Offer ability to specify different thresholds for incoming and outgoing attacks #285
Comments
|
any plans on supporting different thresholds for protocols ? udp/tcp/icmp? |
|
After some code rewrite I will support this too. It's not a big deal ;) Is it effective for mitigation in your practice? |
|
In my scenario where I am basically oferring http and https to the world, I'd love to have a more conservative threshold for tcp, and a much lower and more sensitive threshold for udp, specially on well know amplified ports such as dns/utp/ssdp/etc udp ports. Does that make sense ? |
|
I see it as this. We have global thresholds for pps/bps/fps for all So, do you need any way for detection source of attack detection? I.e. Do On Tuesday, June 16, 2015, Vicente De Luca notifications@github.com wrote:
Sincerely yours, Pavel Odintsov |
|
The global thresholds / protocol thresholds (optional/override) sounds perfect. 2nd question: source of attack its an good info in my case, as well distinguish which protocol the attack vectors is using. Both features allows us to trigger more specific countermeasure policies, giving more granularity to fight againts the DDoS in a less disruptive way. |
|
Roger! 2nd question is much complex. Because very often traffic going spoofed and when we get some traffic flow and try to block it we will block client. Sure, I have some ideas for spoofing mitigation and we could try it in your env. But we will need full forward full BGP table to FastNetMon, it could be an issue sometimes. |
|
Part of this feature is implemented: https://github.com/FastVPSEestiOu/fastnetmon/issues/65 :) |
|
if you can breakdown the same idea for protocols, giving us abilitity to specify different thresholds for tcp/udp/icmp, and group as well, will be more than perfect to cover mostly traffic patterns. |
|
Yep, It could be nice, I like this feature. But I need some refactoring for it.... |
|
Hello, folks! We have implemented per protocol thresholds here: https://github.com/FastVPSEestiOu/fastnetmon/issues/407 This ticket has another name and will alive until we decide what to do with it :) |
|
a simple option like ban_for_outgoing = off might help a lot. |
|
Issue with blocking fixed. Sorry :( |
|
Hello Pavel, |
|
Hello!
Of course you can. FastNetMon checks all thresholds for both direction of
traffic.
It's completely unrelated to flow spec.
|
|
The variables: process_outgoing_traffic, process_incoming_traffic, enable_ban, ban_for_bandwidth, which were enable. And threshold_mbps was set but ban action just applies to incoming traffic. Anything else needs to enable? |
|
You have to explicitly disable processing for incoming traffic if you need only outgoing: |
Thank you. |
|
If you need ban for incoming and outgoing then your configuration is
standard.
FastNetMon works this way by default. You do not need any changes for
proces_xxxx_traffic at all.
FastNetMon will use same thresholds for both directions.
On Sun, 26 May 2019 at 13:24, VanDuy91 ***@***.***> wrote:
You have to explicitly disable processing for incoming traffic if you need
only outgoing:
process_incoming_traffic = off
Thank you.
BTW, we can't ban outgoing and incoming traffic at the same time? It's an
inconvenience if we set process_incoming_traffic = off for incoming traffic
and vice versa.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#285?email_source=notifications&email_token=AAU56ZVV2AJBFKTASEFSXKLPXJ6PZA5CNFSM4BINHF7KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWIEVAI#issuecomment-495995521>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAU56ZU7QIIM2SOJMMANRDDPXJ6PZANCNFSM4BINHF7A>
.
--
Sincerely yours, Pavel Odintsov
|
|
It's work. Thank you. |
|
Advanced version can do different thresholds for incoming and outgoing traffic: https://fastnetmon.com/docs-fnm-advanced/advanced-quick-start/ |
But in some cases we can't detect attack direction correctly.
The text was updated successfully, but these errors were encountered: