-
Notifications
You must be signed in to change notification settings - Fork 462
FastNetMon
Thomas Mangin edited this page Nov 15, 2025
·
1 revision
FastNetMon is a high-performance DDoS detection system that can integrate with ExaBGP to automatically deploy FlowSpec rules for attack mitigation. This guide covers how to set up and use FastNetMon with ExaBGP.
- Overview
- Architecture
- Installation
- FastNetMon Configuration
- ExaBGP Configuration
- Attack Detection and Mitigation
- FlowSpec Rule Generation
- Custom Integration Scripts
- Monitoring and Logging
- Best Practices
- Troubleshooting
- See Also
Important: ExaBGP does NOT manipulate the routing table (RIB/FIB). When integrated with FastNetMon, ExaBGP announces FlowSpec rules to BGP routers, which then filter traffic according to the rules. The actual traffic filtering happens at the routers, not on the ExaBGP host.
FastNetMon provides:
- Real-time traffic analysis (using netflow, sflow, or packet capture)
- DDoS attack detection
- Attack pattern recognition
- Traffic statistics
ExaBGP provides:
- FlowSpec rule announcement via BGP
- Dynamic route control
- Integration with existing BGP infrastructure
Together: Automatic DDoS mitigation by detecting attacks (FastNetMon) and deploying FlowSpec blocking rules (ExaBGP).
βββββββββββββββββββββββ
β Network Traffic β
β (Netflow/sFlow) β
ββββββββββββ¬βββββββββββ
β
βΌ
βββββββββββββββββββββββ
β FastNetMon β 1. Detects attack
β (Attack Detection) β 2. Triggers script
ββββββββββββ¬βββββββββββ
β
βΌ
βββββββββββββββββββββββ
β Integration Script β 3. Generates FlowSpec rule
β (Python/Bash) β 4. Sends to ExaBGP API
ββββββββββββ¬βββββββββββ
β
βΌ
βββββββββββββββββββββββ
β ExaBGP β 5. Announces FlowSpec via BGP
ββββββββββββ¬βββββββββββ
β
βΌ
βββββββββββββββββββββββ
β BGP Routers β 6. Apply traffic filtering
β (Cisco/Juniper) β
βββββββββββββββββββββββ
ββββββββββββββββ
β FastNetMon β
β + ExaBGP β
ββββββββ¬ββββββββ
β BGP FlowSpec
β
βββββββββββββββββΌββββββββββββββββ
β β β
ββββββββΌβββββ ββββββββΌβββββ ββββββββΌβββββ
β Router 1 β β Router 2 β β Router 3 β
β (Edge) β β (Edge) β β (Edge) β
βββββββββββββ βββββββββββββ βββββββββββββ
β β β
βββββββββββββββββΌββββββββββββββββ
β
ββββββββΌββββββββ
β Internet β
ββββββββββββββββ
# Ubuntu/Debian
curl https://install.fastnetmon.com/installer -o fastnetmon_installer
sudo bash fastnetmon_installer
# CentOS/RHEL
curl https://install.fastnetmon.com/installer -o fastnetmon_installer
sudo bash fastnetmon_installer# Via pip
pip3 install exabgp
# Or from source
git clone https://github.com/Exa-Networks/exabgp.git
cd exabgp
pip3 install .# Check FastNetMon
fastnetmon --version
# Check ExaBGP
exabgp --version# /etc/fastnetmon.conf
# Network to monitor (your IP ranges)
networks_list_path = /etc/networks_list
# Enable BGP integration
enable_ban_for_tcp_syn_flood = on
enable_ban_for_udp_flood = on
enable_ban_for_icmp_flood = on
# BGP FlowSpec integration
exabgp = on
exabgp_command_pipe = /var/run/exabgp.cmd
exabgp_community = 65001:666
# Attack thresholds
ban_for_pps = off
ban_for_bandwidth = on
threshold_mbps = 1000
# Attack detection
threshold_pps = 20000
threshold_flows = 3500
# Notification script
notify_script_path = /etc/fastnetmon/scripts/notify.sh# /etc/networks_list
# Networks to monitor
198.51.100.0/24
203.0.113.0/24# /etc/fastnetmon.conf
# Enable ExaBGP integration
exabgp = on
# ExaBGP command pipe
exabgp_command_pipe = /var/run/exabgp.cmd
# FlowSpec community tag
exabgp_community = 65001:666
