Merge pull request #711 from trodery/trodery-documentation-changes

Cleaning up of various documentation
This commit is contained in:
Pavel Odintsov 2018-03-01 21:26:29 +00:00 committed by GitHub
commit 2e4ac87c59
Signed by: GitHub
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 88 additions and 74 deletions

@ -2,12 +2,23 @@ FastNetMon Community Edition
===========
FastNetMon - A high performance DoS/DDoS load analyzer built on top of multiple packet capture engines (NetFlow, IPFIX, sFLOW, SnabbSwitch, netmap, PF_RING, PCAP).
What can we do? We can detect hosts in our networks sending or receiving large volumes of packets/bytes/flows per second. We can call an external script to notify you, switch off a server, or blackhole the client.
What do we do?
--------------
We detect hosts in the deployed network sending or receiving large volumes of traffic, packets/bytes/flows, per second and
perform a configurable action to handle that event. These configurable actions include notifying you, switching off the server, or blackholing the client.
To enable sFLOW, simply specify IP of the server running FastNetMon and specify (configurable) port 6343
To enable netflow, simply specify IP of the server running FastNetMon and specify (configurable) port 2055
What is a "flow" in FastNetMon terms? It's one or more ICMP, UDP, or TCP connections with can be identified by via its unique src IP, dst IP, src port, dst port, and protocol usage.
Integration with flow systems
-----------------------------
At a very high level integration with FastNetMon is fairly simple. In both cases the work flow is the same and the main difference being the port numbers provided. The port numbers are configurable.
#### sFLOW
Configure the IP of the server running FastNetMon using port 6343. This port number is configurable.
#### netflow
Configure the IP of the server running FastNetMon using port 2055. This port number is configurable.
What is a "flow" in FastNetMon terms? It's one or multiple UDP, TCP, or ICMP connections with unique src IP, dst IP, src port, dst port, and protocol.
License: GPLv2
@ -16,7 +27,7 @@ Project
- [Official site](https://fastnetmon.com)
- [Mailing list](https://groups.google.com/forum/#!forum/fastnetmon)
- [Slack](https://join.slack.com/t/fastnetmon/shared_invite/MjM3NDUwNzY4NjA5LTE1MDQ4MzE5NTAtYmU4MjYyYWNiZQ)
- [FastNetMon Advanced, commercial edition](https://fastnetmon.com/fastnetmon-advanced/)
- [FastNetMon Advanced, Commercial Edition](https://fastnetmon.com/fastnetmon-advanced/)
- If you want add an [idea](https://fastnetmon.fider.io/)
- Chat: #fastnetmon at irc.freenode.net [web client](https://webchat.freenode.net/)
- Detailed reference in Russian: [link](https://fastnetmon.com/wp-content/uploads/2017/07/FastNetMon_Reference_Russian.pdf)
@ -30,7 +41,7 @@ Supported packet capture engines
You can check out the [comparison table](https://fastnetmon.com/docs/capture_backends/) for all available packet capture engines.
Complete integration with following vendors
Complete integration with the following vendors
--------------------------------
- [A10 Networks Thunder TPS Appliance integration](src/a10_plugin)
- [MikroTik RouterOS](src/mikrotik_plugin) Please use only recent versions of RouterOS!
@ -44,33 +55,33 @@ Features
- Trigger block/notify script if an IP exceeds defined thresholds for packets/bytes/flows per second
- Thresholds can be configured per-subnet with the hostgroups feature
- [Announce blocked IPs](https://fastnetmon.com/docs/exabgp_integration/) via BGP to routers with [ExaBGP](https://github.com/Exa-Networks/exabgp)
- GoBGP [integration](https://fastnetmon.com/docs/gobgp-integration/) for unicast IPv4 announcements (you need build support manually).
- GoBGP [integration](https://fastnetmon.com/docs/gobgp-integration/) for unicast IPv4 announcements (you will need to build support for this manually).
- Full integration with [Graphite](https://fastnetmon.com/docs/graphite_integration/) and [InfluxDB](https://fastnetmon.com/docs/influxdb_integration/)
- API (you need build support manually)
- API (you will need to build support for this manually)
- [Redis](https://fastnetmon.com/docs/redis/) integration
- [MongoDB](https://fastnetmon.com/docs/mongodb/) integration
- Deep packet inspection for attack traffic
- Deep Packet Inspection (DPI) for attack traffic
- netmap support (open source; wire speed processing; only Intel hardware NICs or any hypervisor VM type)
- SnabbSwitch support (open source, very flexible, LUA driven, very-very-very fast)
- Filter NetFlow v5 flows or sFLOW packets with LUA scripts (useful for excluding particular ports)
- Supports L2TP decapsulation, VLAN untagging and MPLS processing in mirror mode
- Works on server/soft-router
- Detects DoS/DDoS in as little as 1-2 seconds
- [Tested](https://fastnetmon.com/docs/performance_tests/) up to 10Gb with 12 Mpps on Intel i7 3820 with Intel NIC 82599
- Complete plugin support
- Captures attack fingerprints in PCAP format
- [Tested](https://fastnetmon.com/docs/performance_tests/) up to 10Gbps with 12Mpps on an Intel i7-3820 processor with an Intel 82599 NIC
- Complete plug-in support
- Capture attack fingerprints in PCAP format
- [Complete support](https://fastnetmon.com/docs/detected_attack_types/) for most popular attack types
Running Fastnetmon
------------------
### Supported platforms
- Linux (Debian 6/7/8/9, CentOS 6/7, Ubuntu 12.04, 14.04, 16.04)
- FreeBSD 9, 10, 11: [offciail port](https://www.freshports.org/net-mgmt/fastnetmon/).
