bccc10d50d
Added support for host addresses in whitelist. Closes #682 |
||
---|---|---|
.github | ||
debian | ||
docs | ||
src | ||
.gitignore | ||
.travis.yml | ||
HAPPY_CUSTOMERS.md | ||
LICENSE | ||
README.md | ||
THANKS.md |
Community Edition
FastNetMon - A high performance DoS/DDoS load analyzer built on top of multiple packet capture engines (NetFlow, IPFIX, sFlow, SnabbSwitch, netmap, PF_RING, PCAP).
What do we do?
We detect hosts in the deployed network sending or receiving large volumes of traffic, packets/bytes/flows, per second and perform a configurable action to handle that event. These configurable actions include notifying you, switching off the server, or blackholing the client.
What is a "flow" in FastNetMon terms? It's one or more ICMP, UDP, or TCP connections with can be identified by via its unique src IP, dst IP, src port, dst port, and protocol usage.
Integration with flow systems
At a very high level integration with FastNetMon is fairly simple. In both cases the work flow is the same and the main difference being the port numbers provided. The port numbers are configurable.
sFlow
Configure the IP of the server running FastNetMon using port 6343. This port number is configurable.
Netflow
Configure the IP of the server running FastNetMon using port 2055. This port number is configurable.
License: GPLv2
Official mirror at GitLab
Project
- Official site
- Mailing list
- Slack
- FastNetMon Advanced, Commercial Edition
- If you want add an idea
- Chat: #fastnetmon at irc.freenode.net web client
- Detailed reference in Russian: link
Supported packet capture engines
- NetFlow v5, v9
- IPFIX
- v4 (since 1.1.3), v5
- Port mirror/SPAN capture with PF_RING (with ZC/DNA mode support need license), SnabbSwitch, NETMAP and PCAP
You can check out the comparison table for all available packet capture engines.
Complete integration with the following vendors
- A10 Networks Thunder TPS Appliance integration
- MikroTik RouterOS Please use only recent versions of RouterOS!
Features
- Complete BGP Flow Spec support, RFC 5575
- Process and distinguish incoming and/or outgoing traffic
- Trigger block/notify script if an IP exceeds defined thresholds for packets/bytes/flows per second
- Thresholds can be configured per-subnet with the hostgroups feature
- Announce blocked IPs via BGP to routers with ExaBGP
- GoBGP integration for unicast IPv4 announcements (you will need to build support for this manually).
- Full integration with Graphite and InfluxDB
- API (you will need to build support for this manually)
- Redis integration
- MongoDB integration
- Deep Packet Inspection (DPI) for attack traffic
- netmap support (open source; wire speed processing; only Intel hardware NICs or any hypervisor VM type)
- SnabbSwitch support (open source, very flexible, LUA driven, very-very-very fast)
- Filter NetFlow v5 flows or sFLOW packets with LUA scripts (useful for excluding particular ports)
- Supports L2TP decapsulation, VLAN untagging and MPLS processing in mirror mode
- Works on server/soft-router
- Detects DoS/DDoS in as little as 1-2 seconds
- Tested up to 10Gbps with 12Mpps on an Intel i7-3820 processor with an Intel 82599 NIC
- Complete plug-in support
- Capture attack fingerprints in PCAP format
- Complete support for most popular attack types
Running Fastnetmon
Supported platforms
- Linux (Debian 6/7/8/9, CentOS 6/7, Ubuntu 12.04, 14.04, 16.04)
- FreeBSD 9, 10, 11: official port.
- Mac OS X Yosemite (only 1.1.2 release)
Supported architectures
- x86 64-bit (recommended)
- x86 32-bit
Hardware requirements
- At least 1 GB of RAM for compilation purposes
Router integration instructions
Distributions supported
- We are part of the CloudRouter distribution
- We are part of the official FreeBSD ports collection
- Docker image
- Automatic install script for Debian/Ubuntu/CentOS/Fedora/Gentoo
- Automatic install script for Mac OS X
- Manual install on Slackware
- Manual install on VyOS
Screenshots
Main program:
Example CPU load on Intel i7-2600 with Intel X540/82599 NIC at 400Kpps load:
Example of notification email about detected attack:
Author: Pavel Odintsov