DDOS, IDS, RTBH, and Rate limiting

Data Zone datazone at gmail.com
Fri Nov 21 01:07:01 UTC 2014


What happens when someone spoofs legitimate hosts that your customers use?

On Thu, Nov 20, 2014 at 3:36 PM, Pavel Odintsov <pavel.odintsov at gmail.com>
wrote:

> Hello, folks!
>
> I'm author of fastnetmon, thank you for some PR for my toolkit :)
>
> I use this tool for similar type of attacks and we do analyze all
> traffic from uplinks ports using port mirroring. You can look at this
> network diagram:
>
> https://raw.githubusercontent.com/FastVPSEestiOu/fastnetmon/master/network_map.png
>
> I tried to use netflow many years ago but it's not accurate enough and
> not so fast enough and produce big overhead on middle class network
> routers. It's because I wrote this tool and do every packet analyze.
> It can detect attack in 2 seconds max and call BGP blackhole as quick
> as thought.
>
> It can detect three types of attacks:
> 1) Speed attack for certain IP (we ban every IP which exceed 1 Gbps)
> 2) Packet per second attack for certain IP (we ban every IP which
> exceed 100 000 ppps)
> 3) And flow flood (very useful mode in networks with big bandwidth/pps
> per client)
>
> FastNetMon can handle 2-3 million of packets per second and ~20Gbps on
> standard i7 2600 Linux box with Intel 82599 NIC.
>
> If you need any help or suggestions you can email me directly or ask via
> GitHub.
>
> Thank you!
>
> --
> Sincerely yours, Pavel Odintsov
>


More information about the NANOG mailing list