fastnetmon misreports attack type and protocol #787
Comments
|
Hello! Thank you for detailed report! Unfortunately, attack type detection logic in FastNetMon is extremely basic and does not cover full variety of attack types. In many cases it will be unknown. Protocol detection logic is pretty reliable but it looks only on packets per second: Line 3009 in 50d9706 So, it does not check which thresholds was hit. When it sees more TCP traffic than other traffic types then it decides that this attack is TCP. |
|
Thanks for your quick reply! Are there plans to make it more accurate? |
|
Hello! Sorry, no, we have no plans about it. |
|
If you can explain your needs in details we can check possible options! |
|
The goal is to make the notification emails accurate, so SREs receiving an email from FastNetMon can quickly identify what triggered it. |
|
Hello! Thank you for feedback! I've re-tagged ticket as enhancement and we will check what's our options to make it more reliable. |
If you want to solve your issue please read following information below
First of all, please check following steps:
We're running 1.1.3
None than I can find
If it does not help, please fill information below:
Debian 10
https://github.com/wikimedia/puppet/blob/production/modules/fastnetmon/templates/fastnetmon.conf.erb
Netflow
Then please describe your issue as detailed as possible! Thanks you :)
Fastnetmon report some attack as "Attack type: unknown", "Attack protocol: tcp" while it's for example the ICMP pps threshold that is being hit. And all the other values (eg. TCP pps/bandwidth) are well under the limits.
Eg. "Incoming icmp pps: 2020 packets per second".
Before we bumped the threshold in wikimedia/operations-puppet@e7ad32b
This caused us some confusion as we were looking at TCP traffic only at first, based on the report.
We're tracking the issue in https://phabricator.wikimedia.org/T241374 as well.
Thanks!
The text was updated successfully, but these errors were encountered: