FastNetMon Integration
The following protection scheme is described:
- FastNetMon analyzes traffic, detects attacks and calls the script at the beginning and end of attacks.
- The script analyzes the FastNetMon report and switches the protection status on MITIGATOR depending on the characteristics of the attack.
FastNetMon overview
FastNetMon detects the beginning, the end and the characteristics of the attack by analyzing traffic that can be taken from network interfaces or come from aggregators (NetFlow, sFlow). FastNetMon does not detect the source of the attack (sender IP addresses or packet attributes), but it is possible to determine the type of attack and which resources need to be protected.
FastNetMon can call an external program on various events:
- The beginning of attack (
ban
); - report on attack (
attack_details
); - the end of the attack (
unban
).
The attack report includes (example):
- attacked IP address (protected resource);
- attack vector (anomaly of incoming or outgoing traffic);
- type of attack (SYN flood, ICMP flood, IP fragmentation or unknown);
- the protocol at the level of which the attack occurs;
- attack traffic statistics;
- (optional) a sample of the attack traffic in text form.
FastNetMon srtup
The simplest option for setting up FastNetMon for testing is described here. If you have a deployed FastNetMon, it is enough to configure the integration (highlighted in the text) in this step.
Let’s intall FastNetMon (Debian, Ubuntu):
apt install -y fastnetmon
The network of protected resources (for example, 10.0.2.0/24) must be written to a file:
echo "10.0.2.0/24" > /etc/networks_list
FastNetMon is configured in /etc/fastnetmon.conf
.
There are many settings with comments in Distribution version;
we will make simpler settings (finished file).
We will capture traffic through libpcap from the span0
interface
(slow method for tests only!):
pcap = on
interfaces = span0
Let’s configure the analysis of incoming traffic only:
process_incoming_traffic = on
process_outgoing_traffic = off
Notify about attacks; check if the attack has ended at least once every 30 seconds, and if it has, notify about it:
enable_ban = on
ban_time = 30
unban_only_if_attack_finished = on
The most important thing is to call the integration script on events related to attacks. The script needs details about the attack (report), while package descriptions are not needed:
notify_script_path = /usr/local/bin/fastnetmon.py
notify_script_pass_details = on
ban_details_records_count = 0
Let’s disable the capture of traffic samples in PCAP format and their processing. In practice, this can be useful, but for our purposes it is not necessary:
collect_attack_pcap_dumps = off
process_pcap_attack_dumps_with_dpi = off
Finally, traffic limits. For simplicity, we will limit only the total traffic in packets and bytes. You can also set limits separately on TCP, UDP, and ICMP traffic, as well as on the number of connections (you need to enable their tracking):
ban_for_pps = on
ban_for_bandwidth = on
threshold_pps = 20000
threshold_mbps = 1000
Also, FastNetMon allows you to set different limits for groups of subnets, but during the notification it will not be known for which group the limit has been exceeded - this can only be determined by the attacked address.
Configuring the response script
FastNetMon calls fastnetmon.py
(download) which parses
parameters and attack report to manage MITIGATOR via mitigator.py
(download)).
Let’s place the scripts on the machine with FastNetMon:
wget https://docs.mitigator.ru/v23.08/integrate/mitigator.py -O /usr/local/bin
wget https://docs.mitigator.ru/v23.08/integrate/fastnetmon/fastnetmon.py \
-O /usr/local/bin
In /usr/local/bin/fastnetmon.py
you need to configure access to MITIGATOR:
SERVER = 'mitigator.local'
USER = 'admin'
PASSWORD = 'admin'
EXTRA = ['--no-verify']
LOG = '/var/log/fastnetmon-mitigator.log'
In addition to the MITIGATOR address (SERVER
), login (USER
) and password
(PASSWORD
), you can specify additional options in mitigator.py
. In this
case, TLS verification is disabled, which is relevant if the certificate is
self-signed.
The policy_by_ip()
function translates the attacked resource’s IP address
into the MITIGATOR policy ID (42 of policies/42
in the URL). The example
always selects the default policy:
def policy_by_ip(ip):
return 1
The script works like this:
- When an attack starts, it turns on the protection policy.
- According to the attack report:
- in case of SYN flood or attack on TCP, enable TCP countermeasure;
- in case of ICMP flood or attack on ICMP, enable the ACL countermeasure
- otherwise, enable the SORB countermeasure.
- Turn off TCP countermeasures, ACLs, SORBs, and security policy when the attack ends.
The process relies on the fact that TCP is protected by a special countermeasure, ICMP reset can be configured in ACL (which is not recommended, but acceptable under attack), and other traffic can be limited by volume.
Checking work
Let’s enable general protection on MITIGATOR.
In the policy, we will set by default:
drop icmp
rule for the ACL countermeasure;- Threshold for packets as 100 in the SORB countermeasures, sending trespassers to the temporary black list.
We won’t enable policy protection or countermeasures - the script will do that.
Let’s start ICMP flood (using the hping3
utility from the hping3
package) using
the victim address from the protected subnet:
hping3 --icmp --flood 10.0.2.254
After a few seconds, FastNetMon will detect the attack, policy protection and ACL countermeasure will be enabled on MITIGATOR, and traffic will start dropping.
After the attack is stopped, the defenses will be turned off in 30 seconds.
In case of any problems, errors will be written to the FastNetMon log
(/var/log/fastnetmon.log
) and script log
(/var/log/fastnetmon-mitigator.log
).