FastNetMon - Very Fast DDoS Analyzer with Sflow/Netflow/Mirror Support

Monday, May 11, 2015


A high performance DoS/DDoS load analyzer built on top of multiple packet capture engines (NetFlow, IPFIX, sFLOW, netmap, PF_RING, PCAP).

What can we do? We can detect hosts in our own network with a large amount of packets per second/bytes per second or flow per second incoming or outgoing from certain hosts. And we can call an external script which can notify you, switch off a server or blackhole the client.

Features:
  • Can process incoming and outgoing traffic
  • Can trigger block script if certain IP loads network with a large amount of packets/bytes/flows per second
  • Could announce blocked IPs to BGP router with ExaBGP
  • Have integration with Graphite
  • netmap support (open source; wire speed processing; only Intel hardware NICs or any hypervisor VM type)
  • Supports L2TP decapsulation, VLAN untagging and MPLS processing in mirror mode
  • Can work on server/soft-router
  • Can detect DoS/DDoS in 1-2 seconds
  • Tested up to 10GE with 5-6 Mpps on Intel i7 2600 with Intel Nic 82599
  • Complete plugin support
  • Have complete support for most popular attack types

Supported platforms:
  • Linux (Debian 6/7/8, CentOS 6/7, Ubuntu 12+)
  • FreeBSD 9, 10, 11
  • Mac OS X Yosemite
What is "flow" in FastNetMon terms? It's one or multiple udp, tcp, icmp connections with unique src IP, dst IP, src port, dst port and protocol.

Example for cpu load on Intel i7 2600 with Intel X540/82599 NIC on 400 kpps load:


To enable sFLOW simply specify IP of server with installed FastNetMon and specify port 6343. To enable netflow simply specify IP of server with installed FastNetMon and specify port 2055.
Why did we write this? Because we can't find any software for solving this problem in the open source world!




Subscribe via e-mail for updates!