pavel-odintsov / fastnetmon

FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
https://fastnetmon.com
GNU General Public License v2.0

Feature request: Process outgoing traffic but don't ban #562

Open zenvdeluca opened 8 years ago

zenvdeluca commented 8 years ago

Currently we have a global parameter that allows us to enable/disable outgoing traffic processing:

process_outgoing_traffic = on/off

Unfortunately, it's not possible to have graphite data for outgoing traffic while not taking any ban actions in case outgoing gets above threshold.

In my case I have a wrapper (net healer) that gets FNM bans as inputs to take decisions. My wrapper ignores all the outgoing bans that FNM spits. There was a situation here where a layer7 attack (HTTP POST) made my /32 prefix outgoing bandwidth increase above threshold, so FNM banned (outgoing) and my wrapper ignored it.

Note: I always use unban timer = 30 seconds.

So I kept receiving outgoing BAN feeds from FNM (and ignoring them) -- because outgoing was above the threshold.

A flag that allows us to disable ban for outgoing (while still processing traffic) will help us a lot here, so we can still have graphite history data, but don't take any ban action in case outgoing is above threshold.

Such as:

Enable/Disable any actions in case of attack (options: on/off/incoming)

enable_ban = incoming

pavel-odintsov commented 7 years ago

Nice idea! I like it!