FastNetMon 使用笔记

FastNetMon 使用笔记

FastNetMon是一个高性能的DoS/DDoS检测工具:
支持多种抓包引擎: netmap, PF_RING, PCAP, AF_PACKET, AF_XDP;;
支持多种流量解析: NetFlow v5, v9, IPFIX, sFLOW v4, v5, Port mirror/SPAN;
支持BGP联动: ExaBGP, GoBGP;
支持黑洞模式 & BGP Flow spec 模式;
支持 Redis, MongoDB, Grafana & InfluxDB 集成;
支持告警联动: 邮件, python, bash script 等;
支持gRPC api;

fastnetmon github
FastNetMon Official site

Download & Install

RPM

CentOS RPM
CentOS-8

wget https://community-downloads.fastnetmon.com/releases/1.1.6/centos/8/fastnetmon-1.1.6-1.el8.x86_64.rpm
rpm -ivh fastnetmon-1.1.6-1.el8.x86_64.rpm

script

wget https://raw.githubusercontent.com/pavel-odintsov/fastnetmon/master/src/fastnetmon_install.pl -Ofastnetmon_install.pl 
sudo perl fastnetmon_install.pl

Configure

/etc/networks_list

配置监控的主机网段CIDR:

222.X.X.X/24

/etc/fastnetmon.conf

攻击检测阈值

根据实际业务流量进行调整:

# Different approaches to attack detection
ban_for_pps = on
ban_for_bandwidth = on
ban_for_flows = off

# Limits for Dos/DDoS attacks
threshold_pps = 1000
threshold_mbps = 50
threshold_flows = 3500

# Per protocol attack thresholds
# We don't implement per protocol flow limits, sorry :(
# These limits should be smaller than global pps/mbps limits

threshold_tcp_mbps = 50
threshold_udp_mbps = 50
threshold_icmp_mbps = 10

threshold_tcp_pps = 10000
threshold_udp_pps = 20000
threshold_icmp_pps = 1000

ban_for_tcp_bandwidth = off
ban_for_udp_bandwidth = off
ban_for_icmp_bandwidth = off

ban_for_tcp_pps = off
ban_for_udp_pps = off
ban_for_icmp_pps = off 

基础配置

启用 mirror 模式并配置收包引擎: mirror_afpacket 或 pcap.

mirror = on 
# mirror_afpacket or pcap
mirror_afpacket = on
pcap = on

配置监控接口, 支持多个接口:

interfaces = eth3

启用连接跟踪:

enable_connection_tracking = on

禁用监控本地接口地址:

monitor_local_ip_addresses = off

配置监控主机数目:

max_ips_in_list = 32

fastnetmon

/opt/fastnetmon/fastnetmon

or

systemctl restart fastnetmon

fastnetmon_client

Reference

Documentation FastNetMon Advanced
FastNetMon Advanced configuration options
Comparing Ring-buffer–based Packet capture solutions