Open source DDoS/DoS monitoring toolkit - FastNetMon
I would like to share my DDoS monitoring toolkit with the community. You can find it on GitHub: https://github.com/FastVPSEestiOu/fastnetmon
It supports Linux (CentOS 5/6, Debian 6/7), FreeBSD 9/10/11 and Mac OS X since Yosemite. It can detect bandwidth, flow and pps (packets per second) spikes that last more than X seconds and trigger an action against the IP that generated the issue (our own IP, not the attacker's IP).
It can use sFlow v5, NetFlow v5/v9 or a port mirror from a switch as the data source. A port mirror is the most accurate but needs enough CPU.
This tool has been used in production for two years and has worked stably enough. It was tested with ~8 Mpps attacks on non-sampled traffic on a Xeon E5-2403 (4 cores) and worked perfectly.
If you have any questions or suggestions, feel free to post them here!
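To make the detection idea in the post concrete (per-host bandwidth, pps and flow rates, with an alert only when the spike lasts more than X seconds, and the action aimed at our own IP rather than the remote one), here is a small added example. It is not FastNetMon's code; it is an illustration written for this page. The prefix 192.0.2.0/24, the threshold values, the `Flow` record layout and the sample traffic are all constructed assumptions, and a real deployment would feed the same logic from sFlow/NetFlow/mirror-port decoding instead of a hand-built list.

```python
"""Added example, not FastNetMon's own code: a minimal per-host spike detector.

It aggregates flow records per second into packets/s, Mbit/s and distinct
flows/s for each *local* host, then alerts only once a metric has stayed above
its threshold for more than `duration` consecutive seconds (the "X seconds" in
the post). Thresholds, the local prefix and the sample traffic are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical "our" prefix: only hosts inside it are candidates for action,
# never the remote side of the traffic.
LOCAL_NET = ip_network("192.0.2.0/24")  # constructed, documentation range


@dataclass(frozen=True)
class Flow:
    ts: int        # second in which the record was observed
    src: str
    dst: str
    sport: int
    dport: int
    packets: int
    bytes: int


@dataclass
class Thresholds:
    pps: int = 1000      # packets per second
    mbps: int = 100      # megabits per second
    flows: int = 500     # distinct 5-tuples per second
    duration: int = 3    # spike must last more than this many seconds


def per_second_stats(flows):
    """Return {second: {local_ip: (pps, mbps, flows)}}, counting traffic in
    both directions against the local host it belongs to."""
    pkts = defaultdict(int)
    bits = defaultdict(int)
    tuples = defaultdict(set)
    for f in flows:
        for ip in (f.src, f.dst):
            if ip_address(ip) in LOCAL_NET:
                key = (f.ts, ip)
                pkts[key] += f.packets
                bits[key] += f.bytes * 8
                tuples[key].add((f.src, f.dst, f.sport, f.dport))
    stats = defaultdict(dict)
    for (ts, ip) in pkts:
        stats[ts][ip] = (pkts[(ts, ip)], bits[(ts, ip)] / 1e6, len(tuples[(ts, ip)]))
    return stats


def detect(flows, th=None):
    """Return [(local_ip, metric, second_triggered)]. An alert fires once per
    (host, metric) when the metric exceeds its limit for more than th.duration
    consecutive seconds; a quiet second resets the streak."""
    th = th or Thresholds()
    stats = per_second_stats(flows)
    if not stats:
        return []
    streak = defaultdict(int)   # (ip, metric) -> consecutive seconds over limit
    fired = set()
    alerts = []
    for ts in range(min(stats), max(stats) + 1):
        seen = set()
        for ip, (pps, mbps, nflows) in stats.get(ts, {}).items():
            checks = (("pps", pps, th.pps), ("mbps", mbps, th.mbps), ("flows", nflows, th.flows))
            for metric, value, limit in checks:
                k = (ip, metric)
                seen.add(k)
                if value > limit:
                    streak[k] += 1
                    if streak[k] > th.duration and k not in fired:
                        fired.add(k)
                        alerts.append((ip, metric, ts))
                else:
                    streak[k] = 0
        for k in streak:            # hosts with no traffic this second lose their streak
            if k not in seen:
                streak[k] = 0
    return alerts


# Constructed sample: 192.0.2.10 receives 1500 pps from 15 remote sources for
# 5 seconds; 192.0.2.20 sees ordinary traffic of 50 pps.
SAMPLE_FLOWS = [
    Flow(ts, f"198.51.100.{i}", "192.0.2.10", 40000 + i, 80, 100, 6000)
    for ts in range(5) for i in range(15)
] + [Flow(ts, "203.0.113.5", "192.0.2.20", 5555, 443, 50, 50000) for ts in range(5)]

if __name__ == "__main__":
    for ip, metric, ts in detect(SAMPLE_FLOWS):
        print(f"second {ts}: {metric} spike on local host {ip}")  # the host we would act on
```

With the sample above the pps streak for 192.0.2.10 reaches 4 at second 3, so that is the only alert; raising the pps limit to 2000 yields none. The bandwidth and flow counters never cross their limits here, which is the point of checking all three: a packet-rate flood can be invisible in bits/s.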