pavel-odintsov
commented
4 years ago Hello!
Thank you for detailed report! Unfortunately, attack type detection logic in FastNetMon is extremely basic and does not cover full variety of attack types. In many cases it will be unknown.
Protocol detection logic is pretty reliable but it looks only on packets per second: https://github.com/pavel-odintsov/fastnetmon/blob/50d9706b0f7ce5ccb3a45b7c69d06b043688de67/src/fastnetmon.cpp#L3009
So, it does not check which thresholds was hit. When it sees more TCP traffic than other traffic types then it decides that this attack is TCP.
XioNoX
If you want to solve your issue please read following information below
First of all, please check following steps:
If it does not help, please fill information below:
Then please describe your issue as detailed as possible! Thanks you :)
Fastnetmon report some attack as "Attack type: unknown", "Attack protocol: tcp" while it's for example the ICMP pps threshold that is being hit. And all the other values (eg. TCP pps/bandwidth) are well under the limits. Eg. "Incoming icmp pps: 2020 packets per second". Before we bumped the threshold in https://github.com/wikimedia/puppet/commit/e7ad32b82748a11521551445548a5233528c49c4
This caused us some confusion as we were looking at TCP traffic only at first, based on the report.
We're tracking the issue in https://phabricator.wikimedia.org/T241374 as well.
Thanks!