
Fastnetmon DDoS analyzer now available as an official Debian package - pavel_odintsov
https://packages.debian.org/sid/fastnetmon
======
rmoriz
[https://github.com/pavel-odintsov/fastnetmon#readme](https://github.com/pavel-odintsov/fastnetmon#readme)

"What can we do? We can detect hosts in our networks sending or receiving
large volumes of packets/bytes/flows per second. We can call an external
script to notify you, switch off a server, or blackhole the client.

…

Why did we write this? Because we can't find any software for solving this
problem in the open source world!

What is a "flow" in FastNetMon terms? It's one or multiple UDP, TCP, or ICMP
connections with unique src IP, dst IP, src port, dst port, and protocol."

~~~
jsmthrowaway
That’s a flow in general, and isn’t specific to FastNetMon.

~~~
aexaey
A flow is defined as a unidirectional sequence of packets with some common
properties that pass through a network device. [...] for example, flow records
include details such as IP addresses, packet and byte counts, timestamps, Type
of Service (ToS), application ports, input and output interfaces, etc.

From here:
[https://tools.ietf.org/html/rfc3954](https://tools.ietf.org/html/rfc3954)
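To make the README quote and the RFC 3954 definition concrete, here is an added example (not FastNetMon's own code) of the detection loop it describes: flow records keyed by the src IP, dst IP, src port, dst port, protocol 5-tuple are summed per local host and per direction into packets, megabits and unique flows per second, compared against per-host thresholds, and each offending host is handed to an action hook once. The thresholds, the network prefix, the flow records and the `Flow`/`aggregate`/`detect`/`act` names are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record: the 5-tuple plus its counters."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str      # "tcp", "udp" or "icmp"
    packets: int
    octets: int

    def key(self):
        # The 5-tuple that makes a flow unique in the README's definition.
        return (self.src, self.dst, self.sport, self.dport, self.proto)


# Per-host, per-second limits. Constructed for this example; FastNetMon's
# real defaults live in its configuration file and are not reproduced here.
THRESHOLDS = {"pps": 1000, "mbps": 1.0, "flows": 50}


def _empty():
    return {"pps": 0.0, "mbps": 0.0, "flows": 0.0}


def aggregate(flows, our_networks, window_seconds=1.0):
    """Sum packets, bits and unique flows per local host and direction.

    Only addresses inside our_networks are tracked, so a flood from many
    external sources shows up as one victim host with a large 'in' counter.
    Returns {host: {"in": counters, "out": counters}}.
    """
    nets = [ip_network(n) for n in our_networks]
    stats = defaultdict(lambda: {"in": _empty(), "out": _empty()})
    seen = defaultdict(set)          # (host, direction) -> set of flow keys
    for f in flows:
        for host, direction in ((f.src, "out"), (f.dst, "in")):
            if not any(ip_address(host) in n for n in nets):
                continue
            c = stats[host][direction]
            c["pps"] += f.packets / window_seconds
            c["mbps"] += f.octets * 8 / 1_000_000 / window_seconds
            if f.key() not in seen[(host, direction)]:
                seen[(host, direction)].add(f.key())
                c["flows"] += 1
    # 'flows' counted unique flows per window; normalise to per second.
    for host in stats:
        for direction in ("in", "out"):
            stats[host][direction]["flows"] /= window_seconds
    return dict(stats)


def detect(stats, thresholds=THRESHOLDS):
    """Return (host, direction, metric, value) for every exceeded threshold."""
    alerts = []
    for host, dirs in stats.items():
        for direction, c in dirs.items():
            for metric, limit in thresholds.items():
                if c[metric] > limit:
                    alerts.append((host, direction, metric, round(c[metric], 3)))
    return alerts


def act(alerts, action):
    """Invoke action(host) once per affected host (a notify/blackhole hook
    would go here). Returns the hosts acted on, in order."""
    acted = []
    for host, _direction, _metric, _value in alerts:
        if host not in acted:
            acted.append(host)
            action(host)
    return acted


def sample_flows():
    """Constructed one-second window: 60 small TCP flows from 60 different
    sources toward 203.0.113.10:80, plus normal traffic for 203.0.113.20.
    All addresses are RFC 5737 documentation ranges."""
    flows = [Flow(f"198.51.100.{i}", "203.0.113.10", 40000 + i, 80, "tcp", 40, 2400)
             for i in range(1, 61)]
    flows += [Flow("192.0.2.7", "203.0.113.20", 51515, 443, "tcp", 100, 120000),
              Flow("203.0.113.20", "192.0.2.7", 443, 51515, "tcp", 80, 90000)]
    return flows


if __name__ == "__main__":
    stats = aggregate(sample_flows(), ["203.0.113.0/24"])
    alerts = detect(stats)
    for a in alerts:
        print("ALERT", *a)
    act(alerts, lambda host: print("would run the notify script for", host))
```

Counting unique 5-tuples separately from packets is what lets the flows-per-second check catch a flood of tiny connections from many sources, which the packet and byte counters alone would rate as modest traffic; in the sample window the victim trips all three limits while the normally loaded host trips none.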

------
feld
And if you're on a FreeBSD box, just pkg install fastnetmon

Glad to see this software exists. Had to help build a poor man's version of it
at a previous job and it was half baked due to lack of time.

~~~
pavel_odintsov
Yes, thanks for highlighting it! :) The FreeBSD port has existed for ~2 years:
[https://www.freshports.org/net-mgmt/fastnetmon/](https://www.freshports.org/net-mgmt/fastnetmon/)

------
lqet
Is there any documentation on how to set this up fast and reliably on an existing
Debian server? The only thing I could find was this:
[https://fastnetmon.com/wp-content/uploads/2017/03/FastNetMon...](https://fastnetmon.com/wp-content/uploads/2017/03/FastNetMon-Advanced-install-guide-v1.pdf)

~~~
mtreis86
[https://github.com/pavel-odintsov/fastnetmon/blob/master/doc...](https://github.com/pavel-odintsov/fastnetmon/blob/master/docs/INSTALL.md)

~~~
pavel_odintsov
Thanks :)

------
pksadiq
Hi. I have a doubt regarding the license[0].

Aren't GPLv2 and Apache v2 licenses incompatible? How can they co-exist in the
same project? (The copyright file says GPLv2, or is it GPLv2+?)

[0] [http://metadata.ftp-master.debian.org/changelogs/main/f/fast...](http://metadata.ftp-master.debian.org/changelogs/main/f/fastnetmon/fastnetmon_1.1.3+dfsg-1_copyright)

~~~
pavel_odintsov
I think that we do not have Apache licensed code in the project, it's just a
protocol description for protobuf: [https://github.com/pavel-odintsov/fastnetmon/blob/2005b4e94e...](https://github.com/pavel-odintsov/fastnetmon/blob/2005b4e94e5af628b95d3102384c2a792da34046/src/actions/gobgp_api_client.proto)

And it's not used by the version available in Debian repositories at all (just
some experiments).

The project itself is licensed strictly in terms of GPLv2 (not GPLv2+).

~~~
pavel_odintsov
After a short conversation with the GoBGP project they re-licensed this file under BSD
terms:
[https://github.com/osrg/gobgp/issues/1384](https://github.com/osrg/gobgp/issues/1384)

We will update proto file to this version in FastNetMon soon! :)

------
majke
I wonder if [https://fastnetmon.com/](https://fastnetmon.com/) and DOTS [1]
are roughly the same thing?

[1]
[https://datatracker.ietf.org/wg/dots/about/](https://datatracker.ietf.org/wg/dots/about/)

~~~
pavel_odintsov
FastNetMon does not implement DOTS yet. Instead, we support API for scrubbing
centres/boxes directly.

~~~
bogomipz
Are there some good open source scrubbing center projects you might be able to
recommend?

Also might you have any resources or links to how these scrubbing services are
implemented, what heuristics they use etc?

I understand the front end of DDOS mitigation i.e netflows, BGP communities
and RTBH, and GRE tunnels to the scrubbing centers. However the details of how
the scrubbing centers works is something of a mystery to me.

When looking at any of the big DDOS provider's literature, the scrubbing
centers are mostly just opaque boxes with little documentation on how they
actually work.

~~~
pavel_odintsov
You could consider this thing [https://github.com/luigirizzo/netmap-ipfw](https://github.com/luigirizzo/netmap-ipfw)

~~~
bogomipz
Thanks, unfortunately the documentation about the project is rather scant.

~~~
pavel_odintsov
You could read my blog post about it instead:
[https://translate.google.com/translate?hl=en&sl=ru&tl=en&u=h...](https://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fwww.stableit.ru%2F2015%2F03%2Flinux-netmap-ipfw.html)

It's in Russian but Google Translate crashes language barriers! :)

~~~
bogomipz
Thanks! This is helpful. I like your blog name, I'm assuming that translation
is correct :)

------
fulafel
What's generally the state of the art in open source home/small office network
monitoring? I would like to know and query/audit communication patterns of my
devices. While maintaining privacy -> no cloud based commercial products.

~~~
_e
Check out pfsense ([https://www.pfsense.org/](https://www.pfsense.org/)) along
with the following books:

Practice of Network Security Monitoring -
[https://www.nostarch.com/nsm](https://www.nostarch.com/nsm)

& Tao of Network Security - [http://www.informit.com/store/tao-of-network-security-monito...](http://www.informit.com/store/tao-of-network-security-monitoring-beyond-intrusion-9780321246776)

~~~
fulafel
Thanks. Sounds pretty hard if you're not a networking expert, and just have a
cable modem plus wifi box. There's definitely a space for an easy to install
solution here. Raspberry Pi based perhaps?

------
pavel_odintsov
Btw, we have the channel at Freenode! Join us: #fastnetmon at
irc.freenode.net! :)

------
m00dy
I'm looking for the same solution for syscalls. Therefore, we can detect
malicious processes. Isn't that cool?

~~~
pavel_odintsov
I tried to play with slightly similar idea previously:
[https://github.com/FastVPSEestiOu/Antidoto](https://github.com/FastVPSEestiOu/Antidoto)
but decided to keep my eyes on DDoS mitigation only.

