FastNetMon - A high performance DoS/DDoS load analyzer built on top of multiple packet capture engines (NetFlow, IPFIX, sFLOW, SnabbSwitch, netmap, PF_RING, PCAP).
What can we do? We can detect hosts in our own network with a large amount of packets per second/bytes per second or flow per second incoming or outgoing from certain hosts. And we can call an external script which can notify you, switch off a server or blackhole the client.
License: GPLv2
Author: Pavel Odintsov pavel.odintsov at gmail.com Follow my Twitter
- Mailing list
- Roadmap
- Release Notes
- Chat: #fastnetmon at irc.freenode.net web client
- Please fill survey, we need your voice!
- Detailed reference in Russian: link
- NetFlow v5, v9
- IPFIX
- v4 (dev branch only), v5
- Port mirror/SPAN capture with PF_RING (with ZC/DNA mode support need license), SnabbSwitch, NETMAP and PCAP
You could look comparison table for all available packet capture engines.
- Complete BGP Flow Spec support, RFC 5575
- Can process incoming and outgoing traffic
- Can trigger block script if certain IP loads network with a large amount of packets/bytes/flows per second
- Thresholds could be configured in per subnet basis with hostgroups feature
- Could announce blocked IPs to BGP router with ExaBGP
- GoBGP integration for unicast IPv4 announces
- Full integration with Graphite and InfluxDB
- Redis integration
- MongoDB integration
- Deep packet inspection for attack traffic
- netmap support (open source; wire speed processing; only Intel hardware NICs or any hypervisor VM type)
- SnabbSwitch support (open source, very flexible, LUA driven, very-very-very fast)
- Could filter out NetFLOW v5 flows or sFLOW packets with script implemented in LUA (useful for port exclude)
- Supports L2TP decapsulation, VLAN untagging and MPLS processing in mirror mode
- Can work on server/soft-router
- Can detect DoS/DDoS in 1-2 seconds
- Tested up to 10GE with 12 Mpps on Intel i7 3820 with Intel NIC 82599
- Complete plugin support
- Could capture attack fingerprint in pcap format
- Have complete support for most popular attack types
- Linux (Debian 6/7/8, CentOS 6/7, Ubuntu 12+)
- FreeBSD 9, 10, 11
- Mac OS X Yosemite
- x86 64 bit (recommended)
- x86 32 bit
- We are part of CloudRouter distribution
- We are part of official FreeBSD ports, manual install
- Amazon AMI image
- VyOS based iso image with bundled FastNetMon
- Docker image
- Binary rpm packages for CentOS 6/7 and Fedora 21
- Automatic install script for Debian/Ubuntu/CentOS/Fedora/Gentoo
- Automatic install script for Mac OS X
- Manual install on Slackware
- Manual install for VyOS
What is "flow" in FastNetMon terms? It's one or multiple udp, tcp, icmp connections with unique src IP, dst IP, src port, dst port and protocol.
Main program screen image:
Example for cpu load on Intel i7 2600 with Intel X540/82599 NIC on 400 kpps load:
Example of notification email about detected attack.
To enable sFLOW simply specify IP of server with installed FastNetMon and specify port 6343. To enable netflow simply specify IP of server with installed FastNetMon and specify port 2055.
Why did we write this? Because we can't find any software for solving this problem in the open source world!
- We are looking for maintainer for Debian and Fedora/EPEL packages
- Test it!
- Share your experience
- Share your use cases
- Share your improvements
- Test it with different equipment
- Create feature requests