Nerd blog.

01 Jan 2017

AS395089 - Fastnetmon

General AS Information

Hextet Systems (as395089) is a hobby/research ASN that I operate. It operates out of 1 datacenter in downtown Winnipeg (currently). One of the users of the IP space that Hextet Systems advertises via BGP is Coldhak who operates several Tor exit relays. These Tor exit relays attract the occasional retaliatory DDoS attack.

I also operate “IPv6 Tunnels for Nerds” from my routers and route various friends IPv6 space over MikroTik EoIP Tunnels. When DDoS attacks happen this causes the tunnels to become unusable, that is, until I installed Fastnetmon to automate the injection of BGP Blackhole routes to minimize the effects of DDoS attacks on the rest of my system (and my upstreams network).

Fastnetmon community edition

Fastnetmon is a “very fast DDoS analyzer with sflow/netflow/mirror support” (from the fastnetmon github project page).

For my uses it has a bunch of advantages:

  1. Free
  2. Very Fast
  3. Reasonable requirements
  4. Flexible
  5. BGP Support
  6. Vendor Neutral
  7. Works!
  8. ColoClue uses it! (Youtube talk & the slides for that talk: slides)

How Fastnetmon Works

Fastnetmon is able to look at traffic in numerous ways, including:

  • netflow
  • sflow
  • switch mirror port
  • and local packet capture

It is able to react in numerous ways, including:

  • injecting /32 routes into a system using BIRD, exabgp, or gobgp
  • injecting /24 routes into a system using BIRD (useful when only a single upstream is able to scrub for you)
  • running some commands on a MikroTik router using the API

How I’m Using Fastnetmon

I’m using IPFIX and injecting /32 routes into my system using exabgp. These have the 65535:666 standard BLACKHOLE community attached to them.

Blackholing, and then reporting on that blackhole happens automatically. This can involve anything that can be called by a shell script.

Some easy integrations include:

  • Email (built in)
  • SMS via twilio
  • Slack