FastNetMon v-1.0 released - high performance DoS/DDoS analyzer with sflow/mirror support.

FastNetMon is a high-performance DoS/DDoS and load analyzer built on top of PF_RING.
Features:
+ Can process incoming and outgoing traffic
+ Can trigger a block script when a particular IP loads the network with a large number of packets per second
+ Can trigger a block script when a particular IP loads the network with a large number of bytes per second
+ Can trigger a block script when a particular IP loads the network with a large number of flows per second
+ VLAN untagging
+ MPLS traffic processing
+ L2TP decapsulation of nested packets
+ PF_RING ZC/DNA support (wire-speed processing at tens of Mpps, but requires a license)
+ Can process sFlow v5
+ Can work on mirror/SPAN ports
+ Can work on a server/soft-router
+ Can detect DoS/DDoS within 1-2 seconds
+ Tested up to 10GE at 5-6 Mpps on an Intel i7 2600 with an Intel 82599 NIC (screenshot: fastnetmon_screen)

Why is NetFlow not the best solution for DoS/DDoS attack detection?
– It needs additional licenses or even additional hardware (Juniper MX240, MX480, MX960: additional license)
– It is implemented in software and can overload the equipment (Juniper SRX, J-series, MikroTik, VMware, Linux)
– Even on top-end equipment the flow active timeout starts at 60 seconds, which is far too slow both for massive attacks and for slow-speed attacks.
Example deployment scheme: (figure: network_map)
Step-by-step manual installation:
First install PF_RING (any recent version will do):

Build PF_RING kernel module:

You can use a precompiled, statically linked version of this tool without compiling anything:

If you use the static version you can skip ahead to the part of this guide about “networks_list”.

Build the library:

Install FastNetMon:

Build FastNetMon with cmake:

Start fastnetmon with these options:

If you want to avoid setting LD_LIBRARY_PATH on every call, add the PF_RING library path to the system:

It is REQUIRED to add all your networks in CIDR form to the file /etc/networks_list, one subnet per line. Please aggregate your networks, because a long networks list will significantly slow down the program. Also change REDIS_SUPPORT = yes to no in the Makefile if you do not need the traffic counting feature. When running this software on an OpenVZ node you may omit the explicit networks list; they can be read from /proc/vz/veip.

You can add whitelisted subnets in the same form (CIDR masks) to /etc/networks_whitelist.
Copy the standard config file to /etc:

Start it:

To start the program automatically on server startup, add these lines to /etc/rc.local:

When an incoming or outgoing attack arrives, the program calls the bash script /usr/local/bin/notify_about_attack.sh (if it exists) two times. The first call is made when a threshold is exceeded (at this point the IP, the direction and the power of the attack are known). The second call is made after 100 packets have been collected for a detailed audit of what happened.
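The following is an added illustration of the detection model described in this post (per-host packets, bytes and flows per second over a short window, direction derived from the networks list, and a two-stage notification). It is not FastNetMon's code. The networks list parser and the aggregation it performs follow the /etc/networks_list format above; everything else is an assumption made for the example: the packet record format, the threshold values, the 1-second window, the 100-packet audit sample, and the notify() callback signature with its "ban" and "attack_details" action names.

```python
"""Toy per-host rate detector modelled on the FastNetMon feature list.

Added example, not FastNetMon's code.  Thresholds, window length, packet
record format and the notify() callback are assumptions for illustration.
"""
import ipaddress

# Constructed sample of /etc/networks_list: one CIDR prefix per line.
NETWORKS_LIST = """\
10.0.0.0/24
10.0.1.0/24
192.0.2.0/25
192.0.2.128/25
"""


def load_networks(text):
    """Parse one-prefix-per-line text and aggregate adjacent prefixes
    (the aggregation the post asks for to keep lookups fast)."""
    prefixes = [ipaddress.ip_network(line.strip(), strict=False)
                for line in text.splitlines()
                if line.strip() and not line.lstrip().startswith("#")]
    return list(ipaddress.collapse_addresses(prefixes))


def classify(networks, src, dst):
    """Return (direction, monitored_host): 'incoming' if the destination is
    ours, 'outgoing' if the source is ours, (None, None) for transit."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(d in net for net in networks):
        return "incoming", str(d)
    if any(s in net for net in networks):
        return "outgoing", str(s)
    return None, None


class RateDetector:
    """Counts packets, bytes and distinct flows per (host, direction) in
    fixed windows and calls notify() twice per attack, as described above."""

    def __init__(self, networks, notify, pps=1000, bytes_ps=1_000_000,
                 flows_ps=500, window=1.0, sample_size=100):
        self.networks = networks
        self.notify = notify      # notify(host, direction, power, action, sample)
        self.limits = {"pps": pps, "bytes_ps": bytes_ps, "flows_ps": flows_ps}
        self.window = window      # seconds (assumed; the post says 1-2 s detection)
        self.sample_size = sample_size
        self.window_start = None
        self.counters = {}        # (host, direction) -> packet/byte/flow counters
        self.attacks = {}         # (host, direction) -> audit sample list

    def feed(self, ts, src, dst, length, proto, sport, dport):
        direction, host = classify(self.networks, src, dst)
        if host is None:
            return                # neither side is ours: not counted
        if self.window_start is None:
            self.window_start = ts
        if ts - self.window_start >= self.window:
            self._evaluate()      # close the finished window first
            self.window_start = ts
        key = (host, direction)
        c = self.counters.setdefault(key, {"packets": 0, "bytes": 0, "flows": set()})
        c["packets"] += 1
        c["bytes"] += length
        c["flows"].add((src, dst, proto, sport, dport))
        # Second stage: once a host is flagged, keep the next packets for audit.
        sample = self.attacks.get(key)
        if sample is not None and len(sample) < self.sample_size:
            sample.append((ts, src, dst, length, proto, sport, dport))
            if len(sample) == self.sample_size:
                self.notify(host, direction, None, "attack_details", list(sample))

    def _evaluate(self):
        for (host, direction), c in self.counters.items():
            rates = {"pps": c["packets"] / self.window,
                     "bytes_ps": c["bytes"] / self.window,
                     "flows_ps": len(c["flows"]) / self.window}
            exceeded = {k: v for k, v in rates.items() if v > self.limits[k]}
            if exceeded and (host, direction) not in self.attacks:
                self.attacks[(host, direction)] = []
                # First stage: IP, direction and "power" are known right now.
                self.notify(host, direction, exceeded, "ban", None)
        self.counters = {}

    def flush(self):
        """Evaluate the still-open window; call at end of input."""
        self._evaluate()


def run_demo():
    """Replay constructed traffic and return the notify() calls made."""
    events = []

    def notify(host, direction, power, action, sample):
        events.append((host, direction, action,
                       None if sample is None else len(sample)))

    det = RateDetector(load_networks(NETWORKS_LIST), notify)
    # Window 1: 1200 small UDP packets from many sources at one host of ours.
    for i in range(1200):
        det.feed(0.5 + i * 0.0001, f"198.51.100.{i % 200}", "10.0.0.5",
                 64, "udp", 1024 + i, 53)
    # Normal outgoing traffic from another host, well under every limit.
    for i in range(10):
        det.feed(0.6 + i * 0.01, "10.0.0.7", "203.0.113.9", 1400, "tcp", 44000, 443)
    # Window 2: the flood continues; its first 100 packets become the audit sample.
    for i in range(300):
        det.feed(2.0 + i * 0.001, f"198.51.100.{i % 200}", "10.0.0.5",
                 64, "udp", 2000 + i, 53)
    det.flush()
    return events
```

Running run_demo() yields exactly two notifications for 10.0.0.5 in the incoming direction: a "ban" at the end of the first window (1200 pps and 1200 flows/s exceed the assumed limits, while the byte rate does not) and an "attack_details" call carrying the 100-packet sample. The legitimate outgoing stream from 10.0.0.7 never triggers anything, which is the point of keeping the counters per host and per direction rather than per interface.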

Download zipball | or git clone
Author: Pavel Odintsov pavel.odintsov@gmail.com License: GPLv2