
FastNetMon – very fast DDoS analyzer - snehesht
https://github.com/pavel-odintsov/fastnetmon
======
ryanlol
>What can we do? We can detect hosts in our networks sending or receiving
large volumes of packets/bytes/flows per second. We can call an external
script to notify you, switch off a server, or blackhole the client.

Watch out when implementing this stuff, it goes wrong way too often. At this
point I have a hard time not literally screaming at DC techs when my servers get
suspended for "UDP flooding"[1] each other.

[1] Otherwise known as OpenVPN

------
pavel_odintsov
Btw, I recommend using the project's site, it's many times more informative than
the GitHub repository: [https://fastnetmon.com](https://fastnetmon.com)

~~~
oneeyedpigeon
Bizarrely, that site disables not only my trackpad for scrolling, but also my
cursor keys. I have to drag my pointer over to the scrollbar and move the page
that way, like it's 1995.

~~~
pavel_odintsov
We are working on it, will fix soon!

~~~
zzzcpan
While you are at it, maybe make it work without javascript as well? Not
everyone has it enabled for untrusted web sites, especially here.

~~~
pavel_odintsov
Sorry, it's very-very complicated to get it working without javascript.

------
rmdoss
That's from a CloudFlare DNS Engineer -- someone that knows and likely handles
DDoS on a daily basis.

~~~
zzzcpan
That was before cloudflare. But good to know he works there now.

~~~
pavel_odintsov
Correct, I'm DNS guy right now :)

~~~
jedisct1
Congrats, Pavel!

~~~
pavel_odintsov
Thanks!

------
topranks
Looks very nice. At my last place one of the engineers made something similar
based on netflow and it worked really well, integrated with FlowSpec for
mitigation.

Might give it a look.... even the screenshot of the real time top talkers
looks like something interesting for the NOC to have up.

------
djfergus
Impressive performance and integration. What proprietary products is this
disrupting?

~~~
djkrul
None, but it's a nice alternative for those on a small budget who would
otherwise have nothing at all.

~~~
djfergus
Ok, so what's missing? What does the company that bridges that gap look like?

"This personal computer looks like a nice alternative for companies with a
small budget for a mainframe who would otherwise have nothing at all"

~~~
djkrul
FastNetMon is kind of a hammer: inbound traffic to $x is exceeding bps or pps
threshold -> trigger mitigation for $x (i.e. a remote blackhole). This is
generally good enough to defend against the least sophisticated and most
common attacks such as NTP, SSDP, DNS amplification attacks. Then there's a
long tail of other attack types that are not volumetric in nature and are more
difficult to detect. That's a big part of what you pay for when you buy a
commercial solution.

Then once an attack has been identified you want to specify mitigation
policies: Customer A gets full mitigation, but customer B needs to be
blackholed instead. If an attack is smaller than 10Gbps you want to simply
insert some flowspec rules into your edge routers, but if the attack pattern
is too random you will have to redirect a /32 to a specialized scrubbing
device instead. Larger attacks you might want to announce through a DDoS
protection service so you announce the /24 containing that IP address to your
DDoS protection service to reduce bandwidth on your own uplinks, and so on. I
could go on, I hope you get the idea :)

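As an added example (not FastNetMon's code and not from any commenter), the two-stage logic djkrul describes: a threshold "hammer" over constructed per-host inbound counters, then a policy step that picks flowspec, a /32 redirect to a scrubbing device, a /24 announcement to a DDoS protection service, or a blackhole. The thresholds, prefixes, policy table and counter values are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed one-second inbound counters per destination host: (dst, bytes, packets).
SAMPLE_COUNTERS = [
    ("203.0.113.10", 1_500_000_000, 1_200_000),  # ~12 Gbit/s: too big for edge flowspec
    ("203.0.113.20", 250_000_000, 3_000_000),    # ~2 Gbit/s but 3 Mpps: small-packet flood
    ("203.0.113.30", 20_000_000, 15_000),        # ordinary traffic, below both thresholds
    ("198.51.100.5", 600_000_000, 500_000),      # ~4.8 Gbit/s at a blackhole-only customer
]

# Constructed per-customer policy: covering prefix -> "full" mitigation or "blackhole".
CUSTOMER_POLICY = {
    ip_network("203.0.113.0/24"): "full",
    ip_network("198.51.100.0/24"): "blackhole",
}


@dataclass
class Attack:
    target: str
    bps: float
    pps: float
    random_pattern: bool = False  # True when no stable signature fits a flowspec match


def detect(counters, bps_threshold=1e9, pps_threshold=100_000):
    """Stage one, the hammer: flag every host exceeding either the bps or the pps threshold."""
    hits = []
    for dst, nbytes, npackets in counters:
        bps, pps = nbytes * 8, npackets
        if bps >= bps_threshold or pps >= pps_threshold:
            hits.append(Attack(dst, bps, pps))
    return hits


def choose_mitigation(attack, policy=CUSTOMER_POLICY, flowspec_limit_bps=10e9):
    """Stage two: map a detected attack to an action under the customer's policy."""
    addr = ip_address(attack.target)
    host = ip_network(f"{addr}/32")
    # Unknown customers fall back to blackholing (assumed default for this example).
    mode = next((m for net, m in policy.items() if addr in net), "blackhole")
    if mode == "blackhole":
        return ("blackhole", str(host))                     # RTBH announcement for the /32
    if attack.bps >= flowspec_limit_bps:
        covering = ip_network(f"{addr}/24", strict=False)
        return ("announce_to_ddos_service", str(covering))  # offload the whole /24 upstream
    if attack.random_pattern:
        return ("redirect_to_scrubber", str(host))          # no usable signature: divert /32
    return ("flowspec", str(host))                          # small and matchable: edge rules


def plan(counters=SAMPLE_COUNTERS):
    """Run both stages and return {target: (action, prefix)} for every flagged host."""
    return {a.target: choose_mitigation(a) for a in detect(counters)}
```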
~~~
djfergus
Got it thanks. Interesting. So do the usual router suspects (Cisco, Juniper
etc) own this market? Does Google/AWS roll their own solutions? Any
interesting startups taking them on?

~~~
lafay
Arbor Networks (now part of Netscout) is the incumbent in this area. Kentik is
the disruptive SaaS-based startup.

~~~
pavel_odintsov
Radware, Nsfocus, A10 Networks also here.

------
bawana
is there anything like this for windows?? (please don't hate me)

~~~
pavel_odintsov
You could run FastNetMon on Windows 10 with a Linux environment and Docker. We
have happy users with such an install :)

------
vicentedeluca
+1 happy user here

~~~
pavel_odintsov
Thanks Vicente!

