Open XioNoX opened 4 years ago
Hello!
Thank you for the detailed report! Unfortunately, the attack type detection logic in FastNetMon is extremely basic and does not cover the full variety of attack types. In many cases it will be unknown.
Protocol detection logic is pretty reliable but it looks only at packets per second: https://github.com/pavel-odintsov/fastnetmon/blob/50d9706b0f7ce5ccb3a45b7c69d06b043688de67/src/fastnetmon.cpp#L3009
So, it does not check which threshold was hit. When it sees more TCP traffic than other traffic types, it decides that this attack is TCP.
Thanks for your quick reply! Are there plans to make it more accurate?
Hello!
Sorry, no, we have no plans for it.
If you can explain your needs in detail we can check possible options!
The goal is to make the notification emails accurate, so SREs receiving an email from FastNetMon can quickly identify what triggered it. We worked around the issue for now by rolling back our per-protocol thresholds.
Hello!
Thank you for the feedback! I've re-tagged the ticket as an enhancement and we will check what our options are to make it more reliable.
FastNetMon reports some attacks as "Attack type: unknown", "Attack protocol: tcp" while it's, for example, the ICMP pps threshold that is being hit, and all the other values (e.g. TCP pps/bandwidth) are well under the limits. E.g. "Incoming icmp pps: 2020 packets per second", before we bumped the threshold in https://github.com/wikimedia/puppet/commit/e7ad32b82748a11521551445548a5233528c49c4
This caused us some confusion as we were looking at TCP traffic only at first, based on the report.
We're tracking the issue in https://phabricator.wikimedia.org/T241374 as well.
Thanks!