port: =53 =5353][tcp-flags: syn][packet-length: =777 =1122][fragment: is-fragment dont-fragment]   fictitious   00:01:36   [{Origin:?} {Extcomms: [discard]}]
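Returning to the notify script section above: the manual runs there fix the contract FastNetMon uses when calling the script, four positional arguments (host, direction, a numeric attack power such as 100500, and the action ban or unban) with the attack details piped on standard input for ban only. The Python below is an added example written for this page, not the bundled notify_about_attack.sh, showing how a replacement script pointed to by notify_script_path can validate that contract and emit one JSON line per event for a SIEM or syslog instead of an email. The name "power" for the third argument and the JSON field names are assumptions of this example; the page does not name them.

```python
import ipaddress
import json
import sys
from datetime import datetime, timezone

VALID_DIRECTIONS = {"incoming", "outgoing"}
VALID_ACTIONS = {"ban", "unban"}


def parse_event(argv, stdin_text=""):
    """Build a structured record from the four positional arguments FastNetMon
    passes to the notify script, plus the details it pipes on stdin for 'ban'.

    argv: [ip, direction, power, action] with the script name already stripped.
    Raises ValueError on anything outside the documented contract, so a malformed
    invocation is logged as an error instead of becoming a misleading alert.
    """
    if len(argv) != 4:
        raise ValueError(f"expected 4 arguments <ip> <direction> <power> <action>, got {len(argv)}")
    ip, direction, power, action = argv
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        raise ValueError(f"invalid host address {ip!r}") from None
    if direction not in VALID_DIRECTIONS:
        raise ValueError(f"unknown direction {direction!r}")
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if not power.isdigit():
        raise ValueError(f"attack power must be a non-negative integer, got {power!r}")
    return {
        "host": ip,
        "direction": direction,
        "power": int(power),  # assumed name for the page's third argument (100500)
        "action": action,
        # Details are only supplied for ban; unban carries none, as the text notes.
        "details": stdin_text.strip() if action == "ban" else "",
    }


def format_alert(event, timestamp=None):
    """Render one JSON line suitable for syslog or a SIEM's JSON ingest."""
    ts = (timestamp or datetime.now(timezone.utc)).isoformat()
    return json.dumps({"ts": ts, "source": "fastnetmon", **event}, sort_keys=True)


def main():
    # Read stdin only for ban, so a manual unban run does not block on a terminal.
    details = sys.stdin.read() if sys.argv[4:5] == ["ban"] else ""
    try:
        event = parse_event(sys.argv[1:], details)
    except ValueError as exc:
        print(f"notify script: {exc}", file=sys.stderr)
        return 2
    # Replace this print with mail or webhook delivery; stdout suffices for a test run.
    print(format_alert(event))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Invoked exactly like the manual test runs above (`echo ban_details | ./notify.py 11.22.33.44 incoming 100500 ban`), it prints a single JSON object; with a bad direction or a non-numeric power it exits with status 2 and a message on stderr, which FastNetMon's log will capture, rather than silently producing a half-filled alert.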
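A flow spec rule is pushed straight into your routers' forwarding plane, so a typo in a hand-written announce (a prefix with host bits set, a port above 65535, a rate on a discard action, or a rule with no match fields at all) is worth catching before `set flowspec` sends it. The validator below is an added example written for this page, not FastNetMon's or GoBGP's code; it checks the JSON shape shown in the announce above. The match fields and the three action types are taken from this page, while the allowed protocol, TCP-flag and fragment values beyond those on the page are the RFC 5575 names and are an assumption about what FastNetMon accepts.

```python
import ipaddress
import json

# Values on the page plus the remaining RFC 5575 names (assumption: FastNetMon accepts these).
ALLOWED_PROTOCOLS = {"tcp", "udp", "icmp"}
ALLOWED_TCP_FLAGS = {"syn", "ack", "fin", "rst", "psh", "urg"}
ALLOWED_FRAG_FLAGS = {"is-fragment", "dont-fragment", "first-fragment", "last-fragment"}
ALLOWED_ACTIONS = {"accept", "discard", "ratelimit"}
MATCH_FIELDS = {"source_prefix", "destination_prefix", "source_ports", "destination_ports",
                "packet_lengths", "protocols", "fragmentation_flags", "tcp_flags"}

# The announce from the page, as JSON text.
PAGE_EXAMPLE = ('{ "source_prefix": "4.0.0.0/24", "destination_prefix": "127.0.0.0/24", '
                '"destination_ports": [ 80 ], "source_ports": [ 53, 5353 ], '
                '"packet_lengths": [ 777, 1122 ], "protocols": [ "tcp" ], '
                '"fragmentation_flags": [ "is-fragment", "dont-fragment" ], '
                '"tcp_flags": [ "syn" ], "action_type": "ratelimit", "action": { "rate": 1024 } }')


def _check_prefix(value, field, errors):
    # strict=True rejects host bits set in the prefix, which almost always means a typo.
    try:
        ipaddress.ip_network(value, strict=True)
    except ValueError as exc:
        errors.append(f"{field}: {exc}")


def _check_int_list(values, field, lo, hi, errors):
    if not isinstance(values, list):
        errors.append(f"{field}: must be a list")
        return
    for v in values:
        if not isinstance(v, int) or not lo <= v <= hi:
            errors.append(f"{field}: {v!r} outside {lo}..{hi}")


def _check_choice_list(values, field, allowed, errors):
    if not isinstance(values, list):
        errors.append(f"{field}: must be a list")
        return
    for v in values:
        if v not in allowed:
            errors.append(f"{field}: unknown value {v!r}")


def validate_flowspec(text):
    """Return a list of problems with a flow spec announce given as JSON text.

    An empty list means the announce is well-formed: at least one match field,
    valid prefixes, in-range ports and lengths, known flag names, a known
    action_type, and a positive action.rate present only for ratelimit.
    """
    errors = []
    try:
        spec = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at position {exc.pos}"]
    if not isinstance(spec, dict):
        return ["top level must be a JSON object"]

    if not MATCH_FIELDS & spec.keys():
        errors.append("no match fields: the rule would match all traffic")
    for field in ("source_prefix", "destination_prefix"):
        if field in spec:
            _check_prefix(spec[field], field, errors)
    for field in ("source_ports", "destination_ports", "packet_lengths"):
        if field in spec:
            _check_int_list(spec[field], field, 0, 65535, errors)
    for field, allowed in (("protocols", ALLOWED_PROTOCOLS), ("tcp_flags", ALLOWED_TCP_FLAGS),
                           ("fragmentation_flags", ALLOWED_FRAG_FLAGS)):
        if field in spec:
            _check_choice_list(spec[field], field, allowed, errors)

    action_type = spec.get("action_type")
    if action_type not in ALLOWED_ACTIONS:
        errors.append(f"action_type: must be one of {sorted(ALLOWED_ACTIONS)}, got {action_type!r}")
    action = spec.get("action", {})
    rate = action.get("rate") if isinstance(action, dict) else None
    if action_type == "ratelimit":
        if not isinstance(rate, int) or rate <= 0:
            errors.append("action.rate: ratelimit needs a positive integer rate")
    elif rate is not None:
        errors.append(f"action.rate: only meaningful for ratelimit, not {action_type}")
    for key in sorted(spec.keys() - MATCH_FIELDS - {"action_type", "action"}):
        errors.append(f"unknown field {key!r}")
    return errors


if __name__ == "__main__":
    print(validate_flowspec(PAGE_EXAMPLE) or "announce is well-formed")
```

The page's own announce passes with no findings. Note that the RIB output above shows `{Extcomms: [discard]}` for it even though the JSON asked for ratelimit, so after committing an announce always confirm the action in `gobgp global rib -a ipv4-flow` rather than trusting the JSON you typed.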