fastnetmon_flow_spec_fragmentation

In this repo you can find callback which allows you to block fragmnted traffic when FastNetMon detects attack with zero ports

To start please configure FastNetMon API

Then create file /etc/fastnetmon/fastnetmon_flow_spec_fragmentation.conf and put API credentials here:

{
  "api_user": "admin",
  "api_password": "put your password here",
  "api_host":  "127.0.0.1",
  "api_port": 10007
}

Then download binary file of integration and put it to /opt/fastnetmon_flow_spec_fragmentation and set chmod flag for it:

chmod +x /opt/fastnetmon_flow_spec_fragmentation

After that specify it on FastNetMon side as callback script:

sudo fcli set main notify_script_enabled enable
sudo fcli set main notify_script_format json
sudo fcli set main notify_script_path /opt/fastnetmon_flow_spec_fragmentation
sudo fcli commit

Try manually blocking following Flow Spec rule:

sudo fcli set flowspec  '{ "source_prefix": "4.0.0.0/32", "destination_prefix": "127.0.0.0/32", "destination_ports": [ 0 ], "source_ports": [ 0  ], "packet_lengths": [ 1500 ], "protocols": [ "udp" ], "action_type": "rate-limit", "action": { "rate": 1024 } }'

Then check that FastNetMon added supplementary Flow Spec announce:

sudo fcli show flowspec
{"action":{"rate":1024},"action_type":"rate-limit","destination_ports":[0],"destination_prefix":"127.0.0.0/32","packet_lengths":[1500],"protocols":["udp"],"source_ports":[0],"source_prefix":"4.0.0.0/32"} 30314e1f-d122-4f3f-8fcf-8cfbf3f7a427

{"action":{"rate":1024},"action_type":"rate-limit","destination_prefix":"127.0.0.0/32","fragmentation_flags":["is-fragment"],"protocols":["udp"],"source_prefix":"4.0.0.0/32"} c07ec922-76a6-40f0-accb-f7fcca2527c4

Then remove main announce;

sudo fcli delete flowspec 30314e1f-d122-4f3f-8fcf-8cfbf3f7a427

And check that FastNetMon removed supplementary on too.

sudo fcli show flowspec