The following protection scheme is described:
FastNetMon detects the beginning, the end and the characteristics of the attack by analyzing traffic that can be taken from network interfaces or come from aggregators (NetFlow, sFlow). FastNetMon does not detect the source of the attack (sender IP addresses or packet attributes), but it is possible to determine the type of attack and which resources need to be protected.
FastNetMon can call an external program on various events:
The attack report includes (example):
The simplest option for setting up FastNetMon for testing is described here. If you have a deployed FastNetMon, it is enough to configure the integration (highlighted in the text) in this step.
Let’s install FastNetMon (Debian, Ubuntu):
apt install -y fastnetmon
The network of protected resources (for example, 10.0.2.0/24) must be written to a file:
echo "10.0.2.0/24" > /etc/networks_list
FastNetMon is configured in
The distribution version of the file contains many settings with comments; we will use a simpler configuration (finished file).
We will capture traffic through libpcap from the span0 interface (slow method, for tests only!):
pcap = on
interfaces = span0
Let’s configure the analysis of incoming traffic only:
process_incoming_traffic = on
process_outgoing_traffic = off
Notify about attacks; check at least once every 30 seconds whether the attack has ended, and if it has, notify about that too:
enable_ban = on
ban_time = 30
unban_only_if_attack_finished = on
The most important thing is to call the integration script on events related to attacks. The script needs details about the attack (the report), while per-packet descriptions are not needed:
notify_script_path = /usr/local/bin/fastnetmon.py
notify_script_pass_details = on
ban_details_records_count = 0
Let’s disable the capture of traffic samples in PCAP format and their processing. In practice this can be useful, but for our purposes it is not necessary:
collect_attack_pcap_dumps = off
process_pcap_attack_dumps_with_dpi = off
Finally, the traffic limits. For simplicity, we will limit only the total traffic in packets and bytes. You can also set limits separately for TCP, UDP and ICMP traffic, as well as for the number of connections (you need to enable their tracking):
ban_for_pps = on
ban_for_bandwidth = on
threshold_pps = 20000
threshold_mbps = 1000
Also, FastNetMon allows you to set different limits for groups of subnets, but during the notification it will not be known for which group the limit has been exceeded - this can only be determined by the attacked address.
fastnetmon.py (download), which parses the parameters and the attack report to manage MITIGATOR via
Let’s place the scripts on the machine with FastNetMon (wget -O cannot write to a directory, so the files are saved into /usr/local/bin with -P, keeping their names):
wget https://docs.mitigator.ru/v22.06/integrate/mitigator.py -P /usr/local/bin
wget https://docs.mitigator.ru/v22.06/integrate/fastnetmon/fastnetmon.py -P /usr/local/bin
In /usr/local/bin/fastnetmon.py you need to configure access to MITIGATOR:
SERVER = 'mitigator.local'
USER = 'admin'
PASSWORD = 'admin'
EXTRA = ['--no-verify']
LOG = '/var/log/fastnetmon-mitigator.log'
In addition to the MITIGATOR address (SERVER), login (USER) and password (PASSWORD), you can specify additional options for mitigator.py (EXTRA). In this case, TLS verification is disabled, which is relevant if the certificate is self-signed.
The policy_by_ip() function translates the attacked resource’s IP address into the MITIGATOR policy ID (the number after policies/ in the URL, for example policies/42). The example always selects the default policy:
def policy_by_ip(ip):
    return 1
The script works like this:
The process relies on the fact that TCP is protected by a dedicated countermeasure, dropping ICMP can be configured in the ACL (not recommended as a permanent setting, but acceptable under attack), and other traffic can be limited by volume.
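As an added illustration of that decision logic (example code, not the fastnetmon.py shipped with MITIGATOR), the following Python sketch parses the notify-script invocation and the attack report and returns the steps to apply. It assumes FastNetMon invokes the script as <ip> <direction> <pps> <action> with the report on stdin; the step names and the sample report are constructed for this example.

```python
import sys
# Constructed sample of the report FastNetMon passes on stdin when
# notify_script_pass_details = on ("Key: value" lines; values are made up).
SAMPLE_REPORT = """IP: 10.0.2.254
Attack type: icmp_flood
Initial attack power: 45000 packets per second
Total incoming traffic: 24 mbps
"""

# Report attack type -> MITIGATOR step, following the scheme above: TCP floods get the
# TCP countermeasure, ICMP is dropped by the ACL rule, anything else is limited by volume.
STEP_FOR_TYPE = {"syn_flood": "enable_tcp_countermeasure",
                 "icmp_flood": "enable_acl_countermeasure"}
DEFAULT_STEP = "enable_rate_limit"  # step names are labels for this example only


def policy_by_ip(ip):
    return 1  # attacked address -> MITIGATOR policy ID; always the default here


def parse_report(text):
    """Collect the 'Key: value' lines of the report into a dict (first one wins)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and key.strip() not in fields:
            fields[key.strip()] = value.strip()
    return fields


def plan(argv, report_text=""):
    """argv is [ip, direction, pps, action] as the notify script receives it.
    Returns the ordered list of (policy_id, step) to apply on MITIGATOR."""
    if len(argv) != 4:
        raise ValueError("usage: <ip> <incoming|outgoing> <pps> <ban|unban|attack_details>")
    ip, direction, _pps, action = argv
    policy = policy_by_ip(ip)
    if action == "unban":  # attack finished: switch everything off again
        return [(policy, "disable_countermeasures"), (policy, "disable_protection")]
    if action != "ban" or direction != "incoming":  # details-only events, outgoing: nothing to do
        return []
    attack_type = parse_report(report_text).get("Attack type", "unknown")
    return [(policy, "enable_protection"), (policy, STEP_FOR_TYPE.get(attack_type, DEFAULT_STEP))]


if __name__ == "__main__":
    with open("/var/log/fastnetmon-mitigator.log", "a") as log:  # the LOG path set above
        for policy, step in plan(sys.argv[1:], sys.stdin.read()):
            log.write(f"policy {policy}: {step}\n")
```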
Let’s enable general protection on MITIGATOR.
In the policy, we will set by default:
a drop icmp rule for the ACL countermeasure;
We won’t enable policy protection or countermeasures - the script will do that.
Let’s start an ICMP flood (using the hping3 utility from the hping3 package) against the victim address from the protected subnet:
hping3 --icmp --flood 10.0.2.254
After a few seconds, FastNetMon will detect the attack, policy protection and ACL countermeasure will be enabled on MITIGATOR, and traffic will start dropping.
After the attack is stopped, the defenses will be turned off in 30 seconds.
In case of any problems, errors will be written to the FastNetMon log (/var/log/fastnetmon.log) and to the script log (the LOG path configured above, /var/log/fastnetmon-mitigator.log).