23.08.2016

Publications

anuragbhatia.com
Ultra fast automated DDoS detection & mitigation

A few weeks back an Indian ISP contacted me via a contact form on my blog. That ISP has been struggling with a targeted DDoS attack. For reasons of privacy as well as the stability of their network, I will not give their name or AS number. The attack on that ISP was much larger than their bandwidth levels. Their upstream did not really share the volume of the attack, but what I could tell from the screenshots they shared was that it was a distributed volumetric attack choking their upstream bandwidth. Read more

geant.org
GARR customer triggered blackholing

From discussions with the GARR working group on “contrast to DDoS”, we understood the importance of collaboration between GARR and its users to mitigate attacks. Together with the other members of the group, some open source tools for detecting DDoS and related reporting have been studied and tested. From these analyses came the idea of developing a possible mitigation system to be implemented jointly with users. The solution found is simple to implement and does not entail high expense. This mitigation system could be extended up to the Géant network… Read more

sami.pw
How to detect & mitigate (D)DoS Attacks using FastNetMon

Recently I was researching a lot on the various denial of service attacks and how to mitigate them from Layer 1 to 7, and as always the most convenient way to stop any attack is keeping the bad requests/traffic away from your services, starting from the first layers of the ISO/OSI model… Read more

MikroTik forum
FastNetMon Integration with MikroTik (DDoS detection software)

This guide will show you how to install and configure FastNetMon to be used with MikroTik and, as a bonus, how to integrate it with Slack and Grafana; the first is used to get reports about DDoS and the second gives you a really great reporting tool that will allow you to check PPS and throughput as a whole and per IP address… Read more

LinkedIn
Metrics and events collection in Ingenico Payment Services

I work at Ingenico Payment Services as an Infrastructure Manager, in a Business Unit called Axis, a card-present payment processing platform. The growth of processing on the platform year over year is double digit, and in infrastructure one often has to answer tricky questions like: Why did yesterday's batch finish late? Do we have enough capacity for hosting this new application? Why didn’t we detect this anomaly? This application is slow, can you add more CPU (whatever that means)? When will we need to buy new servers/storage/switches/routers and how much will it cost?.. Read more

blog.phoenixlzx.com
NetFlow / sFlow traffic reporting: FastNetMon + InfluxDB + Grafana

Recently I had a little time to tinker with Cisco Layer 3 switches and tried to set up a traffic statistics/monitoring/reporting system for a data centre. The process is not very complicated, but it only uses a small fraction of what this combination of advanced software can do. I plan to keep exploring more of its features later, but that depends on whether I have the time… Read more

pontoisp.com.br
The evolution of denial of service (DoS) attacks. Is your provider prepared?

Denial of Service (DoS) attacks are a constant concern for network administrators and deserve a great deal of attention from internet access providers. The attacks generally occur when a network or application is overloaded by an abnormal volume of traffic or processing, caused intentionally to harm the availability of a service. Read more

circleid.com
Mitigating DDoS

Your first line of defense to any DDoS, at least on the network side, should be to disperse the traffic across as many resources as you can. Basic math implies that if you have fifteen entry points, and each entry point is capable of supporting 10g of traffic, then you should be able to simply absorb a 100g DDoS attack while still leaving 50g of overhead for real traffic (assuming perfect efficiency, of course — YMMV). Dispersing a DDoS in this way may impact performance — but taking bandwidth and resources down is almost always the wrong way to react to a DDoS attack. Read more

seflow.com
How to simplify DDoS monitoring on your network – Aggregated and Fastnemon, yuppiii!

Infrastructure DDoS Protection helps large enterprises, ISPs, small and medium businesses, and even casual gamers protect the availability of their services. In the event of an attack, traffic is rerouted through SeFlow’s scrubbing centers using BGP announcements or an API call. From that point on, SeFlow advertises the IP range and starts protecting it.
All incoming network traffic is inspected and filtered, and only legitimate traffic is securely forwarded to the enterprise network via GRE tunneling. Read more

ciscode.net
BGP BLACKHOLE Community

DDoS attacks continue to be a widespread problem on the internet. Their size has grown over the past few years to the point where BGP Blackholing to reduce collateral damage has become widespread.
As more and more networks built support for BGP Blackholing – each with their own BGP community – it became clear that there was a need for a standardized “well known” community for BGP Blackholing. From this need was born RFC 7999: BLACKHOLE Community. This reserves 65535:666 as the well known BLACKHOLE community. Read more

maxid.com.ar
FastNetMon: Detecting and protecting ourselves from DDoS attacks

One of the occupational hazards of networking, and of ISPs in particular, is Distributed Denial of Service (DDoS) attacks.
There are several ways to protect yourself; the best ones, or those with the most options, are paid and carry high licensing costs. An open source project (GNU GPLv2) started by a friend from Russia (Pavel Odintsov), called FastNetMon, is a good option as a free alternative. Read more

globalsign
How to Prevent DDoS Attacks on a Cloud Server Using Open Source Software

