Read the in-depth discussion on DDoS Detection and Mitigation
In this episode of the Packet Pushers podcast, we dive into the world of DDoS detection with FastNetMon, an open-source solution designed to identify and mitigate distributed denial of service attacks. Hosted by the Packet Pushers, the conversation features Pavel Odintsov, the project leader of FastNetMon. Pavel shares the origins of FastNetMon, highlighting its development journey from a GitHub project to a robust tool capable of handling millions of packets per second. He discusses the software's focus on Layer 3 and Layer 4 attack types, its integration with BGP unicast (blackhole) announcements and BGP FlowSpec, and its low hardware requirements. The podcast also explores the differences between the community and commercial versions of FastNetMon, the importance of detection versus mitigation, and the flexibility of the platform for customization and integration with existing network infrastructure. Whether you're a network engineer or an IT security specialist, this episode offers valuable insights into the capabilities and benefits of FastNetMon in the fight against DDoS attacks.
Listen to the podcast on our YouTube channel
Read the podcast transcript:
Podcast host: Today on the PriorityQ, we’re discussing open source DDoS detection with FastNetMon. If you’re unfamiliar with DDoS, it’s a type of attack common across the Internet, short for distributed denial of service. These attacks are tricky to detect and defend against, and chances are you’ll encounter one either directly or indirectly in your IT career. For more on DDoS, check out packetpushers.net for articles and podcasts. Today, we’re focusing on the FastNetMon project for DDoS detection. Joining me is Pavel Odintsov, the project leader. Pavel, welcome to the Packet Pushers Priority Queue. Tell us about FastNetMon. What is this project?
Pavel Odintsov: Hi everyone. FastNetMon is DDoS detection software. It detects DDoS attacks and automatically applies filtering rules to block them. One of its main purposes is to save you from waking up in the middle of the night to fix network issues. FastNetMon focuses on Level 3 and Level 4 attack types, specifically targeting popular amplification attacks and various floods.
Podcast host: There are many DDoS products and services available, often at a high cost. What led you to start FastNetMon?
Pavel Odintsov: It's an interesting story. I spent a lot of time searching for solutions to DDoS attacks. FastNetMon was initially published on GitHub in 2013. It was born out of market research to find affordable DDoS detection software for companies in emerging markets. Initially, it was a naive approach to automate tasks like packet analysis and network monitoring. We chose C for its performance, as we needed to handle 2 million packets per second without NetFlow or sFlow support.
Podcast host: I didn’t realize C was a requirement. I assumed Golang might offer the performance needed.
Pavel Odintsov: If you have less traffic, Go might work. But for 40 or 100 gigabits, C is necessary due to its performance and available packet capture libraries. When FastNetMon started, Go wasn’t as popular, and there were fewer libraries for packet processing.
Podcast host: So, performance and cost are major features of FastNetMon. What are the other main features?
Pavel Odintsov: FastNetMon's main feature is DDoS detection. It provides options to detect when an attack hits your network and offers detailed information about it. You can set traffic baselines, and FastNetMon will alert you when thresholds are crossed. It supports automation, BGP unicast, and BGP FlowSpec for traffic filtering. FastNetMon also provides traffic statistics and integrates with various storage backends like Graphite and InfluxDB.
Podcast host: There’s a lot there. Detection, notification, and BGP announcements are all part of it. How does detection help with mitigation?
Pavel Odintsov: FastNetMon focuses on detection, providing information about attacks. Complete mitigation is complex, especially for sophisticated attacks. FastNetMon can work with cloud scrubbing centers and integrate with existing filtering hardware. It can also use BGP blackhole to block traffic to affected hosts, saving the rest of your network.
Podcast host: So, detection is primary, and mitigation involves other devices. FastNetMon informs them about the attack.
Pavel Odintsov: Yes, and it can integrate with sophisticated systems for additional processing. Combining different systems or cloud services provides comprehensive DDoS mitigation.
Podcast host: There’s a free version of FastNetMon and a commercial version. What’s the difference?
Pavel Odintsov: FastNetMon started as open source. The community version supports various Linux distributions and architectures. The commercial version, FastNetMon Advanced, offers all features in a single package, including BGP implementations, APIs, and easy installation tools.
