
Open source DDoS detection tool with BGP support - nuclearcatlb
https://fastnetmon.com/install/
======
j32ms
FastNetMon is a life saver. First installed it when there was no paid /
advanced version, just to blackhole hosts under attack. Then negotiated with
our upstream provider to have BGP Flowspec support, i.e. block specific types
of traffic.

Back then, UDP amplification attacks were the scariest of them all, and
FastNetMon was able to send Flowspec announcements to our upstream to block,
for instance, traffic to port UDP/53, which kept the host alive most of the
time.

------
pavel_odintsov
Thank you for sharing! I'm one of the FastNetMon authors and I will be happy
to answer any questions about it.

------
pushaaaaa
Hello! What kind of strategies do you use to detect false positives? What
advice would you give to avoid them?

~~~
pavel_odintsov
Thank you for the great question! Unfortunately, false positive alerts are a
pretty common problem. FastNetMon is a threshold / baseline based DDoS
detection engine and it requires pretty careful baseline calculation.

Typically, we recommend enabling InfluxDB metrics export for ~1 week (to cover
peak times in your region), you can do it this way:
[https://fastnetmon.com/docs/influxdb_integration/](https://fastnetmon.com/docs/influxdb_integration/)

After that, you can make a query to detect peak traffic for the packets per
second, bytes per second and flows per second metrics. Then you can multiply
these values by 2-3 (depending on your capacity) and use them as the baseline.

Also, it's very good to know the limits of your network. For example, if you
know that a router cannot handle more than 1M packets per second, then you need
to set the threshold well below it. And the most important thing is the amount
of spare capacity from your upstream. If you have only 10G of external capacity
utilised up to 90%, then your baseline should not exceed your spare capacity.
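The procedure in this answer (collect a week of metrics, take the per-metric peaks, multiply by 2-3, then cap the result by the router's packet rate limit and by the upstream's spare capacity) as a worked example. This is added illustration code, not FastNetMon's own code and not its configuration format: the weekly samples are constructed for one protected host, the 2.5x multiplier, the 80% router headroom and the metric names are my assumptions rather than anything stated in the thread, and mapping the resulting numbers onto FastNetMon's actual config keys is left to the reader.

```python
from dataclasses import dataclass

# Constructed weekly samples for one protected host, standing in for what a
# query over the InfluxDB metrics export would return:
# (day, hour, packets/s, megabits/s, flows/s). Values are invented.
SAMPLES = [
    ("mon", 3, 120_000, 420, 9_000),
    ("mon", 20, 400_000, 610, 21_000),   # weekday evening peak
    ("wed", 21, 380_000, 560, 18_500),
    ("sat", 22, 350_000, 590, 17_000),
]


@dataclass(frozen=True)
class Thresholds:
    pps: int
    mbps: int
    flows: int
    notes: tuple  # which caps, if any, overrode the multiplied baseline


def peak_metrics(samples):
    """The 'detect peak traffic' step: per-metric maximum over the window."""
    pps = max(s[2] for s in samples)
    mbps = max(s[3] for s in samples)
    flows = max(s[4] for s in samples)
    return pps, mbps, flows


def derive_thresholds(samples, multiplier=2.5, router_pps_limit=None,
                      router_headroom=0.8, upstream_capacity_mbps=None,
                      upstream_utilisation=0.0):
    """Peak x multiplier, then clamp by router limit and spare upstream capacity.

    multiplier (2-3 per the answer), router_headroom (assumed 80% of the
    router's rated pps) and the argument names are this example's assumptions.
    """
    peak_pps, peak_mbps, peak_flows = peak_metrics(samples)
    pps = round(peak_pps * multiplier)
    mbps = round(peak_mbps * multiplier)
    flows = round(peak_flows * multiplier)
    notes = []

    # "set the threshold well below" the router's packet rate limit
    if router_pps_limit is not None:
        cap = round(router_pps_limit * router_headroom)
        if pps > cap:
            pps, notes = cap, notes + ["pps capped by router limit"]

    # "baseline should not exceed your spare capacity" from the upstream
    if upstream_capacity_mbps is not None:
        spare = round(upstream_capacity_mbps
                      - upstream_capacity_mbps * upstream_utilisation)
        if mbps > spare:
            mbps, notes = spare, notes + ["mbps capped by spare upstream capacity"]

    return Thresholds(pps, mbps, flows, tuple(notes))


def exceeded(sample, thresholds):
    """Names of the metrics a single sample pushes over the threshold."""
    _, _, pps, mbps, flows = sample
    hits = []
    if pps > thresholds.pps:
        hits.append("pps")
    if mbps > thresholds.mbps:
        hits.append("mbps")
    if flows > thresholds.flows:
        hits.append("flows")
    return tuple(hits)


if __name__ == "__main__":
    # 10G upstream at 90% utilisation, router rated for 1M pps (answer's figures)
    t = derive_thresholds(SAMPLES, router_pps_limit=1_000_000,
                          upstream_capacity_mbps=10_000, upstream_utilisation=0.9)
    print(t)
    # Legitimate weekly peaks must stay below the thresholds ...
    for s in SAMPLES:
        print(s[:2], exceeded(s, t) or "ok")
    # ... while a constructed packet flood trips the pps threshold.
    print("flood", exceeded(("tue", 2, 900_000, 700, 5_000), t))
```

The two caps matter more than the multiplier: with 10G at 90% utilisation the spare capacity is 1G, so the bandwidth threshold is held at 1000 Mbps even though the 2.5x baseline would have been higher, and the `notes` field records that the cap, not the measured peak, decided the number. If a legitimate peak is already above the spare capacity the same function will flag it, which is the capacity problem the answer warns about rather than a detection bug.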

