Special thanks to Pavel Odintsov for providing much of the content for this blog.
CloudRouter distributes FastNetMon, a high performance DoS/DDoS load analyzer built on top of multiple packet capture engines, including NetFlow, IPFIX, sFLOW, netmap, PF_RING, and PCAP. FastNetMon is distributed under the GPLv2 license. The project is led by Pavel Odintsov, CTO at FastVPS in beautiful Saint Petersburg, Russia.
FastNetMon detects hosts in a network with a large amount of packets per second/bytes per second or flow per second incoming or outgoing from certain hosts. It can call an external script to notify people or automate an action such as switching off a server or moving the client to a blackhole.
Pavel developer FastNetMon after searching for an open source solution to use at his company FastVPS. Since a suitable project didn’t already exist, Pavel started his own.
A typical deployment of FastNetMon is shown in the network map below.
- Process incoming and outgoing traffic
- Trigger block script if certain IP loads network with a large amount of packets/bytes/flows per second
- Announce blocked IPs to BGP router with ExaBGP
- Integration with Graphite
- netmap support (open souce; wire speed processing; only Intel hardware NICs or any hypervisor VM type)
- Support for L2TP decapsulation, VLAN untagging, and MPLS processing in mirror mode
- Detection of DoS/DDoS in 1-2 seconds
- Tested at 10GigE with 12Mpps on Intel i7 3820 with Intel NIC 82599
- Complete plugin support
- Have complete support for most popular attack types
A view of the traffic dashboard for FastNetMon is shown below.
The next screen shows a mitigated attack in real-time.
The main program screen is shown below.
A flow refers to one or multiple udp, tcp, icmp connections with unique src IP, dst IP, src port, dst port, and protocol.
Example CPU load on Intel i72600 with Intel X540/82599 NIC on 400kpps load:
At CloudRouter, we put a lot of focus on security. We harden key open source components such as the BIRD route server and use a dedicated Nitrokey signing server with a hardware security module (HSM). Ultimately, the strength of the CloudRouter distribution comes from great open source projects like FastNetMon. Thanks Pavel for all your work.