Detection/Mitigation capabilities


GG

Jan 13, 2021, 6:30:32 PM1/13/21
to FastNetMon user group
Hi Pavel,

The docs indicate the following detection capabilities:
  • Flexible detection engine with support for DoS/DDoS attack types: amplification (NTP, SNMP, SSDP, DNS, GRE, chargen and other), floods (UDP, TCP, ICMP), attacks on tcp protocol (syn, syn-ack, fin floods), attacks on IP protocol (fragmented packets) and other. Including support for multi-vector attacks.
How's FNM capable of detecting reflection attacks? I don't see any threshold settings for those types of attack.

Regards,
GG

Pavel Odintsov

Jan 13, 2021, 6:41:53 PM1/13/21
to GG, FastNetMon user group
Hello!

These attack types can be detected by Flow Spec detection engine. You can check details about it here: https://fastnetmon.com/fastnetmon-flow-spec-mitigation-mode-algorithm-details/

For blackhole mode we have no special logic to detect them, it's only threshold based.

--
Follow us on social media: Twitter: https://twitter.com/fastnetmon | Facebook: https://www.facebook.com/fastnetmon/ | LinkedIn: https://www.linkedin.com/company/fastnetmon/


--
Pavel Odintsov

gaston gutierrez

Jan 13, 2021, 7:35:08 PM1/13/21
to Pavel Odintsov, FastNetMon user group
So Flowspec mode can detect threshold based attacks as well? So would it be possible to set fastnetmon in Flowspec mode for the most complete detection engine, and trigger blackholes externally checking pps/mbps metrics through the API? Would that be the current way to enable all detection and mitigation features at the same time?

Pavel Odintsov

Jan 13, 2021, 7:39:19 PM1/13/21
to gaston gutierrez, FastNetMon user group
Hello!

No, you cannot use it this way. Even flow spec mode requires a threshold for the initial capture to collect a sample which will be processed by the flow spec detection engine. There is no magic way to detect attacks, you still need thresholds.

--
Pavel Odintsov

gaston gutierrez

Jan 13, 2021, 7:46:55 PM1/13/21
to Pavel Odintsov, FastNetMon user group
Pavel,

I think I didn't make myself clear. What I meant is we should be able to enable flowspec mode, and detect floods, reflections, etc., and trigger flowspec advertisements to mitigate those attacks. And then have an external script triggering BGP blackhole routes (not flowspec) with custom thresholds, checking mbps/pps metrics through the API.

gaston gutierrez

Jan 13, 2021, 7:52:28 PM1/13/21
to Pavel Odintsov, FastNetMon user group
Or perhaps that can't be done because pps/mbps metric for all flows are not exposed through the API...

Pavel Odintsov

Jan 13, 2021, 8:01:32 PM1/13/21
to gaston gutierrez, FastNetMon user group
Hello!

We have an escalation logic implementation.

It uses an API call to track bandwidth usage and then uses escalation.

Per flow traffic rates are not exposed because we do not calculate them. We calculate them only when a specific host exceeded a threshold.

--
Pavel Odintsov

GG

Jan 15, 2021, 5:03:08 PM1/15/21
to FastNetMon user group
Pavel,

How can FNM detect reflection attacks (DNS, NTP, etc.) when using SFlow as input for detection, and in Flowspec mode? According to the Docs Flowspec mode detection engine only uses L3/L4 information, so this would mean FNM is not considering DNS/NTP headers for detection (e.g. using GET_MONLIST command for NTP reflection attacks)? Is reflection attack detection with Sflow input and flowspec mode something available in the community version so that I can read the source code and understand how it's doing it? If not, can you provide a description of how that works?

Regards,
GG

Pavel Odintsov

Jan 15, 2021, 5:37:48 PM1/15/21
to GG, FastNetMon user group
Hello!

FastNetMon can detect these attacks only if you set thresholds for them using the following available thresholds

That's the only available detection logic. sFlow, Netflow and even SPAN offer exactly the same detection capabilities. There are no differences between them.

Flow spec mode is not magic, it's just a more flexible detection engine which runs after attack detection via thresholds specified by you. After that, it tries to find anomalies. That's how it can defend against amplification attack types or any kind of L3 / L4 attacks.

--
Pavel Odintsov
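The two-stage model described in the thread (a per-host threshold arms the engine, then an L3/L4 anomaly search runs over the captured sample, with blackhole as the fallback when no single feature dominates) as an added Python illustration; this is not FastNetMon's code, and the sampling ratio, window, thresholds, 80% share cutoff, flowspec-style match keys and the sample records are all constructed assumptions.

```python
from collections import Counter, defaultdict

SAMPLE_RATE = 1000      # assumed sFlow sampling ratio (1 of every 1000 packets)
WINDOW_SECONDS = 10     # assumed capture window used for the pps estimate
PPS_THRESHOLD = 50_000  # assumed per-host packets-per-second threshold
DOMINANT_SHARE = 0.8    # assumed: one L3/L4 value must carry 80% of sampled packets

# Constructed sFlow-style sample: (dst_host, src_ip, proto, src_port, dst_port, sampled_packets)
FLOWS = [
    ("203.0.113.10", "198.51.100.1", 17, 123, 40001, 300),  # NTP reflection toward .10
    ("203.0.113.10", "198.51.100.2", 17, 123, 40002, 250),
    ("203.0.113.10", "198.51.100.3", 17, 123, 40003, 200),
    ("203.0.113.10", "192.0.2.7", 6, 443, 51000, 20),       # legitimate HTTPS to .10
    ("203.0.113.20", "192.0.2.8", 6, 443, 51001, 15),       # quiet host, stays below threshold
    ("203.0.113.30", "198.51.100.9", 6, 40000, 80, 300),    # mixed flood toward .30
    ("203.0.113.30", "198.51.100.10", 17, 40001, 53, 300),
]

def host_pps(flows):
    """Stage 1 input: estimated packets per second per destination host."""
    pps = defaultdict(float)
    for dst, _src, _proto, _sp, _dp, n in flows:
        pps[dst] += n * SAMPLE_RATE / WINDOW_SECONDS
    return dict(pps)

def find_dominant_l3l4(flows, host):
    """Stage 2: L3/L4 values that each carry most of the host's sampled packets."""
    recs = [f for f in flows if f[0] == host]
    total = sum(f[5] for f in recs)
    match = {}
    for key, idx in (("protocol", 2), ("source-port", 3), ("destination-port", 4)):
        counts = sum((Counter({f[idx]: f[5]}) for f in recs), Counter())
        value, n = counts.most_common(1)[0]
        if n / total >= DOMINANT_SHARE:
            match[key] = value
    return match

def mitigation_plan(flows):
    """Hosts over threshold get a flowspec-style match if an anomaly stands out, else blackhole."""
    plan = {}
    for host, rate in host_pps(flows).items():
        if rate < PPS_THRESHOLD:
            continue
        match = find_dominant_l3l4(flows, host)
        plan[host] = ({"action": "flowspec", "match": {"destination": host, **match}}
                      if match else {"action": "blackhole"})
    return plan
```

Calling `mitigation_plan(FLOWS)` yields a UDP/source-port-123 flowspec match for 203.0.113.10, a blackhole for 203.0.113.30 (no dominant field), and nothing for 203.0.113.20.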