Podcast host: Are there functionality differences between the two?
Pavel Odintsov: Yes, FastNetMon Advanced has an enhanced detection engine and supports all DDoS attack types, including multi-vector attacks. It offers more options for BGP FlowSpec and integrates with various external systems.
Podcast host: FlowSpec is growing in popularity. How has vendor support been?
Pavel Odintsov: It's available on modern, high-end routers. Most top vendors support BGP FlowSpec, and FastNetMon works well with their implementations. It's a great technology that works according to standards.
Podcast host: Who typically uses FastNetMon? Service providers or enterprises?
Pavel Odintsov: It’s a mix, but mainly telecoms, hosting providers, and data centers. We’ve also seen interest from wireless service providers.
Podcast host: What hardware does FastNetMon need?
Pavel Odintsov: FastNetMon has low hardware requirements. It can run on a single CPU machine, but two cores are better. Memory requirements depend on network size, but 1-2 GB is usually sufficient.
Podcast host: What about exporting traffic to FastNetMon? What’s the best method?
Pavel Odintsov: It depends on your hardware. NetFlow and sFlow are common, but port mirroring is an option if those aren't available. FastNetMon supports various bandwidths and optimized processing engines.
Podcast host: Does FastNetMon support IPFIX records?
Pavel Odintsov: Yes, we support IPFIX.
Podcast host: What about sampled versus unsampled flow data?
Pavel Odintsov: It depends on your hardware. Sampling is often necessary to avoid overloading routers. FastNetMon supports sampling, but configurations may vary by vendor.
Podcast host: Can FastNetMon replace commercial products?
Pavel Odintsov: FastNetMon complements other solutions. It can integrate with various filtering hardware for better results. We support A10 Networks, Radware DefenseFlow, and more.
Podcast host: FastNetMon is open source, allowing customization for specific needs.
Pavel Odintsov: Yes, you can customize FastNetMon for your needs and contribute to the community. It’s flexible and can integrate with various systems.
Podcast host: What about IPv4 versus IPv6 support?
Pavel Odintsov: We’re working on IPv6 support, but it’s complex and will take time. IPv4 is still the main target for DDoS attacks.
Podcast host: Does FastNetMon provide insights beyond DDoS detection?
Pavel Odintsov: Yes, FastNetMon Advanced includes a traffic persistence engine for storing flow data. It offers scalability and detailed traffic reports.
Podcast host: What about the community version?
Pavel Odintsov: The community version doesn’t support this feature. It’s exclusive to FastNetMon Advanced.
Podcast host: How does integration with DDoS mitigation tools work?
Pavel Odintsov: FastNetMon can consume NetFlow or sFlow streams from existing solutions and mix them for comprehensive analysis.
Podcast host: Does FastNetMon have an API for automation?
Pavel Odintsov: Yes, FastNetMon Advanced has a complete API for configuration and management. The community version has basic API support.
Podcast host: Are you looking for developers to help with the project?
Pavel Odintsov: We’re looking for contributors with experience in protocols like NetFlow and IP Flow. Feedback from hardware vendors is also valuable.
Podcast host: How can people interact with the FastNetMon community?
Pavel Odintsov: We support IRC, Slack, Telegram, and Google Groups. You can choose your preferred platform to connect with us.
Podcast host: Where can people learn more about FastNetMon?
Pavel Odintsov: Visit fastnetmon.com for more information and links to our community channels. You can also find us on GitHub for contributions and feedback.
Podcast host: Are you active on social media or have a blog?
Pavel Odintsov: We have a blog on our official site, but it's not very active due to time constraints. We share insights on NetFlow and sFlow implementations.
Podcast host: Thanks for joining us today, Pavel. It’s been a great conversation about FastNetMon. To our listeners, thanks for tuning in to the Packet Pushers Priority Queue. You can find more podcasts and our community blog at packetpushers.net. Follow us on Twitter @packetpushers and on LinkedIn. We’re also on Facebook. If you like what you hear, please rate us on Apple Podcasts. Remember, too much networking would never be enough.