
Flexible Thresholds and Traffic Rules in FNM Manager

Last updated on Jan 21, 2025


Introduction

FastNetMon includes a "Flexible Thresholds" functionality that allows network administrators to configure specific rules to detect traffic patterns. FNM Manager simplifies the configuration of this functionality, making it easier to create Traffic Rules and customized thresholds for each Hostgroup. This tool is especially useful for identifying and mitigating volumetric attacks, such as those based on amplification protocols (NTP, DNS, DHCP, among others).

Configuring Flexible Thresholds in FNM Manager

The Flexible Thresholds functionality allows users to define up to 10 specific traffic patterns due to resource limitations in FastNetMon. The most commonly used protocols to detect and mitigate volumetric attacks are:

  • DNS (UDP 53)

  • NTP (UDP 123)

  • DHCP (UDP 67 and 68)

  • Chargen (UDP 19)

  • SNMP (UDP 161)

  • Additional protocols like BGP, MT_API, and MT_Winbox.

Steps to Configure Flexible Thresholds:

  1. Settings Configuration:

    • Navigate to Traffic Rules > Advanced Settings.

    • Enable the "Enable Flexible Counters" option to allow customized threshold configuration.

  2. Protocol Selection:

    • In the "Default Amplification Vectors" field, select the relevant protocols. Common examples include DNS, NTP, TFTP, DHCP, Chargen, and SNMP.

  3. Creating Traffic Rules:

    • FNM Manager will automatically create traffic rules for the selected patterns. For example:

      • DNS: UDP 53

      • NTP: UDP 123

      • DHCP: UDP 67 and 68

      • TFTP: UDP 69

      • Chargen: UDP 19

      • SNMP: UDP 161

Configuring Hostgroups

After adding the Traffic Rules, the next step is to configure the customized thresholds for each Hostgroup based on the selected patterns. These thresholds enable more precise and tailored mitigation according to each network segment's requirements.

Recommendations:

  • Set a minimum of 1000 PPS for NTP, DNS, and Chargen, as these are the most common in volumetric attacks.

  • Adjust the Mbps and PPS thresholds based on the typical traffic behavior in the network to avoid false positives.
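To make concrete what the steps above configure (a small set of port-based Traffic Rules, bounded by the 10-rule limit, and a per-Hostgroup PPS/Mbps threshold for each rule), here is an added Python example that evaluates such thresholds over a constructed one-second window of flow records. It is illustrative code written for this page, not FNM Manager's or FastNetMon's own implementation: the matching semantics (a rule matches when either the source or destination port is in its port set, and the counter is attributed to the Hostgroup that contains the destination address), the rule and Hostgroup names, and the sample flows are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

MAX_FLEXIBLE_RULES = 10  # limit stated for FastNetMon flexible thresholds


@dataclass(frozen=True)
class TrafficRule:
    """One flexible-threshold pattern: a transport protocol and a port set."""
    name: str
    protocol: str            # "udp" or "tcp"
    ports: FrozenSet[int]    # assumed: match on source OR destination port

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        return proto == self.protocol and (sport in self.ports or dport in self.ports)


@dataclass
class Hostgroup:
    """A network segment with its own (pps, mbps) threshold per rule name."""
    name: str
    networks: List[ipaddress.IPv4Network]
    thresholds: Dict[str, Tuple[int, float]]

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


def validate_rule_count(rules: List[TrafficRule]) -> List[TrafficRule]:
    """Reject rule sets larger than the FastNetMon limit and duplicate names."""
    if len(rules) > MAX_FLEXIBLE_RULES:
        raise ValueError(f"at most {MAX_FLEXIBLE_RULES} flexible rules are allowed")
    if len({r.name for r in rules}) != len(rules):
        raise ValueError("rule names must be unique")
    return rules


def default_amplification_rules() -> List[TrafficRule]:
    """The port mappings listed in the 'Creating Traffic Rules' step."""
    return validate_rule_count([
        TrafficRule("dns", "udp", frozenset({53})),
        TrafficRule("ntp", "udp", frozenset({123})),
        TrafficRule("dhcp", "udp", frozenset({67, 68})),
        TrafficRule("tftp", "udp", frozenset({69})),
        TrafficRule("chargen", "udp", frozenset({19})),
        TrafficRule("snmp", "udp", frozenset({161})),
    ])


# Hypothetical hostgroups; thresholds follow the page's 1000 PPS recommendation.
HOSTGROUPS = [
    Hostgroup("customers", [ipaddress.ip_network("192.0.2.0/24")],
              {"dns": (1000, 50.0), "ntp": (1000, 50.0), "chargen": (1000, 50.0),
               "dhcp": (500, 10.0)}),
    Hostgroup("servers", [ipaddress.ip_network("198.51.100.0/24")],
              {"dns": (5000, 200.0)}),
]

# Constructed flow records for a 1 s window:
# (src_ip, dst_ip, proto, src_port, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10", "udp", 53, 41000, 3000, 3000 * 1400),   # large DNS replies
    ("203.0.113.9", "198.51.100.53", "udp", 40000, 53, 800, 800 * 80),    # ordinary queries
    ("203.0.113.7", "192.0.2.20", "udp", 123, 51000, 400, 400 * 468),     # modest NTP
    ("203.0.113.8", "192.0.2.30", "tcp", 53, 52000, 5000, 5000 * 60),     # TCP, not UDP 53
    ("203.0.113.8", "10.0.0.1", "udp", 53, 52000, 9000, 9000 * 1400),     # not in any hostgroup
    ("203.0.113.2", "192.0.2.40", "udp", 67, 68, 600, 600 * 300),         # DHCP above 500 pps
]


def evaluate(flows, rules, hostgroups, window_s: float = 1.0):
    """Aggregate per (hostgroup, rule) and return entries exceeding either threshold."""
    counters: Dict[Tuple[str, str], List[int]] = {}
    for _src, dst, proto, sport, dport, pkts, nbytes in flows:
        for hg in hostgroups:
            if not hg.contains(dst):
                continue
            for rule in rules:
                if rule.matches(proto, sport, dport):
                    c = counters.setdefault((hg.name, rule.name), [0, 0])
                    c[0] += pkts
                    c[1] += nbytes
    by_name = {hg.name: hg for hg in hostgroups}
    alerts = []
    for (hg_name, rule_name), (pkts, nbytes) in counters.items():
        limits = by_name[hg_name].thresholds.get(rule_name)
        if limits is None:           # hostgroup has no threshold for this pattern
            continue
        pps = pkts / window_s
        mbps = nbytes * 8 / window_s / 1_000_000
        if pps > limits[0] or mbps > limits[1]:
            alerts.append((hg_name, rule_name, round(pps), round(mbps, 2)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_FLOWS, default_amplification_rules(), HOSTGROUPS):
        print("threshold exceeded:", alert)
```

Only the DNS flow towards the "customers" segment (3000 pps) and the DHCP flow (600 pps against a 500 pps limit) trigger; the TCP flow on port 53, the flow outside every Hostgroup, and the traffic below the per-segment limits do not, which is the false-positive control the recommendations above are about.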

Benefits of Flexible Thresholds

  1. Custom Detection: Identifies specific malicious traffic patterns, such as NTP or DNS amplification attacks.

  2. Efficient Mitigation: Customized thresholds block anomalous traffic before it impacts the network.

  3. Simplified Configuration: FNM Manager automates the creation of traffic rules and thresholds.

  4. Granular Control: Hostgroups allow tailored configurations for each network segment.

Best Practices

  • Select only the most relevant protocols for your network.

  • Adjust the PPS and Mbps thresholds to reflect typical network traffic behavior, avoiding false positives.

  • Use "bgp_flow_spec" if your network supports this functionality for more robust mitigation.