FastNetMon Integration

The following protection scheme is described:

  • FastNetMon analyzes traffic, detects attacks and calls the script at the beginning and end of attacks.
  • The script analyzes the FastNetMon report and switches the protection status on MITIGATOR depending on the characteristics of the attack.

FastNetMon overview

FastNetMon detects the beginning, the end and the characteristics of the attack by analyzing traffic that can be taken from network interfaces or come from aggregators (NetFlow, sFlow). FastNetMon does not detect the source of the attack (sender IP addresses or packet attributes), but it is possible to determine the type of attack and which resources need to be protected.

FastNetMon can call an external program on various events:

  • The beginning of attack (ban);
  • report on attack (attack_details);
  • the end of the attack (unban).

The attack report includes (example):

  • attacked IP address (protected resource);
  • attack vector (anomaly of incoming or outgoing traffic);
  • type of attack (SYN flood, ICMP flood, IP fragmentation or unknown);
  • the protocol at the level of which the attack occurs;
  • attack traffic statistics;
  • (optional) a sample of the attack traffic in text form.

FastNetMon srtup

The simplest option for setting up FastNetMon for testing is described here. If you have a deployed FastNetMon, it is enough to configure the integration (highlighted in the text) in this step.

Let’s intall FastNetMon (Debian, Ubuntu):

apt install -y fastnetmon

The network of protected resources (for example, 10.0.2.0/24) must be written to a file:

echo "10.0.2.0/24" > /etc/networks_list

FastNetMon is configured in /etc/fastnetmon.conf. There are many settings with comments in Distribution version; we will make simpler settings (finished file).

We will capture traffic through libpcap from the span0 interface (slow method for tests only!):

pcap = on
interfaces = span0

Let’s configure the analysis of incoming traffic only:

process_incoming_traffic = on
process_outgoing_traffic = off

Notify about attacks; check if the attack has ended at least once every 30 seconds, and if it has, notify about it:

enable_ban = on
ban_time = 30
unban_only_if_attack_finished = on

The most important thing is to call the integration script on events related to attacks. The script needs details about the attack (report), while package descriptions are not needed:

notify_script_path = /usr/local/bin/fastnetmon.py
notify_script_pass_details = on
ban_details_records_count = 0

Let’s disable the capture of traffic samples in PCAP format and their processing. In practice, this can be useful, but for our purposes it is not necessary:

collect_attack_pcap_dumps = off
process_pcap_attack_dumps_with_dpi = off

Finally, traffic limits. For simplicity, we will limit only the total traffic in packets and bytes. You can also set limits separately on TCP, UDP, and ICMP traffic, as well as on the number of connections (you need to enable their tracking):

ban_for_pps = on
ban_for_bandwidth = on

threshold_pps = 20000
threshold_mbps = 1000

Also, FastNetMon allows you to set different limits for groups of subnets, but during the notification it will not be known for which group the limit has been exceeded - this can only be determined by the attacked address.

Configuring the response script

FastNetMon calls fastnetmon.py (download) which parses parameters and attack report to manage MITIGATOR via mitigator.py (download)).

Let’s place the scripts on the machine with FastNetMon:

wget https://docs.mitigator.ru/v22.06/integrate/mitigator.py -O /usr/local/bin
wget https://docs.mitigator.ru/v22.06/integrate/fastnetmon/fastnetmon.py \
        -O /usr/local/bin

In /usr/local/bin/fastnetmon.py you need to configure access to Mitigator:

SERVER = 'mitigator.local'
USER = 'admin'
PASSWORD = 'admin'
EXTRA = ['--no-verify']
LOG = '/var/log/fastnetmon-mitigator.log'

In addition to the MITIGATOR address (SERVER), login (USER) and password (PASSWORD), you can specify additional options in mitigator.py. In this case, TLS verification is disabled, which is relevant if the certificate is self-signed.

The policy_by_ip() function translates the attacked resource’s IP address into the MITIGATOR policy ID (42 of policies/42 in the URL). The example always selects the default policy:

def policy_by_ip(ip):
    return 1

The script works like this:

  • When an attack starts, it turns on the protection policy.
  • According to the attack report:
    • in case of SYN flood or attack on TCP, enable TCP countermeasure;
    • in case of ICMP flood or attack on ICMP, enable the ACL countermeasure
    • otherwise, enable the SORB countermeasure.
  • Turn off TCP countermeasures, ACLs, SORBs, and security policy when the attack ends.

The process relies on the fact that TCP is protected by a special countermeasure, ICMP reset can be configured in ACL (which is not recommended, but acceptable under attack), and other traffic can be limited by volume.

Checking work

Let’s enable general protection on MITIGATOR.

In the policy, we will set by default:

  • drop icmp rule for the ACL countermeasure;
  • Threshold for packets as 100 in the SORB countermeasures, sending trespassers to the temporary black list.

We won’t enable policy protection or countermeasures - the script will do that.

Let’s start ICMP flood (using the hping3 utility from the hping3 package) using the victim address from the protected subnet:

hping3 --icmp --flood 10.0.2.254

After a few seconds, FastNetMon will detect the attack, policy protection and ACL countermeasure will be enabled on MITIGATOR, and traffic will start dropping.

After the attack is stopped, the defenses will be turned off in 30 seconds.

In case of any problems, errors will be written to the FastNetMon log (/var/log/fastnetmon.log) and script log (/var/log/fastnetmon-mitigator.log).