# FlowSpec next-hop
exabgp_next_hop = 192.0.2.1
# FlowSpec announce host
exabgp_flow_spec_announces = on# /etc/exabgp/exabgp.conf
# Process to receive commands from FastNetMon
process fastnetmon {
run /usr/bin/mkfifo /var/run/exabgp.cmd && /bin/cat /var/run/exabgp.cmd;
encoder text;
}
# BGP neighbor (your edge router)
neighbor 192.0.2.1 {
router-id 192.0.2.10;
local-address 192.0.2.10;
local-as 65001;
peer-as 65001;
# FlowSpec capability
family {
ipv4 flow;
ipv6 flow;
}
# API for FastNetMon
api {
processes [ fastnetmon ];
}
}# Create named pipe for FastNetMon -> ExaBGP communication
sudo mkfifo /var/run/exabgp.cmd
sudo chown exabgp:exabgp /var/run/exabgp.cmd
sudo chmod 660 /var/run/exabgp.cmd# /etc/systemd/system/exabgp-pipe.service
[Unit]
Description=ExaBGP Named Pipe
Before=exabgp.service
[Service]
Type=oneshot
ExecStart=/usr/bin/mkfifo -m 660 /var/run/exabgp.cmd
ExecStart=/bin/chown exabgp:exabgp /var/run/exabgp.cmd
RemainAfterExit=yes
[Install]
WantedBy=multi-user.targetFastNetMon continuously analyzes traffic and detects attacks based on:
- PPS (Packets Per Second) thresholds
- Bandwidth thresholds
- Flow count thresholds
- Protocol-specific patterns (SYN flood, UDP flood, etc.)
1. FastNetMon detects attack
β
2. FastNetMon generates FlowSpec rule
β
3. FastNetMon writes rule to /var/run/exabgp.cmd
β
4. ExaBGP reads rule from named pipe
β
5. ExaBGP announces FlowSpec rule via BGP
β
6. Edge routers receive FlowSpec rule
β
7. Edge routers filter attack traffic
Attack detected:
- Target: 198.51.100.50
- Protocol: UDP
- Rate: 15 Gbps
- PPS: 2.5M packets/sec
FastNetMon generates FlowSpec rule:
- Match: destination=198.51.100.50/32, protocol=UDP
- Action: rate-limit 100mbps
ExaBGP announces rule to edge routers
Edge routers rate-limit UDP traffic to 198.51.100.50
When FastNetMon detects an attack, it writes FlowSpec rules to the ExaBGP pipe:
# Example FlowSpec rule sent by FastNetMon
announce flow route {
match {
destination 198.51.100.50/32;
protocol udp;
}
then {
discard;
}
}FastNetMon can generate various FlowSpec actions:
# Discard (drop all matching traffic)
then { discard; }
# Rate-limit (limit to specific bandwidth)
then { rate-limit 9600; } # 9600 bytes/sec
# Redirect to scrubbing center
then { redirect 65001:100; }
# Mark traffic
then { mark 100; }You can customize FlowSpec rules in FastNetMon:
# /etc/fastnetmon/flowspec_templates.conf
# UDP flood template
udp_flood:
match:
- destination: $TARGET_IP/32
- protocol: udp
then:
- rate-limit: 100000
# SYN flood template
syn_flood:
match:
- destination: $TARGET_IP/32
- protocol: tcp
- tcp-flags: syn
then:
- discard
# ICMP flood template
icmp_flood:
match:
- destination: $TARGET_IP/32
- protocol: icmp
then:
- rate-limit: 10000#!/usr/bin/env python3
# /etc/fastnetmon/scripts/exabgp-integration.py
import sys
import os
import json
# Configuration
EXABGP_PIPE = "/var/run/exabgp.cmd"
COMMUNITY = "65001:666"
def send_flowspec_rule(target_ip, protocol, action):
"""Send FlowSpec rule to ExaBGP"""
# Build FlowSpec rule
if protocol == "udp":
rule = f"""announce flow route {{
match {{
destination {target_ip}/32;
protocol udp;
}}
then {{
{action};
}}
}}"""
elif protocol == "tcp_syn":
rule = f"""announce flow route {{
match {{
destination {target_ip}/32;
protocol tcp;
tcp-flags syn;
}}
then {{
{action};
}}
}}"""
elif protocol == "icmp":
rule = f"""announce flow route {{
match {{
destination {target_ip}/32;
protocol icmp;
}}
then {{
