Updates FastNetMon – high performance DoS/DDoS analyzer with sFlow/mirror support.

Latest changes, bug fixes and tools added:
– Add GeoIP file updates
– Rename .cpp code to .c for the packet parser
– Add help to project remark
– Add script for GeoIP database updates
– Move common code to a library
– Add Cojacfar
– Fixes in performance tests
– Add patch for netmap
– Fix for compilation on Mac OS X Yosemite
– Move separate code files to the test folder
– Enable fast_library linking with Boost modules
– Move syn umbrella to a separate project

FastNetMon – A high performance DoS/DDoS and network load analyzer built on top of multiple packet capture engines (netmap, PF_RING, sFlow, NetFlow, PCAP).

Features:
– Can process incoming and outgoing traffic
– Can trigger block script if certain IP loads network with a large amount of packets per second
– Can trigger block script if certain IP loads network with a large amount of bytes per second
– Can trigger block script if certain IP loads network with a large amount of flows per second
– netmap support (open source; wire speed processing; only Intel hardware NICs or any hypervisor VM type)
– PF_RING ZC/DNA support (wire speed processing on tens of MPPS but needs license)
– Can process sFlow v5
– Can process NetFlow v5, v9 and IPFIX
– Can use PCAP for packet sniffing
– Can work on mirror/SPAN ports
– Supports L2TP decapsulation, VLAN untagging and MPLS processing in mirror mode
– Can work on server/soft-router
– Can detect DoS/DDoS in 1-2 seconds
– Tested up to 10GE with 5-6 Mpps on an Intel i7 2600 with an Intel 82599 NIC
– Complete plugin support

Supported platforms:
– Linux (Debian 6/7, CentOS 6/7, Ubuntu 12+)
– FreeBSD 9, 10, 11
– Mac OS X Yosemite

Why is NetFlow not the best solution for DoS/DDoS attack detection?
– It needs additional licenses or even hardware (Juniper MX240, MX480, MX960 – additional license)
– It is implemented in software and can overload the equipment (Juniper SRX, J-series, MikroTik, VMware, Linux)
– Even on top-end equipment flow-active-timeout starts from 60 seconds, which is very slow for both massive attacks and slow-speed attacks.
Example deployment scheme: [network map figure]
Step by Step Manual Installation:
First you should install PF_RING (any recent version will do):

Build PF_RING kernel module:

You can use a precompiled and statically linked version of this tool without compiling anything:

If you want to use the static version you can skip ahead to the part of this guide about “networks_list”.

Build lib:

Install FastNetMon:

Build FastNetMon with cmake:

You should start fastnetmon with these options:

If you want to avoid setting LD_LIBRARY_PATH on every call, add the pf_ring library path to the system:

It is REQUIRED to add all your networks in CIDR form to the file /etc/networks_list, one subnet per line. Please aggregate your networks, because a long networks list will significantly slow down the program. Also change REDIS_SUPPORT = yes to no in the Makefile if you do not need the traffic counting feature. When you run this software on an OpenVZ node you do not need to specify networks explicitly; they can be read from the file /proc/vz/veip.

You can add whitelist subnets in similar form to /etc/networks_whitelist (CIDR masks too).
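The two files above are plain lists of CIDR prefixes, and the post asks you to aggregate them before FastNetMon loads them. The following added helper (not part of FastNetMon) validates such a list, collapses overlapping and adjacent prefixes, and reports whitelist entries that fall outside the monitored networks; the sample file contents are constructed, and the assumption that blank lines and `#` comments may be skipped is mine, not the tool's.

```python
"""Validate and aggregate networks_list / networks_whitelist style files."""
import ipaddress

# Constructed sample for /etc/networks_list: overlapping and adjacent prefixes.
SAMPLE_NETWORKS_LIST = """\
# customer A
192.0.2.0/25
192.0.2.128/25
# customer B, partly duplicated
198.51.100.0/24
198.51.100.64/26
2001:db8::/48
2001:db8:1::/48
"""

# Constructed sample for /etc/networks_whitelist; the last entry is not monitored.
SAMPLE_WHITELIST = "198.51.100.8/29\n203.0.113.0/24\n"


def parse_networks_list(text):
    """Return (networks, errors). One CIDR per line; '#' comments assumed OK."""
    nets, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=True rejects host bits set in the prefix, e.g. 192.0.2.1/24
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            errors.append(f"line {lineno}: {raw!r}: {exc}")
    return nets, errors


def aggregate(nets):
    """Merge overlapping/adjacent prefixes; collapse works per address family."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def unmonitored_whitelist(whitelist, monitored):
    """Whitelist prefixes not contained in any monitored prefix (likely typos)."""
    return [w for w in whitelist
            if not any(w.version == m.version and w.subnet_of(m) for m in monitored)]


def render(nets):
    """Serialise back to the one-prefix-per-line file format."""
    return "".join(f"{n}\n" for n in nets)
```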
Copy standard config file to /etc:

Start it:

To enable program start on server startup, add these lines to /etc/rc.local:

When an incoming or outgoing attack arrives, the program calls the bash script /usr/local/bin/notify_about_attack.sh (when it exists) two times. The first time is when the threshold is exceeded (at this step we know the IP, direction and power of the attack). The second is when we have collected 100 packets for a detailed audit of what happened.

Download: zipball | git clone | Our earlier post
Author: Pavel Odintsov <pavel.odintsov@gmail.com> License: GPLv2