Version, vendor name, model name and firmware of agent device: Cumulus Linux 4.3.1 running on Edge-Core AS7326-56X
I did not find any previously submitted issues about this particular problem
Description
Outbound IPv6 attacks are detected and acted on in spite of having set process_outgoing_traffic = off in fastnetmon.conf.
The FastNetMon log contains the following (anonymised):
We will log everything on console
[INFO] Logger initialized!
[INFO] Read configuration file
[INFO] We loaded 6 networks from networks file
[INFO] Totally we have 4 IPv4 subnets
[INFO] Totally we have 2 IPv6 subnets
[INFO] Total number of monitored hosts (total size of all networks): 9984
[INFO] We need 7 MB of memory for storing counters for your networks
[INFO] I will allocate 8192 records for subnet <snip> cidr mask: 19
[INFO] I will allocate 1024 records for subnet <snip> cidr mask: 22
[INFO] I will allocate 256 records for subnet <snip> cidr mask: 24
[INFO] I will allocate 512 records for subnet <snip> cidr mask: 23
[INFO] We start total zerofication of counters
[INFO] We finished zerofication
[INFO] We loaded 4 IPv4 subnets to our in-memory list of networks
[INFO] Launch API server
[INFO] API server listening on 127.0.0.1:50052
[INFO] Run banlist cleanup thread, we will awake every 60 seconds
[INFO] sflow: plugin started
[INFO] sflow: We parsed 1 ports for sflow
[INFO] sflow: We will listen on 1 ports
[INFO] sflow: plugin will listen on 0.0.0.0:6346 udp port
[INFO] Default sFlow receive buffer size: 212992 bytes
[INFO] We have detected IPv6 attack for 2001:0db8::0001/128 with packets per second threshold host group: global
[INFO] We run attack block code with following params in: 22352 pps 22 mbps out: 150257 pps 1565 mbps and we decided it's outgoing attack
[INFO] Enabled packet capture for IPv6 2001:0db8::0001
[INFO] We've filled circullar buffer for ip 2001:0db8::0001/128 with 1000 elements in raw_packets_circular_buffer and 1000 elements in parsed_packets_circular_buffer
[INFO] We've collected packets for 2001:0db8::0001/128 in 75.0735 seconds
[INFO] We've got new completely filled bucket with packets for IPv6 2001:0db8::0001/128
[INFO] IPv6 address 2001:0db8::0001/128 was banned
[INFO] Call script for ban client: 2001:0db8::0001
[INFO] Script for ban client is finished: 2001:0db8::0001
[INFO] Subprocess exit code: 0
As you can see, FastNetMon has, quote «decided it's outgoing attack». The notify_about_attack.sh was called with the arguments 2001:0db8::0001 outgoing 150257 ban.
If I run fastnetmon_client --ipv6, I can see that it does process outgoing traffic:
Outgoing traffic 253235 pps 2580 mbps
However, it does not print out any top-N list of IPv6 addresses below this line. It does show this top-N list if I set process_outgoing_traffic = on.
fastnetmon_client (without --ipv4) behaves differently, it simply says there is no outgoing traffic whatsoever:
Outgoing traffic 0 pps 0 mbps 0 flows
There are also no notifications (ban/unban actions) about outbound IPv4 attacks (but if I enable process_outgoing_traffic = on, there are plenty of them since the thresholds are set unrealistically low for testing purposes).
Info requested in the issue template: ghcr.io/pavel-odintsov/fastnetmon-community:latest (image ID 557cf1852ef7, identifies as 1.2.3 master git-fd4f232239fe6e872a6468bdd464f528490bde16).
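Until the IPv6 path honours process_outgoing_traffic, the one place an operator can still enforce the setting is the notification hook itself. The report shows FastNetMon invoking notify_about_attack.sh with the arguments `<ip> <direction> <pps> <action>` (here `2001:0db8::0001 outgoing 150257 ban`). The following guard script is an added example, not FastNetMon's own notify_about_attack.sh: it reads process_outgoing_traffic from the config file (the FASTNETMON_CONF variable and the /etc/fastnetmon.conf default are assumptions) and skips the ban/unban action for any attack FastNetMon classified as outgoing while the option is off, so a misfiring direction check cannot ban one of your own hosts.

```shell
#!/bin/sh
# Added example of a guarded notify_about_attack.sh (not the project's script).
# FastNetMon calls the hook as: notify_about_attack.sh <ip> <direction> <pps> <action>
# e.g. "2001:0db8::0001 outgoing 150257 ban" as seen in the issue log.

# Assumed location of the configuration file; override via FASTNETMON_CONF.
CONF="${FASTNETMON_CONF:-/etc/fastnetmon.conf}"

# Print "off" if the config file sets process_outgoing_traffic = off, else "on".
# Leading whitespace and spaces around "=" are tolerated; commented lines are ignored.
outgoing_enabled() {
    conf="$1"
    if [ -r "$conf" ] && \
       grep -Eq '^[[:space:]]*process_outgoing_traffic[[:space:]]*=[[:space:]]*off' "$conf"; then
        echo off
    else
        echo on
    fi
}

# Decide whether a notification should be acted on.
# Usage: should_act <direction> <outgoing_setting>; returns 0 to act, 1 to skip.
should_act() {
    direction="$1"
    setting="$2"
    if [ "$direction" = "outgoing" ] && [ "$setting" = "off" ]; then
        return 1
    fi
    return 0
}

# Real hook body: act on the notification or record that it was suppressed.
main() {
    ip="$1"; direction="$2"; pps="$3"; action="$4"
    setting=$(outgoing_enabled "$CONF")
    if should_act "$direction" "$setting"; then
        echo "handling: $action $direction attack on $ip at $pps pps"
        # ... site-specific ban/unban handling (BGP announce, firewall rule, ...) goes here
    else
        echo "suppressed: $direction attack on $ip ($pps pps), process_outgoing_traffic is off" >&2
    fi
}

# Stand-alone demonstration with a constructed config file and the arguments
# from the issue log; prints the decision for both settings.
demo() {
    tmpconf=$(mktemp)
    printf 'process_outgoing_traffic = off\n' > "$tmpconf"    # constructed sample config
    FASTNETMON_CONF="$tmpconf" CONF="$tmpconf"
    main 2001:0db8::0001 outgoing 150257 ban
    printf 'process_outgoing_traffic = on\n' > "$tmpconf"
    main 2001:0db8::0001 outgoing 150257 ban
    rm -f "$tmpconf"
}

# With the four FastNetMon arguments act as the hook; otherwise run the demo.
if [ $# -ge 4 ]; then
    main "$@"
else
    demo
fi
```

Install it as the notify script path configured in fastnetmon.conf, and keep the suppressed-attack line in your logs: a stream of "suppressed: outgoing ..." entries is exactly the evidence that the IPv6 direction handling is still ignoring the option.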