Since Fastnetmon was deployed, we got a few false positives about:
Possible DDoS to 126.96.36.199
188.8.131.52 being WMCS gateway's main IP.
The reason is that something in WMCS is periodically and heavily downloading something from the Internet.
There is nothing wrong with that, but the return traffic is high enough to trigger FNM.
(optional) It might be useful for WMCS to check that this spike is not saturating anything in their infra (just in case).
Then we can either increase the global FNM thresholds (easy) (e.g. https://github.com/wikimedia/puppet/blob/production/modules/fastnetmon/templates/fastnetmon.conf.erb#L52 )
Or (more complex, and it introduces snowflakes) set up custom thresholds for that IP (or any IPs in the WMCS range), see https://github.com/pavel-odintsov/fastnetmon/blob/master/src/fastnetmon.conf#L262
This is probably the better option in the long run, though (e.g. having different thresholds for LVS VIPs vs. regular servers).
Or (less preferred) whitelist that IP (or range) so that it is not monitored (cf. https://github.com/pavel-odintsov/fastnetmon/blob/master/src/fastnetmon.conf#L43 )
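
For comparison, the three options as they would look in fastnetmon.conf. This is an added sketch based on the key names in the upstream sample config linked above, not the contents of the WMF puppet template. The group name wmcs_gateway, the 192.0.2.10/32 address (documentation range) and all numeric values are placeholders.

```ini
# --- Option 1: raise the global thresholds -------------------------------
# Applies to every monitored host, so LVS VIPs and regular servers also
# become less sensitive. Values are constructed placeholders.
threshold_pps = 60000
threshold_mbps = 3000
threshold_flows = 3500

# --- Option 2: per-hostgroup thresholds ----------------------------------
# Only the listed prefixes get the relaxed limits; everything else keeps
# the global ones. Spell out every value for the group rather than
# relying on the global settings.
# "wmcs_gateway" is a hypothetical group name, 192.0.2.10/32 a placeholder.
hostgroup = wmcs_gateway:192.0.2.10/32
wmcs_gateway_enable_ban = on
wmcs_gateway_ban_for_pps = on
wmcs_gateway_ban_for_bandwidth = on
wmcs_gateway_ban_for_flows = off
wmcs_gateway_threshold_pps = 60000
wmcs_gateway_threshold_mbps = 3000
wmcs_gateway_threshold_flows = 3500

# --- Option 3: whitelist --------------------------------------------------
# The file lists one CIDR per line (here it would contain 192.0.2.10/32).
# Whitelisted prefixes are not monitored at all, so a real attack against
# the gateway would no longer raise an alert.
white_list_path = /etc/networks_whitelist
```

With option 2 the gateway is still monitored, only with a higher trip point, which is why it keeps detection coverage that option 3 gives up.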