New to fastmon....


Jens Jönsson

Dec 20, 2020, 2:15:20 PM
to FastNetMon user group
Hi!

Have just setup FastNetMon (CE edition) and it seems to work.

FastNetMon 1.1.9 master git-bd0ca5bce1b3b886033779b9fd3ed49265962787 Try Advanced edition: https://fastnetmon.com
IPs ordered by: packets
Incoming traffic        108767 pps     70 mbps     78 flows
XXX.XXX.XXX.38           28758 pps     18 mbps     17 flows  *banned*
XXX.XXX.XXX.36           28452 pps     18 mbps     14 flows  *banned*
XXX.XXX.XXX.35           16944 pps     11 mbps      9 flows  *banned*
XXX.XXX.XXX.41           12055 pps      7 mbps      5 flows
XXX.XXX.XXX.37            6688 pps      4 mbps      2 flows
XXX.XXX.XXX.40            4105 pps      2 mbps      1 flows
XXX.XXX.XXX.42            3374 pps      2 mbps      1 flows

Outgoing traffic         61205 pps     36 mbps     52 flows
XXX.XXX.XXX.38           16666 pps      9 mbps     10 flows  *banned*
XXX.XXX.XXX.36           15535 pps      9 mbps      8 flows  *banned*
XXX.XXX.XXX.35            9291 pps      5 mbps      4 flows  *banned*
XXX.XXX.XXX.41            6668 pps      4 mbps      3 flows
XXX.XXX.XXX.37            4321 pps      2 mbps      0 flows
XXX.XXX.XXX.42            2643 pps      1 mbps      0 flows
XXX.XXX.XXX.40            2459 pps      1 mbps      0 flows

Internal traffic             0 pps      0 mbps

Other traffic                0 pps      0 mbps

Screen updated in:              0 sec 393 microseconds
Traffic calculated in:          0 sec 301 microseconds
Not processed packets: 0 pps

Ban list:
XXX.XXX.XXX.35/20365 pps incoming at 20_12_20_19:52:32
XXX.XXX.XXX.36/31575 pps incoming at 20_12_20_19:50:34
XXX.XXX.XXX.38/31492 pps incoming at 20_12_20_19:50:26

Except that the bandwidth shown is not correct. All the IP-addresses shown are our CGNAT public IP-addresses.
Incoming traffic at 70 mbps corresponds to our upstream bandwidth usage.
Outgoing traffic at 36 mbps does not correspond to anything. If it's our downstream traffic, it should be 1300 mbps.

It looks to me like I have to adjust some thresholds, since some of the IP-addresses show up as banned?

I have configured sFlow on our BGP EdgeRouter, on the interface connected to our upstream provider's router.

Any help is appreciated :-)

THX

Jens

Pavel Odintsov

Dec 20, 2020, 2:25:41 PM
to Jens Jönsson, FastNetMon user group
Hello!

Thank you for the detailed email!

Yep, it may show reversed direction as we use our own approach to detect incoming and outgoing direction.

Incoming is traffic which has a dst_ip which belongs to your network ranges; outgoing traffic is traffic which has a src_ip which belongs to your ranges.

EdgeRouter uses old Vyatta logic which is known to have issues with sFlow.

I can suggest changing sampling rate to 1:1024 or 1:2048.

Also, sFlow can show you only external IP ranges, there are no options to look on internal IPs. To track usage for internal interfaces you need to monitor internal interface instead. 


--
Follow us on social media: Twitter: https://twitter.com/fastnetmon | Facebook: https://www.facebook.com/fastnetmon/ | LinkedIn: https://www.linkedin.com/company/fastnetmon/
---
You received this message because you are subscribed to the Google Groups "FastNetMon user group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fastnetmon+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/fastnetmon/cceeba29-1c36-4ee0-b216-0c17c3a25246n%40googlegroups.com.
--
Sincerely yours, Pavel Odintsov
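As an added illustration of the direction rule Pavel describes (this is example code, not FastNetMon's own code or anything posted in the thread): sampled flow records are classified by whether the source or destination address falls inside the operator's own prefixes, and 1:N samples are expanded into a per-host pps estimate. The prefixes and samples are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for the anonymised XXX.XXX.XXX.0 addresses above.

```python
import ipaddress
from collections import defaultdict

# Constructed example: the operator's own announced prefixes. 203.0.113.0/24 is a
# documentation range standing in for the XXX.XXX.XXX.0 network in the thread.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sFlow-style samples: (src_ip, dst_ip, sampling_rate). With 1:N
# sampling, every exported sample stands for N packets on the wire.
SAMPLES = [
    ("198.51.100.7", "203.0.113.38", 1024),  # internet -> own IP   : incoming
    ("198.51.100.9", "203.0.113.38", 1024),  # internet -> own IP   : incoming
    ("203.0.113.38", "198.51.100.7", 1024),  # own IP -> internet   : outgoing
    ("203.0.113.38", "203.0.113.36", 1024),  # own -> own           : internal
    ("198.51.100.1", "198.51.100.2", 1024),  # neither side is ours : other
]

def is_own(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWN_PREFIXES)

def direction(src, dst):
    """Apply the rule from the reply above: a packet whose dst_ip is in our
    ranges is incoming, one whose src_ip is in our ranges is outgoing. Both or
    neither give the 'Internal' and 'Other' rows of the FastNetMon screen."""
    src_own, dst_own = is_own(src), is_own(dst)
    if src_own and dst_own:
        return "internal"
    if dst_own:
        return "incoming"
    if src_own:
        return "outgoing"
    return "other"

def per_host_pps(samples, interval_s):
    """Estimate packets per second for each own IP and direction: expand each
    sample by its sampling rate, attribute it to the own-side address, and
    divide by the length of the collection window."""
    packets = defaultdict(int)
    for src, dst, rate in samples:
        d = direction(src, dst)
        if d == "incoming":
            packets[(dst, d)] += rate
        elif d == "outgoing":
            packets[(src, d)] += rate
        elif d == "internal":
            packets[(dst, d)] += rate   # count internal traffic on the receiver
        # 'other' traffic belongs to no own host and is not attributed
    return {key: count / interval_s for key, count in packets.items()}
```

A CGNAT gateway shows up in both the incoming and outgoing tables simply because it is the own-side address of every translated flow, which is why both rows in the screens above carry the same handful of IPs.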

Jens Jönsson

Dec 20, 2020, 2:55:04 PM
to FastNetMon user group
Hi Pavel,

Thx for fast answer :-)

sFlow was configured for a 1024 sampling rate. Makes no difference.

So Ubiquiti EdgeRouter's sFlow does not work correctly? Or do I misunderstand?

I want to see which of the listed IP-addresses (it is usually our CGNAT gateway) is the target for DDOS, but from what I see now all are?
And that is not useful in any way, or do I misread the output?

Jens

Pavel Odintsov

Dec 20, 2020, 3:26:26 PM
to Jens Jönsson, FastNetMon user group
Hello!

It actually depends what you mean by incorrect. Is it over-counting traffic? Is it under-counting traffic? By how much? sFlow provides extremely precise traffic bandwidth metrics in almost all cases. When it does not, it means that your device implements something wrong.

FastNetMon tracks traffic from / to your own IP address space. That's the main point of it. That's the only thing which can be changed in case of a volumetric attack. And as the only mitigation option it blocks your own IP address, and that's the only thing which can be implemented in such circumstances.

Visibility of attackers provides no insights for multiple reasons:
1) There are thousands of them or even hundreds of thousands (i.e. amplification attack vectors)
2) They are not real (spoofing attack vectors)
3) Even if you know them you cannot cut them on upstream side

For these reasons FastNetMon tracks only traffic from / to your hosts.





Jens Jönsson

Dec 20, 2020, 3:38:44 PM
to FastNetMon user group
Pavel,

I understand that. But it is telling me that attacks are going on constantly. It's not.

We did have a small DDOS attack today. That was why I stumbled over FastNetMon and someone else did also point me to it.
I don't know how the threshold is set before it bans an IP. But it certainly does not look correct to me. We don't have a constantly ongoing DDOS against our CGNAT devices as shown.

This is from the log...

2020-12-20 21:21:01,632 [INFO] Attack with direction: incoming IP: XXX.XXX.XXX.41 Power: 20224
2020-12-20 21:21:01,632 [INFO] Call script for ban client: XXX.XXX.XXX.41
2020-12-20 21:21:01,632 [INFO] Script for ban client is finished: XXX.XXX.XXX.41
2020-12-20 21:21:01,636 [INFO] Subprocess exit code: 0
2020-12-20 21:21:06,034 [INFO] Attack with direction: incoming IP: XXX.XXX.XXX.41 Power: 20224 traffic samples collected
2020-12-20 21:21:06,034 [INFO] Call script for notify about attack details for: XXX.XXX.XXX.41
2020-12-20 21:21:06,034 [INFO] Script for notify about attack details is finished: XXX.XXX.XXX.41
2020-12-20 21:21:06,037 [INFO] Subprocess exit code: 0
2020-12-20 21:26:08,765 [INFO] We expected very strange situation: attack direction for XXX.XXX.XXX.38 was changed
2020-12-20 21:26:09,766 [INFO] We expected very strange situation: attack direction for XXX.XXX.XXX.38 was changed
2020-12-20 21:26:12,767 [INFO] We expected very strange situation: attack direction for XXX.XXX.XXX.36 was changed
2020-12-20 21:31:00,069 [ERROR] Attack to IP XXX.XXX.XXX.36 still going! We should not unblock this host
2020-12-20 21:31:00,069 [ERROR] Attack to IP XXX.XXX.XXX.38 still going! We should not unblock this host

And here is how it looks.....


FastNetMon 1.1.9 master git-bd0ca5bce1b3b886033779b9fd3ed49265962787 Try Advanced edition: https://fastnetmon.com
IPs ordered by: packets
Incoming traffic        106697 pps     69 mbps     46 flows
XXX.XXX.XXX.38           25310 pps     16 mbps      9 flows  *banned*
XXX.XXX.XXX.36           20508 pps     13 mbps      6 flows  *banned*
XXX.XXX.XXX.35           18812 pps     12 mbps      5 flows  *banned*
XXX.XXX.XXX.41           15444 pps     10 mbps      5 flows  *banned*
XXX.XXX.XXX.40            5020 pps      3 mbps      0 flows
XXX.XXX.XXX.37            4783 pps      3 mbps      0 flows
XXX.XXX.XXX.42            4513 pps      2 mbps      0 flows

Outgoing traffic         74805 pps     45 mbps     34 flows
XXX.XXX.XXX.38           21941 pps     13 mbps      8 flows  *banned*
XXX.XXX.XXX.36           15172 pps      9 mbps      4 flows  *banned*
XXX.XXX.XXX.41            9743 pps      5 mbps      2 flows  *banned*
XXX.XXX.XXX.35            8259 pps      5 mbps      2 flows  *banned*
XXX.XXX.XXX.40            3853 pps      2 mbps      0 flows
XXX.XXX.XXX.42            3797 pps      2 mbps      0 flows
XXX.XXX.XXX.37            3373 pps      2 mbps      0 flows

Internal traffic             0 pps      0 mbps

Other traffic                0 pps      0 mbps

Screen updated in:              0 sec 188 microseconds
Traffic calculated in:          0 sec 321 microseconds
Not processed packets: 0 pps


Jens

Pavel Odintsov

Dec 20, 2020, 3:45:17 PM
to Jens Jönsson, FastNetMon user group
Hello!

That's expected to see attacks constantly because default thresholds are based on values per single server. They're 


You just need to align them with peak traffic per each CGNAT IP.

FastNetMon is mostly a network automation tool and it needs input about your network. 


Jens Jönsson

Dec 20, 2020, 5:17:18 PM
to FastNetMon user group
Okay,

Any recommendations for those numbers ?

:-) Jens

Eduardo Schoedler

Dec 20, 2020, 5:18:58 PM
to Jens Jönsson, FastNetMon user group
Hi,

On Sun, Dec 20, 2020 at 19:17, Jens Jönsson <jens.j...@gmail.com> wrote:
> Okay,
>
> Any recommendations for those numbers ?

Your network will tell you that.

Regards,

--
Eduardo Schoedler 

Pavel Odintsov

Dec 20, 2020, 5:26:08 PM
to Eduardo Schoedler, Jens Jönsson, FastNetMon user group
Hello!

Yep, thresholds are very network-specific and they're unique for each network.

Typically, we recommend enabling InfluxDB / Graphite metrics export, then checking peak traffic over one week, and then multiplying this number by 100-200%; that gives you a good value for the baseline.



Pavel Odintsov

Dec 20, 2020, 5:26:45 PM
to Eduardo Schoedler, Jens Jönsson, FastNetMon user group
Hello!

One more thing! You may check our script for the Advanced version as an example: https://fastnetmon.com/docs-fnm-advanced/fastnetmon-naseline-calculation/
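A worked version of the baselining advice in this and the previous reply (an added example, not FastNetMon's baseline script and not code from anyone in the thread): take the weekly peak per CGNAT IP and direction from exported metrics, scale it by a headroom factor, and derive the single pps threshold that keeps every host's normal peak below the ban line. The readings are constructed from the peaks visible in the screens above with 203.0.113.0/24 standing in for the anonymised network, the headroom of 2.0 is an assumed choice within the 100-200% the reply mentions, the 20000 pps default is inferred from the ban list entries and `Power:` values that fire just above it, and a single global threshold is assumed rather than per-hostgroup settings.

```python
from collections import defaultdict

# Constructed one-week history: (own_ip, direction, pps) readings as they might
# be pulled back from the InfluxDB / Graphite export mentioned above. The values
# reuse peaks seen in the thread's screens; 203.0.113.0/24 is a documentation
# range standing in for the anonymised XXX.XXX.XXX.0 network.
WEEKLY_PPS = [
    ("203.0.113.38", "incoming", 25310), ("203.0.113.38", "incoming", 28758),
    ("203.0.113.38", "incoming", 31492), ("203.0.113.38", "outgoing", 21941),
    ("203.0.113.36", "incoming", 20508), ("203.0.113.36", "incoming", 31575),
    ("203.0.113.36", "outgoing", 15535), ("203.0.113.41", "incoming", 15444),
]

def weekly_peaks(readings):
    """Highest observed pps per (host, direction) over the whole window."""
    peaks = defaultdict(int)
    for host, direction, pps in readings:
        peaks[(host, direction)] = max(peaks[(host, direction)], pps)
    return dict(peaks)

def baseline_thresholds(readings, headroom=2.0, floor=1000):
    """Ban threshold per host and direction: the weekly peak scaled by an
    assumed headroom factor (2.0 is one choice inside the 100-200% range the
    reply gives), never below `floor` so a quiet host does not end up with a
    threshold of a few packets per second."""
    return {key: max(floor, int(round(peak * headroom)))
            for key, peak in weekly_peaks(readings).items()}

def shared_threshold(thresholds, direction):
    """Assuming one global pps threshold for all hosts, the value that keeps
    every CGNAT IP below the ban line is the largest per-host threshold in
    that direction. Returns None when no host has data for the direction."""
    values = [v for (host, d), v in thresholds.items() if d == direction]
    return max(values) if values else None

def hosts_over(readings, threshold_pps=20000):
    """Own hosts whose ordinary incoming peak already exceeds a threshold; with
    the per-server default these are exactly the hosts that will be banned
    during normal traffic, which is what the screens above show."""
    return sorted(host for (host, d), peak in weekly_peaks(readings).items()
                  if d == "incoming" and peak > threshold_pps)
```

Re-run the calculation after any change in customer count behind the CGNAT, since the peaks move with it and a stale baseline reintroduces the false bans.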