- FreeBSD 9, 10, 11: [official port](https://www.freshports.org/net-mgmt/fastnetmon/).
- Mac OS X Yosemite (only 1.1.2 release)
### Supported architectures
- x86 64 bit (recommended)
- x86 32 bit
- x86 64-bit (recommended)
- x86 32-bit
### Hardware requirements
- At least 1 GB of RAM for compilation purposes
@ -80,27 +91,27 @@ Running Fastnetmon
### Distributions supported
- We are part of the [CloudRouter](https://cloudrouter.org/cloudrouter/2015/07/09/fastnetmon.html) distribution
- We are part in the [official FreeBSD ports collection](https://freshports.org/net-mgmt/fastnetmon/)
- We are part of the [official FreeBSD ports collection](https://freshports.org/net-mgmt/fastnetmon/)
- [Docker image](https://fastnetmon.com/fastnetmon-community-docker-install/)
- [Automatic install script for Debian/Ubuntu/CentOS/Fedora/Gentoo](https://fastnetmon.com/install/)
- [Automatic install script for Mac OS X](https://fastnetmon.com/fastnetmon-macos/)
- [Manual install on Slackware](https://fastnetmon.com/fastnetmon-community-slackware-install/)
- [Manual install for VyOS](https://fastnetmon.com/fastnetmon-community-install-on-vyos-1-1-5/)
- [Manual install on VyOS](https://fastnetmon.com/fastnetmon-community-install-on-vyos-1-1-5/)
Screenshoots
Screenshots
------------
Main program screenshot:
Main program:
![Main screen image](docs/images/fastnetmon_screen.png)
Example CPU load on Intel i7 2600 with Intel X540/82599 NIC at 400 kpps load:
Example CPU load on Intel i7-2600 with Intel X540/82599 NIC at 400Kpps load:
![Cpu consumption](docs/images/fastnetmon_stats.png)
Example deployment scheme:
![Network diagramm](docs/images/network_map.png)
Example of [notification email](https://fastnetmon.com/docs/attack_report_example/) about detected attack.
Example of [notification email](https://fastnetmon.com/docs/attack_report_example/) about detected attack:
Author: [Pavel Odintsov](http://uk.linkedin.com/in/podintsov/)

@ -1,24 +1,24 @@
#A10 Networks Thunder TPS Appliance Configs
# A10 Networks Thunder TPS Appliance Configs
##Base Config v1 Functionality
## Base Config v1 Functionality
1. Assumes TPS receives inbound traffic only (from the Internet to the protected service)
2. Rate Limiters (GLID) for 10gbps, 1gbps, and 100mbps provided for use
3. Basic TCP and UDP templates provided (syn-auth, UDP-auth, and low src port filter)
2. Rate Limiters (GLID) for 10Gbps, 1Gbps, and 100Mbps provided for use
3. Basic TCP and UDP templates provided (SYN-auth, UDP-auth, and low src port filter)
4. BGP configuration for auto mitigation announcements (ddos-advertise route map)
5. Base sFlow export configuration
6. All events logged in CEF format
##Basic Zone Config v1 Functionality
1. Filters L2, L3, L4 packet anomalies (consult A10 documentation for specifics
## Basic Zone Config v1 Functionality
1. Filters L2, L3, L4 packet anomalies (consult A10 documentation for specifics)
2. Drops ICMPv4, ICMPv6, and all fragments
3. Performs TCP SYN Auth for TCP dest ports 21,22,25,53,80,110,143,443,587,993,995,5060,5061
4. Filters well-known UDP SRC ports
4. Filters well-known UDP src ports
5. Performs UDP Auth for UDP dest port 53
6. blocks all other traffic
7. Creates a "incident" in the TPS GUI when seeing any packets to these dest ports.
6. Blocks all other traffic
7. Creates an "incident" in the TPS GUI when seeing any packets to these dest ports
## These are just examples. Current plugin does not receive rate info from FNM. Future revisions will
Author: Eric Chou ericc@a10networks.com, Rich Groves rgroves@a10networks.com
## These are just examples. Current plug-in does not receive rate info from FNM but future revisions will
Authors: Eric Chou ericc@a10networks.com, Rich Groves rgroves@a10networks.com
Feedback and Feature Requests are Appreciated and Welcomed.
Feedback and feature requests are appreciated and welcomed.

