Open source DDoS/DoS monitoring toolkit - FastNetMon

Hello, folks!

I would like to share my DDoS monitoring toolkit with the community. You can find it on GitHub: https://github.com/FastVPSEestiOu/fastnetmon

It supports Linux (CentOS 5/6, Debian 6/7), FreeBSD 9/10/11 and Mac OS X since Yosemite. It provides the ability to detect bandwidth, flow and pps (packets per second) spikes which last more than X seconds and to trigger an action against the IP which generated this issue (our own IP, not an attacker's IP).

It can use sFlow v5, NetFlow v5/v9 and a port mirror from a switch as the data source. Port mirror is the most accurate but needs enough CPU.

This tool has been used in production for two years and has worked stably enough. It was tested with ~8 Mpps attacks on non-sampled traffic on a Xeon E5-2403 (4 cores) and worked perfectly.

If you have any questions or suggestions, feel free to post them here!

Thank you!

Thanked by (2): dcc, aglodek
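The detection rule the post describes (a bandwidth, flow or pps threshold that must hold for more than X seconds before an action is taken against our own IP) as an added example. This is illustrative Python, not FastNetMon's code; the address prefix, thresholds and sample packet records are constructed, and the blackhole route is shown only as the action a handler script would emit.

```python
from collections import defaultdict, namedtuple

OUR_PREFIXES = ("10.0.0.",)   # constructed: "our" address space, the side we act on
Thresholds = namedtuple("Thresholds", "pps mbps flows")   # per-host limits per one-second bucket

def per_second_stats(records):
    # records: (second, src, dst, bytes) -> {our_ip: {second: [packets, bytes, {flow keys}]}}
    stats = defaultdict(lambda: defaultdict(lambda: [0, 0, set()]))
    for sec, src, dst, size in records:
        ours = [ip for ip in (dst, src) if ip.startswith(OUR_PREFIXES)]
        if not ours:          # transit traffic that is not ours is ignored
            continue
        bucket = stats[ours[0]][sec]
        bucket[0] += 1
        bucket[1] += size
        bucket[2].add((src, dst))   # crude flow key; sFlow/NetFlow would carry real flow records
    return stats

def exceeded(packets, nbytes, flows, th):
    # name of the first threshold exceeded in this bucket, or None
    if packets > th.pps:
        return "pps"
    if nbytes * 8 / 1_000_000 > th.mbps:
        return "mbps"
    return "flows" if len(flows) > th.flows else None

def detect(records, th, hold_seconds):
    # report our IPs that stay over a threshold for hold_seconds consecutive seconds
    alerts = {}
    for ip, per_sec in per_second_stats(records).items():
        run = 0
        for sec in range(min(per_sec), max(per_sec) + 1):   # an empty second resets the run
            reason = exceeded(*per_sec.get(sec, (0, 0, set())), th)
            run = run + 1 if reason else 0
            if run >= hold_seconds:
                alerts[ip] = reason
                break
    return alerts

def nullroute_command(ip):
    # action hook: the blackhole route a handler script would install for the attacked IP
    return f"ip route add blackhole {ip}/32"

def constructed_samples():
    # synthetic samples: 5 s flood at 10.0.0.5, 2 s spike at 10.0.0.7, normal traffic at 10.0.0.9
    recs = [(s, f"198.51.100.{i % 200}", "10.0.0.5", 60) for s in range(5) for i in range(150)]
    recs += [(s, "203.0.113.9", "10.0.0.7", 60) for s in range(2) for _ in range(150)]
    recs += [(s, "203.0.113.1", "10.0.0.9", 1400) for s in range(5) for _ in range(20)]
    return recs
```

Running `detect(constructed_samples(), Thresholds(100, 10, 50), 3)` reports only 10.0.0.5: the two-second spike at 10.0.0.7 never satisfies the hold time, which is what keeps short bursts from blackholing a customer.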

Comments

  • Is it a tool to nullroute attacks or to mitigate attacks?

    Thanked by (1): Pavel_Odintsov
  • It can trigger a nullroute, right. But you can process the attack details generated by FastNetMon and block a specific remote host, packet type or even protocol.

  • I just want to find out how effective this could be in terms of http floods, but it seems more like a solution for high-bandwidth/pps attacks.

  • jmginerjmginer Member, Patron Provider

    Seems interesting, I will check.

    Thanked by (1): Pavel_Odintsov
  • jmginerjmginer Member, Patron Provider

    Is it possible to add multiple source routers to the monitor?

  • I think it will be useless in the case of a slow HTTP flood :( But it's very effective against TCP PSH flood, UDP amplification and SYN flood.

    @tr1cky said:
    I just want to find out how effective this could be in terms of http floods, but it seems more like a solution for high-bandwidth/pps attacks.

  • Yep, it's possible. You can collect data from multiple mirroring interfaces, multiple sflow streams and multiple netflow streams simultaneously.

    @jmginer said:
    Is possible to add multiple source routers to the monitor?

    Thanked by (1): jmginer
  • @tr1cky said:
    I just want to find out how effective this could be in terms of http floods, but it seems more like a solution for high-bandwidth/pps attacks.

    If you can't specify the appropriate level for triggers in this software, a more generic tool like nfdump combined with some additional scripting could be used to find just about anything you want.

  • I'm not sure about the usefulness of sFlow/NetFlow for HTTP flood analysis because it's application layer and we need to do deep packet inspection/parsing for every packet. From my point of view a reverse proxy is the best solution when you want to mitigate a DDoS/DoS attack on HTTP.

    @Microlinux said:

  • leapswitchleapswitch Patron Provider, Veteran

    Looks good, will try it out and let you know.

  • dccdcc Member, Host Rep

    First of all, thank you for sharing this tool.

    Question: is there any way to make this work in an OpenVZ container? In our specific setup we do not need to process large amounts of data so no need for PF_RING.

    Also, would this still work inside of a KVM VPS?

  • Hello!

    Thank you :)

    PF_RING can work in a KVM VM without any trouble at full speed; look at this article.

    You could run it in an OpenVZ container but PF_RING can't work there. Inside an OpenVZ container you could use pcap as the packet capture engine. It's very slow but if you don't have much traffic it will be fine too.

    @dcc said:
    First of all, thank you for sharing this tool.

    Question: is there any way to make this work in an OpenVZ container? In our specific setup we do not need to process large amounts of data so no need for PF_RING.

    Also, would this still work inside of a KVM VPS?

    Thanked by (1): dcc