{action};
}}
}}"""
else:
rule = f"""announce flow route {{
match {{
destination {target_ip}/32;
}}
then {{
{action};
}}
}}"""
# Write to ExaBGP pipe
try:
with open(EXABGP_PIPE, 'w') as pipe:
pipe.write(rule + "\n")
pipe.flush()
sys.stderr.write(f"FlowSpec rule sent for {target_ip} ({protocol})\n")
return True
except Exception as e:
sys.stderr.write(f"Error sending FlowSpec rule: {e}\n")
return False
def main():
# FastNetMon passes attack data as arguments or environment variables
target_ip = os.environ.get('ATTACK_TARGET_IP', sys.argv[1] if len(sys.argv) > 1 else None)
attack_type = os.environ.get('ATTACK_TYPE', sys.argv[2] if len(sys.argv) > 2 else 'unknown')
attack_power = os.environ.get('ATTACK_POWER', sys.argv[3] if len(sys.argv) > 3 else '0')
if not target_ip:
sys.stderr.write("Error: No target IP specified\n")
sys.exit(1)
# Determine action based on attack power
attack_mbps = int(attack_power) if attack_power.isdigit() else 0
if attack_mbps > 10000:
action = "discard" # Drop all traffic for massive attacks
elif attack_mbps > 1000:
action = "rate-limit 100000" # Rate limit to 100 Mbps
else:
action = "rate-limit 10000" # Rate limit to 10 Mbps
# Send FlowSpec rule
protocol_map = {
'udp_flood': 'udp',
'syn_flood': 'tcp_syn',
'icmp_flood': 'icmp',
}
protocol = protocol_map.get(attack_type, 'unknown')
send_flowspec_rule(target_ip, protocol, action)
# Log attack
sys.stderr.write(f"Attack detected: {target_ip} - {attack_type} - {attack_mbps} Mbps\n")
if __name__ == "__main__":
main()#!/bin/bash
# /etc/fastnetmon/scripts/exabgp-integration.sh
EXABGP_PIPE="/var/run/exabgp.cmd"
TARGET_IP="$1"
ATTACK_TYPE="$2"
ATTACK_POWER="$3"
# Validate input
if [ -z "$TARGET_IP" ]; then
echo "Error: No target IP specified" >&2
exit 1
fi
# Generate FlowSpec rule based on attack type
case "$ATTACK_TYPE" in
udp_flood)
RULE="announce flow route { match { destination ${TARGET_IP}/32; protocol udp; } then { discard; } }"
;;
syn_flood)
RULE="announce flow route { match { destination ${TARGET_IP}/32; protocol tcp; tcp-flags syn; } then { discard; } }"
;;
icmp_flood)
RULE="announce flow route { match { destination ${TARGET_IP}/32; protocol icmp; } then { rate-limit 9600; } }"
;;
*)
RULE="announce flow route { match { destination ${TARGET_IP}/32; } then { discard; } }"
;;
esac
# Send to ExaBGP
echo "$RULE" > "$EXABGP_PIPE"
# Log
echo "$(date): FlowSpec rule sent for $TARGET_IP ($ATTACK_TYPE, $ATTACK_POWER Mbps)" >&2#!/usr/bin/env python3
# /etc/fastnetmon/scripts/exabgp-unban.py
import sys
import os
EXABGP_PIPE = "/var/run/exabgp.cmd"
def withdraw_flowspec_rule(target_ip, protocol):
"""Withdraw FlowSpec rule from ExaBGP"""
if protocol == "udp":
rule = f"""withdraw flow route {{
match {{
destination {target_ip}/32;
protocol udp;
}}
}}"""
elif protocol == "tcp_syn":
rule = f"""withdraw flow route {{
match {{
destination {target_ip}/32;
protocol tcp;
tcp-flags syn;
}}
}}"""
else:
rule = f"""withdraw flow route {{
match {{
destination {target_ip}/32;
}}
}}"""
try:
with open(EXABGP_PIPE, 'w') as pipe:
pipe.write(rule + "\n")
pipe.flush()
sys.stderr.write(f"FlowSpec rule withdrawn for {target_ip}\n")
return True
except Exception as e:
sys.stderr.write(f"Error withdrawing FlowSpec rule: {e}\n")
return False
if __name__ == "__main__":
target_ip = sys.argv[1] if len(sys.argv) > 1 else None
protocol = sys.argv[2] if len(sys.argv) > 2 else "all"
if target_ip:
withdraw_flowspec_rule(target_ip, protocol)# View FastNetMon logs
