pavel-odintsov / fastnetmon

FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
https://fastnetmon.com
GNU General Public License v2.0

threshold_mbps is per subnet or per host basis? #676

Closed vishnubraj closed 6 years ago

vishnubraj commented 7 years ago

Hi,

Is the threshold_mbps config and lhr1_threshold_mbps (host group) in /etc/fastnetmon.conf for a subnet or per host (/32)? I am asking because I am using Cisco routers with NetFlow v5, and fastnetmon reports multiple /32 subnets reaching above the threshold, but the total traffic in that particular PoP is not more than the specified threshold. Can you help me understand?

Regards, Vishnu

pavel-odintsov commented 7 years ago

Hello!

It's per host (per /32).

vishnubraj commented 7 years ago

I have the below configuration for pps/mbps in fastnetmon:

ban_for_pps = off
threshold_pps = 2000000
threshold_mbps = 400

threshold_tcp_mbps = 400
threshold_udp_mbps = 400
threshold_icmp_mbps = 400
threshold_tcp_pps = 2000000
threshold_udp_pps = 2000000
threshold_icmp_pps = 2000000
ban_for_tcp_pps = off
ban_for_udp_pps = off
ban_for_icmp_pps = off
lhr1_ban_for_pps = off
lhr1_threshold_pps = 2000000
lhr1_threshold_mbps = 400
ash1_ban_for_pps = off
ash1_threshold_pps = 2000000
ash1_threshold_mbps = 400

But it bans the IP, saying "FastNetMon Guard: IP 217.163.52.4 blocked because incoming attack with power 126614 pps". Also, the traffic for the individual host is not more than 50 Mbps, but the report says it's 565 Mbps. Can you help me check the issue?

IP: 217.163.52.4
Attack type: udp_flood
Initial attack power: 126614 packets per second
Peak attack power: 126614 packets per second
Attack direction: incoming
Attack protocol: udp
Total incoming traffic: 565 mbps
Total outgoing traffic: 0 mbps
Total incoming pps: 126614 packets per second
Total outgoing pps: 0 packets per second
Total incoming flows: 0 flows per second
Total outgoing flows: 0 flows per second
Average incoming traffic: 565 mbps
Average outgoing traffic: 0 mbps
Average incoming pps: 126614 packets per second
Average outgoing pps: 0 packets per second
Average incoming flows: 0 flows per second
Average outgoing flows: 0 flows per second
Incoming ip fragmented traffic: 0 mbps
Outgoing ip fragmented traffic: 0 mbps
Incoming ip fragmented pps: 0 packets per second
Outgoing ip fragmented pps: 0 packets per second
Incoming tcp traffic: 0 mbps
Outgoing tcp traffic: 0 mbps
Incoming tcp pps: 0 packets per second
Outgoing tcp pps: 0 packets per second
Incoming syn tcp traffic: 0 mbps
Outgoing syn tcp traffic: 0 mbps
Incoming syn tcp pps: 0 packets per second
Outgoing syn tcp pps: 0 packets per second
Incoming udp traffic: 565 mbps
Outgoing udp traffic: 0 mbps
Incoming udp pps: 126614 packets per second
Outgoing udp pps: 0 packets per second
Incoming icmp traffic: 0 mbps
Outgoing icmp traffic: 0 mbps
Incoming icmp pps: 0 packets per second
Outgoing icmp pps: 0 packets per second

Average packet size for incoming traffic: 585.1 bytes
Average packet size for outgoing traffic: 0.0 bytes

pavel-odintsov commented 7 years ago

What is your traffic capture method?

vishnubraj commented 7 years ago

It's netflow = on.

pavel-odintsov commented 7 years ago

Probably, you have incorrect configuration for traffic_recalculation_time.

If you could share whole netflow configuration from your device I could suggest best options.

vishnubraj commented 7 years ago

Please find the below configuration.

Router configuration:

ip flow-export source Port-channel1.13
ip flow-export version 5 origin-as
ip flow-export destination 10.0.201.32 9996 vrf core
ip flow-export destination 10.0.201.42 9996 vrf core
interface GigabitEthernet0/1/7
 ip flow ingress
 ip flow egress

FastNetMon configuration:

logging:local_syslog_logging = off
logging:remote_syslog_logging = off
logging:remote_syslog_server = 10.10.10.10
logging:remote_syslog_port = 514
enable_ban = on
process_incoming_traffic = on
process_outgoing_traffic = on
ban_details_records_count = 5000
ban_time = 1900
unban_only_if_attack_finished = on
enable_subnet_counters = off
networks_list_path = /etc/networks_list
white_list_path = /etc/networks_whitelist
check_period = 1
enable_connection_tracking = off
ban_for_pps = off
ban_for_bandwidth = off
ban_for_flows = off
threshold_pps = 2000000
threshold_mbps = 400
threshold_flows = 2000000
threshold_tcp_mbps = 400
threshold_udp_mbps = 400
threshold_icmp_mbps = 400
threshold_tcp_pps = 2000000
threshold_udp_pps = 2000000
threshold_icmp_pps = 2000000
ban_for_tcp_bandwidth = on
ban_for_udp_bandwidth = on
ban_for_icmp_bandwidth = on
ban_for_tcp_pps = off
ban_for_udp_pps = off
ban_for_icmp_pps = off
mirror = off
pfring_sampling_ratio = 1
mirror_netmap = off
mirror_snabbswitch = off
mirror_afpacket = off
interfaces = eth0,eth1
netmap_sampling_ratio = 1
netmap_read_packet_length_from_ip_header = off
pcap = off
netflow = on
sflow = on
enable_pf_ring_zc_mode = off
interfaces = eth0,eth1
average_calculation_time = 5
average_calculation_time_for_subnets = 20
netflow_port = 2055
netflow_host = 0.0.0.0
netflow_divide_counters_on_interval_length = off
sflow_port = 6343
sflow_host = 0.0.0.0
notify_script_path = /usr/local/bin/notify_about_attack.sh
notify_script_pass_details = on
collect_attack_pcap_dumps = off
process_pcap_attack_dumps_with_dpi = off
redis_enabled = off
redis_port = 6379
redis_host = 127.0.0.1
redis_prefix = mydc1
mongodb_enabled = off
mongodb_host = localhost
mongodb_port = 27017
mongodb_database_name = fastnetmon
pfring_hardware_filters_enabled = off
exabgp = off
exabgp_command_pipe = /var/run/exabgp.cmd
exabgp_community = 65001:666
exabgp_next_hop = 10.0.3.114
exabgp_announce_host = on
exabgp_announce_whole_subnet = off
exabgp_flow_spec_announces = off
gobgp = off
gobgp_next_hop = 0.0.0.0
gobgp_announce_host = on
gobgp_announce_whole_subnet = off
graphite = off
graphite_host = 127.0.0.1
graphite_port = 2003
graphite_prefix = fastnetmon
monitor_local_ip_addresses = on
hostgroup = lhr1:199.59.230.0/24,159.100.207.0/24,195.27.11.32/27,217.163.52.0/24,80.239.231.125/27,45.126.245.0/24,147.75.236.0/24
hostgroup = ash1:199.59.226.0/24,4.59.157.16/28,209.48.38.192/27,4.16.156.16/27,185.114.76.0/24
lhr1_enable_ban = on
lhr1_ban_for_pps = off
lhr1_ban_for_bandwidth = on
lhr1_ban_for_flows = off
lhr1_threshold_pps = 2000000
lhr1_threshold_mbps = 400
lhr1_threshold_flows = 2000000
ash1_enable_ban = on
ash1_ban_for_pps = off
ash1_ban_for_bandwidth = on
ash1_ban_for_flows = off
ash1_threshold_pps = 2000000
ash1_threshold_mbps = 400
ash1_threshold_flows = 2000000
pid_path = /var/run/fastnetmon.pid
cli_stats_file_path = /tmp/fastnetmon.dat
enable_api = off
sort_parameter = packets
max_ips_in_list = 7

pavel-odintsov commented 7 years ago

Unfortunately, I do not see active/inactive timeouts. Probably, your vendor does not offer an option to tune them. Please check the documentation or send me NetFlow data for 5-10 minutes.

vishnubraj commented 7 years ago

@pavel-odintsov Can I send the pcap to your email address?

pavel-odintsov commented 7 years ago

pavel.odintsov@gmail.com, please

vishnubraj commented 7 years ago

Just sent a mail.

pavel-odintsov commented 7 years ago

Hello!

Looks nice. I think you could use 30 seconds for traffic_recalculation_time to get reliable results.


-- Sincerely yours, Pavel Odintsov
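An added illustration of the two points made in this thread (not FastNetMon's own code): thresholds are evaluated per /32, and a NetFlow exporter that emits one record per active timeout dumps a whole interval's bytes into a single second, so a short averaging window reads a steady 50 Mbps host as a multi-Gbps burst while a window at least as long as the timeout reads it correctly. The records, the 60-second active timeout and the hostgroup prefix are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed scenario: a host receiving a steady 50 Mbps whose router
# exports one NetFlow v5 record per 60 s active timeout (assumed value),
# so every record carries 60 s worth of bytes, all stamped with the
# second in which it arrived at the collector.
STEADY_MBPS = 50
ACTIVE_TIMEOUT_S = 60
BYTES_PER_EXPORT = STEADY_MBPS * 1_000_000 // 8 * ACTIVE_TIMEOUT_S  # 375 MB

# (collector arrival time in seconds, destination /32, bytes)
RECORDS = [
    (60, "217.163.52.4", BYTES_PER_EXPORT),
    (120, "217.163.52.4", BYTES_PER_EXPORT),
    (120, "217.163.52.10", 1_000_000),  # a quiet neighbour in the same /24
]


def per_host_mbps(records, now, window_s):
    """Average incoming Mbps per /32 over the last window_s seconds.

    This mirrors per-host accounting: every /32 is a separate counter,
    regardless of which hostgroup prefix it falls into.
    """
    totals = defaultdict(int)
    for arrival, ip, nbytes in records:
        if now - window_s < arrival <= now:
            totals[ip_address(ip)] += nbytes
    return {ip: b * 8 / window_s / 1_000_000 for ip, b in totals.items()}


def per_subnet_mbps(records, now, window_s, prefix):
    """Sum of the per-host rates inside one hostgroup prefix (for comparison)."""
    net = ip_network(prefix)
    rates = per_host_mbps(records, now, window_s)
    return sum(m for ip, m in rates.items() if ip in net)


def hosts_over_threshold(records, now, window_s, threshold_mbps):
    """Which /32s would trip a per-host threshold_mbps with this window."""
    rates = per_host_mbps(records, now, window_s)
    return sorted(str(ip) for ip, m in rates.items() if m > threshold_mbps)


if __name__ == "__main__":
    for window in (1, ACTIVE_TIMEOUT_S):
        print(window, "s window:", per_host_mbps(RECORDS, 120, window),
              "over 400 Mbps:", hosts_over_threshold(RECORDS, 120, window, 400))
```

With a 1-second window the 375 MB record reads as 3000 Mbps and the host is flagged; with a 60-second window the same data reads as the true 50 Mbps.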