Vicente De Luca,
Sr. Network Engineer,

Our company has been using FastNetMon to improve detection of malicious traffic targeting our cloud infrastructure. The improvements provided by this tool are helping us to detect attacks early and trigger mitigation techniques before the situation evolves to critical stages, when availability starts being affected. FastNetMon empowers users to customize thresholds based on their own traffic patterns, as well as integrate with other tools such as time series databases and anomaly detection algorithms. We are truly grateful to Pavel Odintsov and all the contributors, and wish the project further success making DDoS detection open source and freely accessible to the internet community.

We have recently implemented FastNetMon for alerting of DDoS attacks on our network as well as automatically triggering blackhole action. It is great to see an active community of FastNetMon users as well as a rapid pace of new features being added to the platform. The main feature that attracted me to FastNetMon was the support for handling multiple input methods simultaneously (sFlow, NetFlow and on-the-wire capture).

CEO at Tranquil Hosting,

Yefim Gasel,

The best thing about FastNetMon — it’s simple, but extremely powerful.
We use FastNetMon to analyze traffic from our border switches and make decisions on protecting our network automatically. With FastNetMon and 10 lines of bash code we decide to ban, re-route or simply do nothing with the attack while informing the customer about the issue within a couple of seconds after the problem arises.

Here at yourserver.se we run FastNetMon in highly available mode — border switches send sFlow statistics to both datacenters simultaneously, FastNetMon integrates with ExaBGP, which announces the attack destination back to the switches, marked with the BGP community we need to make the correct protection decision: either blackhole, block UDP flood or just notify the customer. We are looking into integrating FastNetMon with Graphite to give our technical support team a better look at the attacks and to have even better analytics.

We’d like to thank Pavel Odintsov, the creator of FastNetMon, for active and continuous development of FastNetMon and, of course, for avoiding many sleepless nights and customer complaints 🙂

First of all, let me thank you for sharing the FastNetMon project on GitHub.
We have been using it for about 2 months for early detection of DDoS attacks towards our customers.
Currently we are monitoring ~1000 subnets and using traffic samples collected via the sFlow v5 protocol configured on our core switches.

FastNetMon is running on a virtual server with 1 CPU core (Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz) and 4 Gbps of RAM. We are monitoring only incoming traffic and do not use any scripts, BGP announcements, etc. At the moment we use it as a notification tool only.
FastNetMon is a great tool, efficient and reliable. Its installation is as easy as a, b, c.

Zlatko Yordanov, Network Management Team,

Henry Spanka, myvirtualserver.com


myVirtualserver is a VPS hosting company and Internet Service Provider in Western Europe (Germany). We had many customers complaining about incoming DDoS attacks and packet loss, caused by outgoing DDoS of customers.
Every time a problem was reported or we noticed that the incoming/outgoing traffic was really high, we needed to manually log into the host and find out what the problem was. Sometimes we weren’t even able to log into the server because the link was completely flooded and we were forced to use the KVM over IP. If it was incoming DDoS then we had no choice and the only option was to nullroute/blackhole the customer’s IP. Nowadays we are using asynchronic routing. Incoming traffic is filtered by Voxility SRL and outgoing sent through several providers (Cogent, …).

FastNetMon really improved our workflow and helped us maintain a stable network. The traffic flow is exported to Graphite by using FastNetMon’s sFlow implementation. Additionally, the statistics (see: ATTACK_REPORT_EXAMPLE.md) the toolkit provides are automatically parsed by our system and the customer is informed about the incident. If it’s outgoing we make clear that we do not tolerate DDoS and the service may be suspended. Additionally, a report is automatically sent to the administrator’s phone (Boxcar Mail integration). In the last few days not a single outgoing attack has been detected. FastNetMon gives us insight into the several attacks targeting our network each day and we can now handle this flawlessly. If Voxility is not detecting an attack (this only rarely happens) we are able to respond within seconds and mitigate the attack manually. Our network statistics are in real time thanks to FastNetMon.

Attached you will find a picture of our current dashboard. In general we can say that we are really happy that such a toolkit exists. Without it the daily life of every network administrator would be much harder and personally, I don’t want to spend my whole day on solving network incidents and answering tickets from concerned customers. Today I have much more time, focusing on more important things like developing new features for our hosting environment or fixing bugs. I can rest easily without hearing my phone ringing because some services are down as before. Hereby I’m thanking Pavel Odintsov for his great toolkit licensed under the GNU v2 license. Additionally we had some nice Skype conversations about other topics like OpenVZ virtualization, as we both share the same passion for container virtualization, and I can’t thank him enough. Keep it up!!!

PrimeTel was looking to enhance its ability to detect and filter DDoS attacks coming into its network. FastNetMon has shown itself to be the most effective solution for the job. Compared to other options, the cost of integration was very competitive and we now get insight into an attack within a minute. This allows us to activate the necessary mitigating measures practically immediately.

Kleanthis Hadjisoteriou,
Chief Technology Officer, PrimeTel,

Thanks, Miguel,

We have been working with FastNetMon for one month now, with +65 Gb/sec, attacks every day and 569 networks. The feedback is very good. We have Arista switches on the main network working with sFlow.
Total number of monitored hosts (total size of all networks): 757184
We have created a provisional web GUI to add and remove networks via HTTP, but are waiting to see if you add this feature in the future.
The only thing, after 2 months working, is that it only detects UDP flood and doesn't report any other attack type; it's possible all our attacks are UDP 🙂
This week I want to add MongoDB attack storage to get statistics and install InfluxDB with Grafana; the experience with Graphite after 5 hours working is slow, slow, a very big database.

We are using FastNetMon as the core of our anomaly detection system (FlowSense). Its robustness helps us detect 99% of attacks in less than 5 seconds, which allows us to efficiently mitigate them and send nice attack reports to clients.
The versatility of the FastNetMon platform makes it a universal tool which can be integrated into any infrastructure, even one as complex as ours. I look into further platform development and strongly recommend it for everyone concerned with fast attack detection in their networks.

Ramil Khantimirov, CEO StormWall