sudo tail -f /var/log/fastnetmon.log
# Filter for attack detections
sudo tail -f /var/log/fastnetmon.log | grep -i attack
# Filter for BGP/FlowSpec announcements
sudo tail -f /var/log/fastnetmon.log | grep -i "exabgp\|flowspec"# View ExaBGP logs
sudo tail -f /var/log/exabgp/exabgp.log
# Filter for FlowSpec announcements
sudo tail -f /var/log/exabgp/exabgp.log | grep -i "flow\|announce"#!/bin/bash
# /usr/local/bin/monitor-ddos-mitigation.sh
echo "=== DDoS Mitigation Monitor ==="
echo ""
# FastNetMon status
echo "FastNetMon Status:"
systemctl status fastnetmon --no-pager | grep "Active:"
echo ""
# ExaBGP status
echo "ExaBGP Status:"
systemctl status exabgp --no-pager | grep "Active:"
echo ""
# Recent attacks
echo "Recent Attacks (last 10):"
tail -20 /var/log/fastnetmon.log | grep "Attack" | tail -10
echo ""
# Active FlowSpec rules
echo "Active FlowSpec Rules:"
grep "announce flow" /var/log/exabgp/exabgp.log | tail -10
echo ""Verify your routers support FlowSpec:
# Cisco IOS XR
show bgp flow ipv4 unicast summary
# Juniper Junos
show route table inetflow.0# Prefer rate-limiting for small attacks
then { rate-limit 100000; }
# Use discard only for massive attacks
then { discard; }# /etc/fastnetmon.conf
# Avoid false positives
threshold_mbps = 1000 # 1 Gbps
threshold_pps = 20000 # 20K PPS
# Adjust based on your network baseline# /etc/fastnetmon.conf
# Automatically unban after timeout
ban_time = 1900 # 1900 seconds (31 minutes)
# Unban script
unban_script_path = /etc/fastnetmon/scripts/exabgp-unban.py# Review blocked traffic regularly
# Whitelist legitimate high-volume sources# Tag FlowSpec rules with communities
exabgp_community = 65001:666
# Routers can match on community for special handlingSymptoms: FastNetMon detects attacks but ExaBGP doesn't announce FlowSpec rules.
Solutions:
- Check named pipe exists:
ls -la /var/run/exabgp.cmd- Verify ExaBGP is reading from pipe:
tail -f /var/log/exabgp/exabgp.log | grep pipe- Test writing to pipe manually:
echo "announce flow route { match { destination 198.51.100.50/32; } then { discard; } }" > /var/run/exabgp.cmdSymptoms: FlowSpec rules announced but traffic not filtered.
Solutions:
- Verify FlowSpec capability in BGP session:
# Check ExaBGP logs
grep "flow" /var/log/exabgp/exabgp.log- Check router FlowSpec configuration:
# Cisco: Enable FlowSpec
router bgp 65001
address-family ipv4 flowspec
neighbor 192.0.2.10 activate
- Verify FlowSpec rules on router:
show bgp ipv4 flowspec
Symptoms: Legitimate traffic being blocked.
Solutions:
- Increase thresholds:
# /etc/fastnetmon.conf
threshold_mbps = 5000
threshold_pps = 50000- Whitelist IP ranges:
# /etc/fastnetmon_whitelist.conf
198.51.100.0/24
203.0.113.0/24- Use more specific FlowSpec rules:
# Instead of blocking all traffic, rate-limit specific ports
match { destination 198.51.100.50/32; destination-port =80; }- FlowSpec Overview - FlowSpec documentation
- DDoS Mitigation - DDoS mitigation patterns
- API Overview - ExaBGP API documentation
- Match Conditions - FlowSpec match conditions
- Actions Reference - FlowSpec actions
π» Ghost written by Claude (Anthropic AI)
π Home
π Getting Started
π§ API
π‘οΈ Use Cases
π Address Families
βοΈ Configuration
π Operations
π Reference
- Architecture
- BGP State Machine
- Communities (RFC)
- Extended Communities
- BGP Ecosystem
- Capabilities (AFI/SAFI)
- RFC Support
π Migration
π Community
π External
- GitHub Repo β
- Slack β
- Issues β
π» Ghost written by Claude (Anthropic AI)