
Introduction:
In an era where network infrastructure faces increasingly sophisticated distributed denial-of-service (DDoS) attacks and BGP routing anomalies, security teams require tools that offer both granular visibility and rapid response capabilities. The recent launch of Netomics—an advanced AS-SET lookup and BGP intelligence platform—alongside FastNetMon LiveView, a real-time web interface for DDoS detection and network analytics, marks a significant step forward in operational network security. These complementary solutions empower network operators to move from reactive troubleshooting to proactive threat hunting, providing unified dashboards, historical attack analysis, and streamlined configuration management.
Learning Objectives:
- Understand how Netomics enables rapid AS-SET enumeration, BGP origin validation, and IP-to-ASN mapping for enhanced network intelligence.
- Master the deployment and configuration of FastNetMon LiveView to gain real-time traffic visibility, DDoS event tracking, and web-based operational control.
- Learn to implement DDoS mitigation strategies, configure detection thresholds, and integrate alerting mechanisms using LiveView’s management interface.
- Explore best practices for securing BGP sessions, validating route origins, and using AS-SET data to prevent route leaks and hijacks.
- Acquire hands-on skills in deploying network monitoring tools on Linux and Windows environments, including command-line utilities for traffic analysis and system hardening.
1. Netomics: Unlocking BGP and AS-SET Intelligence
Netomics is a powerful web-based tool designed to simplify the exploration of BGP routing data, specifically focusing on AS-SET memberships. AS-SETs are objects in the Routing Policy Specification Language (RPSL) that group multiple autonomous systems (ASNs) for routing policy purposes. Understanding AS-SET hierarchies is critical for network engineers to validate route announcements, detect anomalies, and prevent prefix hijacking.
Step‑by‑step guide: Using Netomics for BGP Security Auditing
- Perform an ASN Lookup: Navigate to Netomics and enter an ASN (e.g., `15169` for Google) or an AS-SET name (e.g., `AS-GOOGLE`). The tool will return a list of all member ASNs, child sets, and parent sets that include the queried ASN.
- Validate IP Origin: Enter an IP address (e.g., `8.8.8.8` or `2001:4860::1`) to discover the origin ASN via BGP, then view all AS-SET memberships associated with that ASN. This is invaluable for verifying that an IP prefix is indeed announced by the expected autonomous system.
- Enable Partial Match for Substring Searches: Use the partial match checkbox to perform substring searches across all AS-SET names. For example, searching `GOOGLE` will return `AS-GOOGLE`, `AS-GOOGLE-CLOUD`, and related sets. This helps in identifying all routing objects belonging to a specific organization.
- Integrate with BGP Monitoring Tools: Combine Netomics data with BGP looking glasses (e.g., `bgp.he.net`) to cross-validate route announcements. If you detect an ASN advertising a prefix not listed in its AS-SET, it may indicate a route leak or hijack attempt.
- Automate AS-SET Monitoring: Use Netomics’ API (if available) or scrape results periodically to build a baseline of expected AS-SET memberships. Alert on deviations using a SIEM or custom scripts.
Linux Command Example – BGP Origin Validation:
```bash
# Use whois to retrieve AS-SET information for a specific ASN
whois -h whois.radb.net AS15169 | grep -i "as-set"
# Query BGP route origin using bgp.tools or similar CLI tool
curl -s "https://api.bgp.tools/prefix/8.8.8.8" | jq '.origin'
```
Windows PowerShell Equivalent:
```powershell
# Using Invoke-WebRequest to query BGP API
$response = Invoke-WebRequest -Uri "https://api.bgp.tools/prefix/8.8.8.8"
$response.Content | ConvertFrom-Json | Select-Object -ExpandProperty origin
```
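As an added example (not part of the original post, and not code from Netomics or any registry), this Python script implements the "build a baseline and alert on deviations" step: it parses RPSL `as-set` objects in the format `whois -h whois.radb.net` returns, expands the set hierarchy down to plain ASNs, and reports members that appeared or disappeared since the saved baseline. The RPSL text, set names and ASNs are constructed sample data.

```python
import re

# Constructed sample whois output (illustrative set names and ASNs, not real
# registry objects): the saved baseline and what the registry returns now.
BASELINE_RPSL = """\
as-set:     AS-EXAMPLE
members:    AS64500, AS64501
members:    AS-EXAMPLE-CUSTOMERS

as-set:     AS-EXAMPLE-CUSTOMERS
members:    AS64510, AS64511
"""
SNAPSHOT_RPSL = (BASELINE_RPSL.replace("AS64500, AS64501", "AS64500, AS64501, AS64999")
                 .replace("AS64510, AS64511", "AS64510"))

def parse_as_sets(text):
    """Return {set_name: {members}} from RPSL objects separated by blank lines."""
    sets = {}
    for obj in re.split(r"\n\s*\n", text.strip()):
        name, members = None, set()
        for line in obj.splitlines():
            key, _, value = line.partition(":")  # first colon only: AS64500:AS-X stays intact
            key, value = key.strip().lower(), value.strip().upper()
            if key == "as-set":
                name = value
            elif key == "members":  # attribute may repeat; values are comma-separated
                members.update(m.strip() for m in value.split(",") if m.strip())
        if name:
            sets[name] = members
    return sets

def expand(sets, name, seen=None):
    """Resolve an as-set to plain ASNs recursively; `seen` guards against cycles."""
    seen = set() if seen is None else seen
    asns = set()
    for member in sets.get(name, ()):
        if "AS-" in member:  # nested set, flat (AS-X) or hierarchical (AS64500:AS-X)
            if member not in seen:
                seen.add(member)
                asns |= expand(sets, member, seen)
        else:
            asns.add(member)
    return asns

def diff_baseline(baseline_text, snapshot_text, root):
    """Return (added, removed) ASNs of `root` versus the saved baseline."""
    before = expand(parse_as_sets(baseline_text), root)
    after = expand(parse_as_sets(snapshot_text), root)
    return sorted(after - before), sorted(before - after)
```

A non-empty result from `diff_baseline` is the event to forward to the SIEM; an ASN that was removed from a provider's set while still originating its prefixes is exactly the mismatch the previous step describes.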
2. FastNetMon LiveView: Real-Time DDoS Visibility and Control
FastNetMon LiveView is a browser-based web interface add-on for the FastNetMon platform, providing unified visibility into real-time traffic analytics, DDoS events, and system configuration. It is designed to reduce the time from signal detection to incident response, allowing network operators to monitor traffic patterns, spot anomalies, and manage mitigation actions from a single pane of glass.
Step‑by‑step guide: Deploying and Configuring FastNetMon LiveView
- Installation and Licensing: Purchase a LiveView license (available as a paid add-on at $70/user/month or $720/user/year). Follow the official documentation to install the add-on on your existing FastNetMon instance. Ensure your system meets the prerequisites (e.g., Python 3.8+, Redis, and a modern web browser).
- Initial Access and Dashboard Overview: After installation, access LiveView via `https://your-fastnetmon-ip:8000`. Log in with administrative credentials. The main dashboard displays total traffic overview, network traffic reports, host-level visibility, and ASN-level analysis.
- Configure Detection Thresholds: Navigate to the configuration section to set per-host or per-ASN thresholds for traffic anomalies. For example, set a threshold of 1 Gbps for inbound traffic to trigger a DDoS alert. LiveView allows you to manage these settings without editing configuration files manually.
- Set Up Notifications and Mitigation Actions: Define notification channels (email, Slack, PagerDuty) and mitigation actions (e.g., BGP blackholing, RTBH, or ACL-based filtering). LiveView’s web interface simplifies the creation of these policies, reducing the risk of misconfiguration.
- Monitor Active and Historical DDoS Events: Use the DDoS events panel to review ongoing attacks, analyze historical patterns, and export reports for post-incident analysis. This feature is critical for improving incident response and maintaining operational awareness.
- Manage User Access and Roles: Create user accounts with role-based access control (RBAC) to ensure that only authorized personnel can modify critical settings or view sensitive data. This is essential for compliance and team collaboration.
Linux Command – Integrating FastNetMon with BGP for Mitigation:
Configure FastNetMon to trigger BGP blackholing upon attack detection. Edit `/etc/fastnetmon.conf` and set:

```ini
bgp_flow_spec = on
bgp_blackhole_community = 65535:666
```

Then restart the service and verify the BGP session:

```bash
# Restart FastNetMon service
sudo systemctl restart fastnetmon
# Verify BGP session status
sudo birdc show protocols | grep fastnetmon
```
Windows Command (if using Windows Subsystem for Linux or native tools):
For WSL, similar Linux commands apply. To check FastNetMon service status from PowerShell:

```powershell
wsl sudo systemctl status fastnetmon
```
3. DDoS Mitigation Strategies: From Detection to Response
Effective DDoS mitigation requires a multi-layered approach combining real-time detection, automated response, and manual intervention. FastNetMon LiveView provides the visibility needed to make informed decisions during an attack.
Step‑by‑step guide: Implementing a DDoS Response Workflow
- Detection: Use LiveView’s real-time dashboards to identify sudden spikes in traffic, unusual packet rates, or specific attack patterns (e.g., SYN floods, UDP amplification). The system can alert you automatically based on configured thresholds.
- Verification: Before triggering mitigation, verify that the anomaly is indeed an attack and not a legitimate traffic surge (e.g., flash crowd). Check top talkers and traffic breakdowns in LiveView to distinguish between malicious and benign sources.
- Mitigation: If confirmed as an attack, initiate BGP blackholing or flow specification rules. LiveView allows you to trigger these actions directly from the web interface. Alternatively, use the FastNetMon CLI or API for automated responses.
- Post-Attack Analysis: After the attack subsides, review historical DDoS events in LiveView to understand the attack vectors, durations, and sources. This data is invaluable for tuning thresholds and improving future defenses.
- Reporting: Generate reports for stakeholders, including management and security teams, to demonstrate the effectiveness of your mitigation efforts and justify further investments.
Linux Command – Manual BGP Blackholing:
```bash
# Using BIRD to blackhole a malicious IP (<malicious_ip> is a placeholder)
sudo birdc configure
sudo birdc show route | grep <malicious_ip>
# Add a blackhole route (example); this is a local kernel route. To announce it
# to peers, add a static blackhole route in bird.conf and reload with `birdc configure`.
sudo ip route add blackhole <malicious_ip>/32
```
Windows Command – Using Windows Firewall to Block an IP:
```powershell
# Block an IP address using Windows Defender Firewall (<malicious_ip> is a placeholder)
New-NetFirewallRule -DisplayName "BlockMaliciousIP" -Direction Inbound -Action Block -RemoteAddress <malicious_ip>
```
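The detection and verification steps of this workflow, as an added example that is not part of the original post or of FastNetMon: sampled flow records are scaled back to line rate per destination host, hosts over the 1 Gbps inbound threshold from section 2 are flagged, and each alert carries the top talkers, source count and dominant port an operator needs before choosing to blackhole. The flow records, addresses and volumes are constructed sample data.

```python
from collections import defaultdict

# Constructed sample of sampled flow records (1:1000 packet sampling over a
# 10-second window), shaped like what a flow-based sensor sees. Fields:
# (dst_ip, src_ip, proto, dst_port, bytes, packets). All values are illustrative.
SAMPLE_RATE = 1000
WINDOW_SECONDS = 10
THRESHOLD_BPS = 1_000_000_000  # the 1 Gbps inbound threshold configured in LiveView

# 900 sampled 1400-byte UDP packets from 20 sources to one host, plus ordinary
# HTTPS traffic to another host that must not be flagged.
FLOWS = [("203.0.113.10", f"198.51.100.{i % 20}", "udp", 123, 1400, 1) for i in range(900)]
FLOWS += [("203.0.113.20", f"192.0.2.{i}", "tcp", 443, 1400, 1) for i in range(50)]

def per_host_rates(flows, sample_rate=SAMPLE_RATE, window=WINDOW_SECONDS):
    """Scale sampled records back to line rate and aggregate per destination host."""
    hosts = defaultdict(lambda: {"bytes": 0, "packets": 0,
                                 "sources": defaultdict(int), "ports": defaultdict(int)})
    for dst, src, proto, port, nbytes, pkts in flows:
        h = hosts[dst]
        h["bytes"] += nbytes * sample_rate
        h["packets"] += pkts * sample_rate
        h["sources"][src] += nbytes * sample_rate
        h["ports"][(proto, port)] += nbytes * sample_rate
    return {dst: {"bps": h["bytes"] * 8 / window, "pps": h["packets"] / window,
                  "sources": h["sources"], "ports": h["ports"]} for dst, h in hosts.items()}

def detect(flows, threshold_bps=THRESHOLD_BPS):
    """Flag hosts over the inbound threshold and attach the breakdown the
    verification step needs (top talkers, distinct source count, dominant port)."""
    alerts = []
    for host, r in per_host_rates(flows).items():
        if r["bps"] < threshold_bps:
            continue
        top_sources = sorted(r["sources"].items(), key=lambda kv: kv[1], reverse=True)[:3]
        top_port = max(r["ports"].items(), key=lambda kv: kv[1])[0]
        alerts.append({
            "host": host,
            "gbps": round(r["bps"] / 1e9, 2),
            "pps": r["pps"],
            "distinct_sources": len(r["sources"]),
            "top_sources": [src for src, _ in top_sources],
            "top_port": top_port,
        })
    return alerts
```

The alert deliberately stops short of mitigation: a high `distinct_sources` count with a single dominant port and uniform packet size looks different from a flash crowd, and that judgement is the verification step before any blackhole is announced.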
4. BGP Security and Route Validation
BGP remains one of the most vulnerable protocols in the internet infrastructure. Route leaks and prefix hijacks can cause widespread outages and data interception. Netomics and FastNetMon together provide a robust framework for BGP security monitoring.
Step‑by‑step guide: Hardening BGP Sessions
- Implement RPKI (Resource Public Key Infrastructure): Use RPKI to validate the origin of BGP routes. Ensure your router is configured to reject invalid routes based on ROV (Route Origin Validation).
- Leverage AS-SET Data: Use Netomics to regularly audit AS-SET memberships and ensure that your upstream providers and peers are announcing only the prefixes they are authorized to advertise.
- Monitor BGP Announcements: Use FastNetMon to monitor BGP updates in real-time. Alert on unexpected prefix announcements from your peers or providers.
- Apply BGP Filters: Configure prefix filters on your router to accept only routes that match your expected prefix list. Use AS path filters to restrict routes from unauthorized ASNs.
- Conduct Regular BGP Audits: Schedule monthly audits using Netomics to review your AS-SET and ensure all prefixes are correctly attributed.
Linux Command – Checking BGP Session Status:
```bash
# For BIRD
sudo birdc show protocols all
# For Quagga/FRR
sudo vtysh -c "show ip bgp summary"
```
Windows Command (using WSL or SSH to router):
```powershell
# SSH to your router and run BGP commands
ssh admin@router "show ip bgp summary"
```
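The ROV, prefix-filter and AS-path-filter steps above, carried through in Python as an added example (not part of the original post, and not the logic of any router or RPKI validator): `rov_state` classifies a route against a ROA table the way RFC 6811 does, and `evaluate` applies the three checks in order and says which one rejected the route. The ROA table, prefixes and ASNs are constructed sample values; in practice the table comes from your validator's VRP export.

```python
import ipaddress

# Constructed ROA table (prefix, max_length, origin ASN); illustrative values,
# not real ROAs.
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
    ("2001:db8::/32", 48, 64500),
]

def _covered_by(route, prefix):
    """True if `route` lies within `prefix` (same address family only)."""
    net = ipaddress.ip_network(prefix)
    return net.version == route.version and route.subnet_of(net)

def rov_state(prefix, origin_asn, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'.
    Valid: some covering ROA names this origin AS and permits this prefix length.
    Invalid: covered by ROAs but matching none. Not-found: no ROA covers it."""
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        if not _covered_by(route, roa_prefix):
            continue
        covered = True
        if route.prefixlen <= max_len and roa_asn == origin_asn:
            return "valid"
    return "invalid" if covered else "not-found"

def evaluate(prefix, as_path, expected_prefixes, allowed_origins, roas=ROAS):
    """Apply the hardening steps in order: drop ROV-invalid routes, then enforce the
    prefix filter and the AS-path (origin) filter. Returns (action, reason)."""
    origin = as_path[-1]  # rightmost ASN in the path is the originator
    state = rov_state(prefix, origin, roas)
    if state == "invalid":
        return "reject", "rov-invalid"
    route = ipaddress.ip_network(prefix, strict=False)
    if not any(_covered_by(route, p) for p in expected_prefixes):
        return "reject", "prefix-filter"
    if origin not in allowed_origins:
        return "reject", "as-path-filter"
    return "accept", state
```

Note that a `not-found` route still passes ROV; only the explicit prefix and origin filters stop it, which is why the audit of AS-SET data in the previous steps matters even after RPKI is deployed.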
5. Integrating Network Monitoring with SIEM and Automation
To achieve comprehensive security visibility, integrate FastNetMon LiveView with your SIEM (Security Information and Event Management) system and automation frameworks.
Step‑by‑step guide: SIEM Integration and Automation
- Enable Syslog or API Export: Configure FastNetMon to export DDoS events and traffic anomalies via syslog or REST API. This allows your SIEM to ingest and correlate network data with other security logs.
- Create Correlation Rules: In your SIEM, create rules that correlate FastNetMon alerts with firewall logs, IDS/IPS alerts, and authentication events to identify multi-vector attacks.
- Automate Response with Playbooks: Use SOAR (Security Orchestration, Automation, and Response) tools to create playbooks that automatically trigger mitigation actions when certain attack conditions are met. For example, upon a high-severity DDoS alert, automatically activate BGP blackholing and notify the on-call engineer via PagerDuty.
- Dashboard and Reporting: Leverage LiveView’s built-in dashboards for quick operational visibility, while using your SIEM for long-term trend analysis and compliance reporting.
Linux Command – Sending Syslog to a Remote Server:
```bash
# Configure rsyslog to forward FastNetMon logs to the SIEM.
# Rule format is facility.severity @host:port; '*.*' forwards everything,
# a single '@' sends over UDP and '@@' over TCP. <SIEM_IP> is a placeholder.
echo '*.* @<SIEM_IP>:514' | sudo tee -a /etc/rsyslog.conf
sudo systemctl restart rsyslog
```
Windows Command – Configuring Event Forwarding:
```powershell
# Configure Windows Event Forwarding for FastNetMon logs (if running on Windows)
wevtutil set-log "FastNetMon" /enabled:true /retention:false /maxsize:1024000
```
6. Performance Tuning and Scalability
As network traffic grows, ensuring that FastNetMon and its LiveView interface remain performant is crucial.
Step‑by‑step guide: Tuning for High Throughput
- Optimize Packet Capture: Use PF_RING or DPDK for high-speed packet capture on Linux. Configure FastNetMon to use these drivers for improved performance.
- Scale Horizontally: Deploy FastNetMon sensors across multiple network segments and aggregate data in a central LiveView instance. Use load balancers to distribute traffic to multiple sensors.
- Database Optimization: If using a database for historical data, ensure it is properly indexed and that retention policies are set to avoid performance degradation.
- Monitor System Resources: Use tools like `htop`, `nmon`, or `perf` to monitor CPU, memory, and network utilization. Adjust detection thresholds and sampling rates to balance accuracy and performance.
- Regular Updates: Keep FastNetMon and LiveView updated to the latest versions to benefit from performance improvements and security patches.
Linux Command – Monitoring System Performance:
```bash
# Install and run htop
sudo apt install htop -y
htop
# Check network interface statistics
sudo iftop -i eth0
```
Windows Command – Performance Monitoring:
```powershell
# Get network adapter performance counters (the '*' instance selects all adapters)
Get-Counter -Counter "\Network Interface(*)\Bytes Total/sec"
# Monitor CPU usage
Get-Counter -Counter "\Processor(_Total)\% Processor Time"
```
What Undercode Say:
- Key Takeaway 1: Netomics and FastNetMon LiveView represent a powerful combination for network security—Netomics provides the intelligence layer for BGP and AS-SET analysis, while LiveView offers real-time visibility and control over DDoS threats. Together, they enable a proactive security posture that reduces mean time to detection (MTTD) and mean time to response (MTTR).
- Key Takeaway 2: The shift from command-line-only tools to web-based interfaces like LiveView democratizes network security, allowing broader teams (including non-engineers) to participate in incident response. This improves communication during crises and ensures that critical insights are not siloed within a few specialists.
The launch of these products highlights a growing trend in the cybersecurity industry: the convergence of network intelligence, real-time monitoring, and user-friendly management interfaces. By leveraging BGP data and AS-SET hierarchies, organizations can better understand their routing posture and detect anomalies early. LiveView’s emphasis on shared visibility and simplified operations addresses a long-standing pain point for network operators—the need to balance deep technical capability with accessibility. As DDoS attacks become more frequent and sophisticated, tools that combine high-performance telemetry with intuitive dashboards will be essential for maintaining service availability and trust.
Prediction:
- +1 The integration of AI-driven anomaly detection into platforms like FastNetMon LiveView will likely emerge within the next 12–18 months, enabling predictive threat identification and automated mitigation tuning based on historical attack patterns.
- +1 The adoption of BGP security tools like Netomics will accelerate as more organizations recognize the financial and reputational risks of route leaks and hijacks, driving demand for continuous AS-SET validation and RPKI deployment.
- -1 The increasing complexity of network environments and the proliferation of IoT devices may outpace the scalability of current monitoring solutions, necessitating further innovations in distributed telemetry and edge-based threat detection.
- +1 LiveView’s web-based architecture will facilitate remote and hybrid work models, allowing security teams to manage network incidents from anywhere, which is critical in today’s distributed workforce landscape.
- -1 Without proper training and change management, the introduction of new tools like LiveView could lead to over-reliance on automation, potentially blinding operators to subtle attack vectors that require human intuition to detect.
Reported By: Podintsov It – Hackers Feeds