Hedge 16 podcast: FastNetMon use cases with Russ White and Tom Ammon

Read the in-depth discussion on FastNetMon use cases

In this episode of the Hedge, hosts Russ White and Tom Ammon are joined by Pavel Odintsov, the CTO of FastNetMon, to explore the capabilities and use cases of this open-source DDoS detection tool. The discussion delves into the unique features of FastNetMon, including its ability to detect outbound DDoS attacks, its reliance on BGP for traffic diversion, and its flexibility in deployment across various platforms, including Raspberry Pi. Pavel shares insights into how FastNetMon can be used to manage network traffic, reduce costs, and enhance security. Whether you’re a network engineer or IT professional, this episode offers valuable perspectives on leveraging FastNetMon for robust network protection.

Listen to the podcast on our YouTube channel

Read the podcast transcript:

Podcast Host: Join us at the Hedge for a conversation about engineering, technology, and business. In this episode, Russ White, Tom Ammon, and Pavel Odintsov dig into FastNetMon.

Russ White: Well, hello Tom. You’re in your home office today, which is cool. Do you have your Christmas tree up yet? That’s not right. If it is, don’t. Pavel, how are you today?

Pavel Odintsov: Excellent, excellent.

Russ White: Good. Our second shot at running and talking about FastNetMon on the Hedge, which is good. We like open source stuff. We like projects where people can get their hands dirty and do what needs to be done. Last time we talked about FastNetMon, we discussed how it works and its history. This time, we want to talk more about use cases for FastNetMon. Before we started recording, you mentioned outbound attack detection, which is interesting because most people think about inbound DDoS. Explain what you mean by outbound.

Pavel Odintsov: When we started FastNetMon, we tried to find the root cause of DDoS attacks. After experiencing downtime from a serious DDoS attack, you start looking for the root cause. You end up identifying a particular network or server that initiated the attack. Companies usually have problems with incoming DDoS attacks, but if you work for a data center or hosting provider, you’ll notice a lot of outgoing traffic that doesn’t look legitimate. FastNetMon can identify when a host in your network starts generating an enormous amount of traffic. It’s a good point to look at, and you can apply different actions. Modern hardware can generate a lot of traffic with a single machine, enough to disrupt services on the Internet.

Tom Ammon: So is the assumption that a high volume UDP flow means we should look at this for DDoS?

Pavel Odintsov: In some cases, yes. You usually have a good understanding of the services running in your network. If you see a high volume of UDP traffic, it might indicate a DDoS attack. You can use the number of UDP packets and flows as indicators.

Russ White: Interesting. So if one of your machines has been taken over, what are you thinking of? It’s easy to generate a lot of traffic, right?

Pavel Odintsov: Yes, it usually starts with web software that has security issues, like outdated WordPress. Attackers upload malware, often small scripts, to generate UDP traffic. It’s common for a single server to be taken over by multiple botnets using different malware.

Russ White: I remember cases where this would have been helpful. Code Red infected large networks, causing major problems. FastNetMon could have helped identify traffic patterns.

Pavel Odintsov: Yes, FastNetMon isn’t focused on intrusion detection, but it can notify you of unusual traffic patterns, like gigabits of UDP traffic in a quiet network segment.

Tom Ammon: I’m curious about the placement of the service. For outbound detection, where do you place it?

Pavel Odintsov: It depends. For residential services, deploy FastNetMon before port translation to see internal IPs. Keep it close to your billing system and core network.

Russ White: Another case where this would be interesting is if software was misinstalled on thousands of desktops, causing network issues. FastNetMon could help identify traffic patterns.

Pavel Odintsov: Exactly. FastNetMon has no licensing limits, so you can install it on every machine. It’s often deployed on virtual machines in VPS services to detect outgoing attacks.

Russ White: Right, and with this solution, you can bring the policy to the traffic. Another use case we discussed was diverting traffic. What do you mean by that?

Pavel Odintsov: Customers use FastNetMon to detect incoming DDoS and can use RTBH or Blackhole to block traffic. If you don’t have enough capacity to absorb the attack, you can divert traffic to a cloud scrubbing center. FastNetMon can create BGP announcements or call APIs for remote scrubbing centers.

Russ White: How do you stage this in your network?

Pavel Odintsov: You can use BGP to divert traffic to a remote scrubbing center or within your network. FastNetMon can act as a kill switch, redirecting traffic to specialized equipment for filtering.

Russ White: Interesting. You can use FastNetMon for detecting elephant flows or hot links in a data center fabric.

Pavel Odintsov: Yes, FastNetMon can export bandwidth information for decision-making. You can use it for traffic engineering and see real-time changes in load distribution.

Russ White: You’re primarily relying on BGP for this, right?

Pavel Odintsov: Yes, we use BGP Unicast and Flow Spec. Flow Spec is more flexible, allowing you to discard, rate limit, or tag traffic for quality of service.

Tom Ammon: It sounds like you could build your own scrub center with FastNetMon.

Pavel Odintsov: Yes, but FastNetMon focuses on L3 and L4. For sophisticated attacks, you need additional equipment. Some customers have built scrubbing centers with FastNetMon.

Russ White: We discussed fine-tuning on-premises equipment. FastNetMon can help with that, right?

Pavel Odintsov: Yes, FastNetMon can help reduce costs by minimizing scrubbing center usage. It can redirect traffic on demand, saving on filtering equipment licenses.

Russ White: If I have multiple upstream providers, I can use FastNetMon for traffic diversion, right?

Pavel Odintsov: Yes, it’s possible.

Tom Ammon: What’s the inspection engine built out of?

Pavel Odintsov: FastNetMon uses counters and calculates exponential moving averages for different traffic types. It exports information to time series databases like InfluxDB and Graphite.

Tom Ammon: Have you seen FastNetMon replace other NetFlow collection tools?

Pavel Odintsov: Sometimes, but customers often use them together. FastNetMon operates in real-time, while other tools store data for historical reports.

Russ White: Where can you run FastNetMon?

Pavel Odintsov: FastNetMon is a C binary application. You can run it on Docker, bare metal, or in cloud environments. It’s lightweight, with no major dependencies.

Russ White: You could run it on Raspberry Pi, right?

Pavel Odintsov: Yes, Raspberry Pi is powerful enough for FastNetMon. It’s often used in network companies that lack Linux machines.

Russ White: Tom, any other questions?

Tom Ammon: No, but I have a Raspberry Pi ready for FastNetMon.

Pavel Odintsov: You can install it with apt install fastnetmon on Debian. It supports ARM 64.

Russ White: You could use it on your home network to monitor IoT devices. Where can people get FastNetMon?

Pavel Odintsov: GitHub is the best place. Search for FastNetMon, and you’ll find contributions from the community, integrations, and packaging for different platforms.

Russ White: Do you blog or anything else?

Pavel Odintsov: You can find my blog at pavel.network.

Russ White: Tom, you’re on Twitter, right?

Tom Ammon: Yes, @TomAmmon.

Russ White: I’m @RussWhite, and you can find me at Rule 11 Tech. Thanks for joining us on this episode of the Hedge.