A Distributed Denial of Service Attack (DDoS) is, unfortunately, an increasingly common form of premeditated attack against an organization’s web infrastructure.
Typically, it involves using multiple external systems to flood the target system with requests with the intention of overwhelming the system with network traffic. These attacks work because an unprotected system may find it difficult to differentiate between genuine traffic and DDoS traffic. Read more

cloudrouter.org
Use FastNetMon With Your CloudRouter Distribution

CloudRouter distributes FastNetMon, a high performance DoS/DDoS load analyzer built on top of multiple packet capture engines, including NetFlow, IPFIX, sFLOW, netmap, PF_RING, and PCAP. FastNetMon is distributed under the GPLv2 license. The project is led by Pavel Odintsov, CTO at FastVPS in beautiful Saint Petersburg, Russia.
FastNetMon detects hosts in a network with a large number of packets per second, bytes per second or flows per second incoming to or outgoing from certain hosts. It can call an external script to notify people or automate an action such as switching off a server or moving the client to a blackhole. Read more

lowendtalk.com
FastNetMon – open source DDoS detection new release 1.1.2

Hello, folks!
This article will continue http://www.lowendtalk.com/discussion/43473/open-source-ddos-dos-monitoring-toolkit-fastnetmon
We have spent about 10 months on the development of FastNetMon and can present a huge feature list now! 🙂
Stop! What is FastNetMon? It’s a really very fast toolkit which can find an attacked host in your network and block it (or redirect it to a filtering appliance). Read more

lowendtalk.com
Open source DDoS/DoS monitoring toolkit – FastNetMon

Hello, folks!
I would like to share my DDoS monitoring toolkit with the community. You can find it on GitHub: https://github.com/FastVPSEestiOu/fastnetmon
It supports Linux (CentOS 5/6, Debian 6/7), FreeBSD 9/10/11 and Mac OS X since Yosemite. It provides the ability to detect bandwidth, flow and pps (packets per second) spikes which last more than X seconds and to trigger an action against the IP which generated this issue (our own IP, not an attacker IP). Read more

pir8geek.com
FastNetMon – Very Fast DDoS Analyzer with Sflow/Netflow/Mirror Support

FastNetMon – A high performance DoS/DDoS load analyzer built on top of multiple packet capture engines (NetFlow, IPFIX, sFLOW, netmap, PF_RING, PCAP).
What can we do? We can detect hosts in our own network with a large number of packets per second, bytes per second or flows per second incoming to or outgoing from certain hosts. And we can call an external script which can notify you, switch off a server or blackhole the client. Read more

n0where.net
High Performance DoS Analyzer: FastNetMon

FastNetMon – this high performance DoS analyzer and netflow load analyser was built on top of multiple packet capture engines (PF_RING, sFLOW, Netflow, PCAP). What can we do with it? We can detect hosts on our network that are sending (or receiving) a huge number of packets per second or bytes per second of outgoing (or incoming) traffic to (or from) certain hosts. And then we can call an external script which can perform an action, e.g. send a notification, switch off a server or blacklist a badly behaving client/host. Read more

kitploit.com
FastNetMon – Very Fast DDoS Analyzer with Sflow/Netflow/Mirror Support

A high performance DoS/DDoS load analyzer built on top of multiple packet capture engines (NetFlow, IPFIX, sFLOW, netmap, PF_RING, PCAP).
What can we do? We can detect hosts in our own network with a large number of packets per second, bytes per second or flows per second incoming to or outgoing from certain hosts. And we can call an external script which can notify you, switch off a server or blackhole the client. Read more

rstforums.com
FastNetMon – DDoS analyzer

FastNetMon – A high performance DoS/DDoS and netflow load analyzer built on top of multiple packet capture engines (netmap, PF_RING, sFLOW, Netflow, PCAP).
What can we do? We can detect hosts in our own network with a large number of packets per second, bytes per second or flows per second incoming to or outgoing from certain hosts. And we can call an external script which can notify you, switch off a server or blackhole the client.
Why did we write this? Because we couldn’t find any software for solving this problem in the open source world! Read more

digitalmunition.me
FastNetMon – Very Fast DDoS Analyzer with Sflow/Netflow/Mirror Support

A high performance DoS/DDoS load analyzer built on top of multiple packet capture engines (NetFlow, IPFIX, sFLOW, netmap, PF_RING, PCAP).
What can we do? We can detect hosts in our own network with a large number of packets per second, bytes per second or flows per second incoming to or outgoing from certain hosts. And we can call an external script which can notify you, switch off a server or blackhole the client. Read more

cloudrouter.org
CloudRouter 2.0 Beta Launches: First to Market with OpenDaylight Lithium

“I’m excited that FastNetMon is now included in the CloudRouter Project,” said Pavel Odintsov, head of the FastNetMon Project and CTO of FastVPS. “The project is a benefit to the open source community and network operators looking for an open source router. As the new version includes FastNetMon for the first time, I encourage people interested in DDoS and DoS mitigation with FastNetMon to look at the CloudRouter Project.” Read more

blogger.com
Tools: FastNetMon – high performance DoS/DDoS analyzer with sflow/netflow/mirror support