@ -1,4 +1,4 @@
##Sample Test Output
## Sample Test Output
```
echou@a10-ubuntu3:~/fastnetmon/src/a10_plugin/tests$ python helperTests.py

@ -2,15 +2,15 @@
.\" Contact pavel.odintsov@gmail.com to correct errors or typos.
.TH man 1 "04 Jun 2015" "1.1.2" "fastnetmon man page"
.SH NAME
FastNetMon \- a high performance DoS/DDoS load analyzer built on top of multiple packet capture
FastNetMon \- a high performance DoS/DDoS load analyzer built on top of multiple packet capture engines
.SH SYNOPSIS
fastnetmon [--daemonize]
.SH DESCRIPTION
FastNetMon - a high performance DoS/DDoS load analyzer built on top of multiple packet capture engines (NetFlow, IPFIX, sFLOW, netmap, PF_RING, PCAP).
For more information about configuration please look at comments in /etc/fastnetmon.conf and check GitHub page: https://github.com/pavel-odintsov/fastnetmon.
For more information about configuration, please look at the comments in /etc/fastnetmon.conf and check the project GitHub page: https://github.com/pavel-odintsov/fastnetmon.
.SH OPTIONS
The fastnetmon has only single command line option --daemonize which used for forking and detaching it from the terminal.
fastnetmon has only a single command line option --daemonize which is used for forking and detaching it from the terminal.
.SH SEE ALSO
fastnetmon_client(1)
.SH BUGS

@ -6,7 +6,7 @@ fastnetmon_client \- show information about top talkers and detected DDoS attack
.SH SYNOPSIS
fastnetmon_client
.SH DESCRIPTION
It's client interface for monitoring fastnetmon(1) DDoS detection toolkit.
Client interface for monitoring fastnetmon(1) DDoS detection toolkit.
.SH OPTIONS
No options here
.SH SEE ALSO

@ -0,0 +1,37 @@
MikroTik FastNetMon plug-in
===========
Overview
--------
Connects to a MikroTik router and adds or removes a blackhole rule for an attack by IP address.
The actions can be modified such as adding a firewall rule.
This script uses the MikroTik PHP API. More information about this can be found at the following URLs:
* http://www.mikrotik.com
* http://wiki.mikrotik.com/wiki/API_PHP_class
Installation
------------
#### Prerequisite
You must have a user with API access on the router
#### Process
1. Configure the router in the ```fastnetmon_mikrotik.php``` file
```
$cfg[ ip_mikrotik ] = "192.168.10.1"; // MikroTik Router IP
$cfg[ api_user ] = "api"; // username
$cfg[ api_pass ] = "api123"; // password
```
2. Change the ```notify_about_attack.sh``` with the new to run the PHP script
This is the first buggy version, you are welcome to add more features.
Changelog
---------
v1.0 - 4 Jul 16 - Initial version
Author: Maximiliano Dobladez info@mkesolutions.net
http://maxid.com.ar | http://www.mkesolutions.net

@ -1,34 +0,0 @@
Fastnetmon Plugin: MikroTik RouterOS PHP API integration for FastNetMon
This script connect to router MikroTik and add or remove a blackhole's rule for the IP attack.
You can modify the action, ex add a firewall rule, etc.
This script use PHP API for MikroTik:
* http://www.mikrotik.com
* http://wiki.mikrotik.com/wiki/API_PHP_class
v1.0 - 4 Jul 16 - initial version
Author: Maximiliano Dobladez info@mkesolutions.net
http://maxid.com.ar | http://www.mkesolutions.net
** instalation
* You must to have an user with API access on the router MikroTik.
* Set the router's config on fastnetmon_mikrotik.php file
$cfg[ ip_mikrotik ] = "192.168.10.1"; // IP Mikrotik Router
$cfg[ api_user ] = "api"; //user
$cfg[ api_pass ] = "api123"; //pass
* Change the notify_about_attack.sh file with the new to run the php script
**
This is the first buggy version, you are welcome to add more feature.

@ -1,4 +1,4 @@
### Here you could find nice scripts for subnet's collection from the BGP router server
### Here you can find some nice scripts for subnet's collection from the BGP route server
- Clone ExaBGP master's repository:
```bash
@ -19,5 +19,5 @@ chmod +x /usr/local/bin/bgp_network_retriever.py /usr/local/bin/bgp_network_coll
cd /usr/src/exabgp
env exabgp.log.level=DEBUG exabgp.daemon.user=root exabgp.tcp.bind="0.0.0.0" exabgp.tcp.port=179 exabgp.daemon.daemonize=false exabgp.daemon.pid=/var/run/exabgp.pid exabgp.log.destination=/var/log/exabgp.log exabgp /etc/exabgp_network_collector.conf
```
- Wait few minutes while all announces received (depends on router server size)
- Wait a few minutes while all route announcements are received (depends on router server size)
- Retrieve learned networks from database (/var/lib/bgp_network_collector.db): ```python /usr/local/bin/bgp_network_retriever.py```