DDOS, IDS, RTBH, and Rate limiting

Pavel Odintsov pavel.odintsov at gmail.com
Thu Nov 20 21:36:07 UTC 2014


Hello, folks!

I'm author of fastnetmon, thank you for some PR for my toolkit :)

I use this tool for similar type of attacks and we do analyze all
traffic from uplinks ports using port mirroring. You can look at this
network diagram:
https://raw.githubusercontent.com/FastVPSEestiOu/fastnetmon/master/network_map.png

I tried to use netflow many years ago but it's not accurate enough and
not so fast enough and produce big overhead on middle class network
routers. It's because I wrote this tool and do every packet analyze.
It can detect attack in 2 seconds max and call BGP blackhole as quick
as thought.

It can detect three types of attacks:
1) Speed attack for certain IP (we ban every IP which exceed 1 Gbps)
2) Packet per second attack for certain IP (we ban every IP which
exceed 100 000 ppps)
3) And flow flood (very useful mode in networks with big bandwidth/pps
per client)

FastNetMon can handle 2-3 million of packets per second and ~20Gbps on
standard i7 2600 Linux box with Intel 82599 NIC.

If you need any help or suggestions you can email me directly or ask via GitHub.

Thank you!

-- 
Sincerely yours, Pavel Odintsov


More information about the NANOG mailing list