FastNetMon – A high performance DoS/DDoS and netflow load analyzer built on top of multiple packet capture engines (netmap, PF_RING, sFLOW, Netflow, PCAP).
What can we do? We can detect hosts in our own network with a large number of packets per second, bytes per second or flows per second incoming to or outgoing from certain hosts. And we can call an external script which can notify you, switch off a server or blackhole the client. Read more

habrahabr.ru
Release of FastNetMon 1.1.2, an open source solution for monitoring DoS/DDoS attacks

In the almost 10 months since the 1.0.0 release, a great deal of work has gone into improving the program.
Among the main changes, the following are worth noting:

  • The ability to detect the most common kinds of attacks: syn_flood, icmp_flood, udp_flood, ip_fragmentation_flood
  • Added support for the NetFlow protocol; versions 5, 9 and 10 (IPFIX) are supported Read more

linux.org.ru
FastNetMon 1.0.0 — a program for detecting incoming/outgoing attacks

I would like to share my program for analysing traffic passing through mirror ports/routers/OpenVZ nodes for incoming/outgoing DDoS attacks.

  • Why was it written? To record serious spikes of hundreds of kpps in bandwidth/pps, both from the client side and from the internet towards the clients.
  • What does it output? The top 10 most active consumers of network resources; the top 10 can be selected either by pps or by traffic volume. Read more

opennet.ru
FastNetMon 1.0.0 – a program for detecting incoming/outgoing DDoS attacks

FastNetMon 1.0.0 has been released, a program designed to detect incoming and outgoing DDoS attacks by analysing transit traffic. The program is designed to record serious spikes in packet rate (hundreds of thousands of packets per second), both from the clients' side and from the external network towards the clients. Traffic data can be collected via PF_RING (recommended), PCAP (not recommended) and ULOG2 (not recommended). Read more

opennet.ru
Release of FastNetMon 1.1.2, an open source DDoS attack detection solution

FastNetMon 1.1.2 has been released, a program designed to detect incoming and outgoing DDoS attacks by analysing transit traffic. The program is designed to record serious spikes in packet rate (hundreds of thousands of packets per second), both from the clients' side and from the external network towards the clients. Traffic data can be collected via PF_RING, PCAP, ULOG2, Netmap, NetFlow and sFLOW. The output is a list of the 10 most active consumers of network resources, both by packets per second and by traffic volume. The Redis database is used to store statistics. The program is written in C++. Read more

stableit.ru
FastNetMon – a solution for high-speed traffic analysis and blocking of hosts under DDoS attack

This task comes up extremely often in my practice and, unfortunately, has neither elegant nor convenient solutions, nor in fact any solutions at all.
What do we do? We work through PF_RING and, at very high speed, extract the transit or incoming packets headed for our machine or a large network. The application is written in C++ and can handle very serious loads; 10-15 Gbps or 2-5 Mpps is normal. As soon as the pps towards one of the hosts exceeds a set threshold, a script is launched which bans the client or sends a message to a group of administrators. Read more

blogger.com
Saw this tool yesterday, it's quite good: fastnetmon

It can use NetFlow, sFlow or port mirror data to calculate pps, Mbps and flow counts.
When the specified limit is reached
it can raise an alert or execute a specific action.
Installation is simple:
after installing CentOS 7 Read more

freebuf.com
An efficient DDoS attack detection and analysis tool – FastNetMon

FastNetMon is an efficient DoS/DDoS attack analysis tool built on multiple packet capture engines (NetFlow, IPFIX, sFLOW, netmap, PF_RING, PCAP). It can detect and analyse abnormal traffic in the network and can notify about or block attacks via external scripts. Read more

under-linux.org
FastNetMon: High Performance DDoS Analyser with sFlow/NetFlow/Mirror Support

FastNetMon is a utility that works as a high performance analyser aimed at DoS/DDoS. It was designed on top of several packet capture engines (NetFlow, IPFIX, sFlow, netmap, PF_RING, PCAP). With it, it is possible to detect hosts on your own network with a large number of packets per second, bytes per second or flows per second incoming to or outgoing from certain hosts. Furthermore, it is also possible to communicate with an external script that can notify you and switch off a server. Read more

maxid.com.ar
A San Juan native in Río Cuarto

It has been a long time since I last posted, and the reason for neglecting both my blog and social networks is the new projects I have started, which take up a lot of my time.
At the moment I have several projects in development, one of them being FastNetMon, a DDoS attack detection and protection system using NetFlow. This open source project (GNU GPLv2) makes it possible to detect the attacks mentioned above; my contribution to the project is the integration with MikroTik RouterOS to take protective measures against the attacks. Read more

hackernet.se
FastNetMon

High performance DoS/DDoS load analyzer. It can listen to, among others, NetFlow, IPFIX, sFLOW, PCAP, SPAN and PF_RING. If a denial of service attack is detected, a script is executed. What the script does is up to you, e.g. email/SMS the admin or null-route the prefix with ExaBGP. Read more