4 comments

[ 2.6 ms ] story [ 23.0 ms ] thread
Thank you for sharing! I'm one of the FastNetMon authors and I will be happy to answer any questions about it.
Hello! What kind of strategies do you use to detect false positives? What advice would you give to avoid them?
Thank you for great question! Unfortunately, false positive alerts are pretty common problem. FastNetMon is threshold / baseline based DDoS detection engine and it requires pretty careful baseline calculation.

Typically, we recommend enabling InfluxDB metrics export for ~1 week (to cover peak times in your region), you can do it this way: https://fastnetmon.com/docs/influxdb_integration/

After that, you can make query to detect peak traffic for packets per second, bytes per second and flow per second metrics. Then you can multiply these value to 2-3 (depends on your capacity) and use as baseline.

Also, it's very good to known limits of your network. For example, if you know that router cannot handle more than 1M packets per second then you need to set threshold way before it. And most important thing is mount of spare capacity from your upstream. If you have only 10G of external capacity utilised up to 90% then your baseline should not exceed amount of your spare capacity.

FastNetMon is a life saver. First installed it when there was no paid / advanced version just to blackhole hosts under attack. Then negotiated with our upstream provider to have BGP Flowspec support e.g. block specific types of traffic.

Back then, UDP Amplification attacks were scariest of them all and FastNetMon was able to send Flowspec announcements to our upstream to block, for instance, traffic to UDP/53 port, which kept the host alive most of the times.