Page 1: 2015 Q2 added to official FreeBSD ports PROJECT HISTORY · PROJECT HISTORY •2013 Q2 project founded •2013 Q3 mirror port support •2014 Q2 sFlow support •2014 Q3 Netflow 5,

PROJECT HISTORY

• 2013 Q2 project founded
• 2013 Q3 mirror port support
• 2014 Q2 sFlow support
• 2014 Q3 Netflow 5, 9 support
• 2015 Q1 IPFIX support
• 2015 Q2 added to official FreeBSD ports
• 2016 Q3 integration with A-10 Networks TPS
• 2017 Q1 integration with Radware Defense Flow
• 2017 Q3 added to Debian project
• 2017 Q4 added to Ubuntu project
• 2018 Q1 FastNetMon joined to WorksOnARM.com


KEY FEATURES

• Supports all types of volumetric attacks
• Does not require changes in your network
• Complete automation
• Lightning fast detection
• Software only solution
• BGP integration (BGP unicast and BGP flow spec)
• Support almost all possible traffic capture engines


SUPPORTED DISTRIBUTIONS

• Debian 8, 9, 10
• Ubuntu 16.04, 18.04
• RHEL 6, 7
• CentOS 6, 7
• FreeBSD 9, 10, 11
• Fedora
• Gentoo
• Cumulus Linux
• VyOS
• macOS


SUPPORTED ARCHITECTURES

• x86/32
• amd64
• ARM/ARM64
• PowerPC
• PowerPC 64
• Sparc64
• MIPS
• Alpha


SUPPORTED VENDORS


LIGHTNING FAST ATTACK DETECTION

• 2 seconds with mirror
• 4 seconds with sFlow
• 10-30 seconds with NetFlow/IPFIX


TRAFFIC CAPTURE BACKENDS

• sFlow v5 (switches)
• Netflow v5, v9, v10 (IPFIX), jFlow, cFlow (routers)
• SPAN/MIRROR (1GE, 10GE, 40GE)


SUPPORTED ATTACK TYPES

• NTP, DNS, SNMP, SSDP amplification
• TCP SYN/ACK/SYN-ACK floods
• UDP floods
• Reflection attacks


UNLIMITED SCALABILITY

• sFlow v5 – 1.2 Tbps*
• NetFlow – 2.2 Tbps*
• Mirror/SPAN – 80 GE*

*all numbers for single physical server


ACTIONS TRIGGERED FOR DETECTED ATTACK

• BGP Blackhole
• BGP flow spec, RFC 5575 (limited to only known reflection attack patterns)
• Slack notification
• Script call


EXTREMELY FAST DELIVERY

• Works on any VM or physical server
• Less than 15 minutes to install and configure FastNetMon on a new server!
• Learn almost all configuration automatically!


DETECTION LOGIC

Detection type:

• Threshold based (based on host's smoothed traffic)

THRESHOLD TYPES:

• USING TOTAL TRAFFIC

• USING TOTAL PPS RATE

• PER PROTOCOL

• PER SUBNET

• PER HOST
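As an added illustration (not FastNetMon's own code), the threshold check described on this slide in Python: per-host samples are averaged over a window the size of the deck's average_calculation_time, and each armed ban_for_* threshold from the deck's sample configuration is tested against that smoothed value rather than against a single one-second spike. HostCounters and check_host are names assumed here, and the sample traffic is constructed from the deck's syn_flood report figures.

```python
from collections import deque

# Thresholds taken from the deck's sample configuration: total pps/mbps/flows,
# per-protocol limits, and which of them actually arm a ban.
CONFIG = {
    "average_calculation_time": 5,            # seconds of smoothing per host
    "ban_for_pps": True, "threshold_pps": 20000,
    "ban_for_bandwidth": True, "threshold_mbps": 1000,
    "ban_for_flows": False, "threshold_flows": 3500,
    "ban_for_tcp_pps": False, "threshold_tcp_pps": 100000,
    "ban_for_udp_pps": False, "threshold_udp_pps": 100000,
}

class HostCounters:
    """Sliding window of per-second samples for one host; the detector
    works on the window average, not on any single one-second value."""
    def __init__(self, window):
        self.samples = deque(maxlen=window)

    def add(self, pps, mbps, flows, tcp_pps=0, udp_pps=0):
        self.samples.append({"pps": pps, "mbps": mbps, "flows": flows,
                             "tcp_pps": tcp_pps, "udp_pps": udp_pps})

    def smoothed(self, key):
        return sum(s[key] for s in self.samples) / len(self.samples)

def check_host(host, cfg=CONFIG):
    """Return the first armed threshold the smoothed traffic exceeds, or None.
    Order: total pps, total bandwidth, flows, then per-protocol pps."""
    checks = [("pps", "ban_for_pps", "threshold_pps"),
              ("mbps", "ban_for_bandwidth", "threshold_mbps"),
              ("flows", "ban_for_flows", "threshold_flows"),
              ("tcp_pps", "ban_for_tcp_pps", "threshold_tcp_pps"),
              ("udp_pps", "ban_for_udp_pps", "threshold_udp_pps")]
    for key, armed, limit in checks:
        if cfg[armed] and host.smoothed(key) > cfg[limit]:
            return key
    return None

# Constructed samples: one host at the deck's syn_flood report rates for the
# whole window, one host with a single one-second spike that smoothing absorbs.
attacked = HostCounters(CONFIG["average_calculation_time"])
for _ in range(5):
    attacked.add(pps=546475, mbps=250, flows=98926, tcp_pps=546475)

spiky = HostCounters(CONFIG["average_calculation_time"])
for pps in (500, 400, 60000, 450, 500):      # 5-second average is 12370 pps
    spiky.add(pps=pps, mbps=20, flows=100)

if __name__ == "__main__":
    print(check_host(attacked), check_host(spiky))
```

Note that the attacked host also exceeds threshold_flows, but with ban_for_flows = off that counter never arms a ban on its own.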


BETWEEN THE CLOUD AND NETWORK EQUIPMENT

• You could use FastNetMon together with precise filtering hardware (A-10 Networks, Radware, Palo-Alto Networks)

• You could use FastNetMon with your favourite DDoS filtering cloud

• You could use FastNetMon to isolate an attacked customer in a special network using BGP or BGP Flow Spec redirect


ATTACK AND TRAFFIC VISUALIZATION


RICH ATTACK REPORTS

IP: 10.10.10.221
Attack type: syn_flood
Initial attack power: 546475 packets per second
Peak attack power: 546475 packets per second
Attack direction: incoming
Attack protocol: tcp
Total incoming traffic: 245 mbps
Total outgoing traffic: 0 mbps
Total incoming pps: 99059 packets per second
Total outgoing pps: 0 packets per second
Total incoming flows: 98926 flows per second
Total outgoing flows: 0 flows per second
Average incoming traffic: 45 mbps
Average outgoing traffic: 0 mbps
Average incoming pps: 99059 packets per second
Average outgoing pps: 0 packets per second
Average incoming flows: 98926 flows per second
Average outgoing flows: 0 flows per second

Incoming ip fragmented traffic: 250 mbps
Outgoing ip fragmented traffic: 0 mbps
Incoming ip fragmented pps: 546475 packets per second
Outgoing ip fragmented pps: 0 packets per second
Incoming tcp traffic: 250 mbps
Outgoing tcp traffic: 0 mbps
Incoming tcp pps: 546475 packets per second
Outgoing tcp pps: 0 packets per second
Incoming syn tcp traffic: 250 mbps
Outgoing syn tcp traffic: 0 mbps
Incoming syn tcp pps: 546475 packets per second
Outgoing syn tcp pps: 0 packets per second
Incoming udp traffic: 0 mbps
Outgoing udp traffic: 0 mbps
Incoming udp pps: 0 packets per second
Outgoing udp pps: 0 packets per second
Incoming icmp traffic: 0 mbps
Outgoing icmp traffic: 0 mbps


Callback scripts

#!/usr/bin/env bash

# Called by FastNetMon with: $1 = IP, $2 = attack type, $3 = attack power (pps), $4 = action
email_notify="[email protected]"

if [ "$4" = "ban" ]; then
    # Attack details arrive on stdin when notify_script_pass_details is on
    cat | mail -s "FastNetMon Guard: IP $1 blocked because $2 attack with power $3 pps" "$email_notify"
    # You can add ban code here!
    exit 0
fi

if [ "$4" = "unban" ]; then
    # No details on stdin here
    # Unban actions if used
    exit 0
fi
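An added example (not the project's own script) that reproduces the callback contract from the slide above in Python, and parses the details that arrive on stdin in the layout of the RICH ATTACK REPORTS slide: $1..$4 are the IP, attack type, power in pps and the ban/unban action, and only the ban call carries a report on stdin. parse_report and handle_event are names assumed here, SAMPLE_REPORT is a constructed input, and the handler returns the notification text instead of calling mail.

```python
import re
import sys

# Constructed stdin, in the layout of the deck's attack report slide.
SAMPLE_REPORT = """\
IP: 10.10.10.221
Attack type: syn_flood
Initial attack power: 546475 packets per second
Peak attack power: 546475 packets per second
Attack direction: incoming
Attack protocol: tcp
Total incoming traffic: 245 mbps
Total outgoing traffic: 0 mbps
Incoming syn tcp pps: 546475 packets per second
"""

# "<number> <unit>" values become ints; anything else stays a string.
_NUMERIC = re.compile(r"^(\d+)\s+(packets per second|flows per second|mbps)$")

def parse_report(text):
    """Turn the 'Key: value' report into a dict keyed by lower_snake_case."""
    report = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower().replace(" ", "_")
        m = _NUMERIC.match(value)
        report[key] = int(m.group(1)) if m else value
    return report

def handle_event(ip, attack_type, power_pps, action, details):
    """Mirror the bash callback: 'ban' has details on stdin, 'unban' does not.
    Returns the message that would be mailed or logged, or None if the action
    is not one the script handles."""
    if action == "ban":
        report = parse_report(details)
        peak = report.get("peak_attack_power", power_pps)
        return (f"FastNetMon Guard: IP {ip} blocked because {attack_type} "
                f"attack with power {power_pps} pps (peak {peak} pps, "
                f"{report.get('attack_direction', '?')} "
                f"{report.get('attack_protocol', '?')})")
    if action == "unban":
        return f"FastNetMon Guard: IP {ip} unblocked"
    return None

if __name__ == "__main__":
    # argv layout matches the deck's script: ip, attack type, power, action
    ip, attack_type, power, action = sys.argv[1:5]
    print(handle_event(ip, attack_type, int(power), action, sys.stdin.read()))
```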


Whole configuration

logging:local_syslog_logging = off
logging:remote_syslog_logging = off
logging:remote_syslog_server = 10.10.10.10
logging:remote_syslog_port = 514
enable_ban = on
process_incoming_traffic = on
process_outgoing_traffic = on
ban_details_records_count = 500
ban_time = 1900
unban_only_if_attack_finished = on
enable_subnet_counters = off
networks_list_path = /etc/networks_list
white_list_path = /etc/networks_whitelist
check_period = 1
enable_connection_tracking = off
ban_for_pps = on
ban_for_bandwidth = on
ban_for_flows = off
threshold_pps = 20000
threshold_mbps = 1000
threshold_flows = 3500
threshold_tcp_mbps = 100000
threshold_udp_mbps = 100000
threshold_icmp_mbps = 100000
threshold_tcp_pps = 100000
threshold_udp_pps = 100000
threshold_icmp_pps = 100000
ban_for_tcp_bandwidth = off
ban_for_udp_bandwidth = off
ban_for_icmp_bandwidth = off
ban_for_tcp_pps = off
ban_for_udp_pps = off
ban_for_icmp_pps = off
mirror = off
pfring_sampling_ratio = 1
mirror_netmap = off
mirror_snabbswitch = off
mirror_afpacket = off
interfaces_snabbswitch = mac
netmap_sampling_ratio = 1
netmap_read_packet_length_from_ip_header = off
pcap = off
netflow = off
sflow = off
enable_pf_ring_zc_mode = off
interfaces = eth3,eth4
average_calculation_time = 5
average_calculation_time_for_subnets = 20
netflow_port = 2055
netflow_host = 0.0.0.0
netflow_sampling_ratio = 1
netflow_divide_counters_on_interval_length = off
sflow_port = 6343
sflow_host = 0.0.0.0
sflow_qinq_process = off
sflow_qinq_ethertype = 0x8100
notify_script_path = /usr/local/bin/notify_about_attack.sh
notify_script_pass_details = on
collect_attack_pcap_dumps = off
process_pcap_attack_dumps_with_dpi = off
redis_enabled = off
redis_port = 6379
redis_host = 127.0.0.1
redis_prefix = mydc1
mongodb_enabled = off
mongodb_host = localhost
mongodb_port = 27017
mongodb_database_name = fastnetmon
pfring_hardware_filters_enabled = off
exabgp = off
exabgp_command_pipe = /var/run/exabgp.cmd
exabgp_community = 65001:666
exabgp_next_hop = 10.0.3.114
exabgp_announce_host = on
exabgp_announce_whole_subnet = off
exabgp_flow_spec_announces = off
gobgp = off
gobgp_next_hop = 0.0.0.0
gobgp_announce_host = on
gobgp_announce_whole_subnet = off
graphite = off
graphite_host = 127.0.0.1
graphite_port = 2003
graphite_prefix = fastnetmon
monitor_local_ip_addresses = on
my_hosts_enable_ban = off
my_hosts_ban_for_pps = off
my_hosts_ban_for_bandwidth = off
my_hosts_ban_for_flows = off
my_hosts_threshold_pps = 20000
my_hosts_threshold_mbps = 1000
my_hosts_threshold_flows = 3500
pid_path = /var/run/fastnetmon.pid
cli_stats_file_path = /tmp/fastnetmon.dat
enable_api = off
sort_parameter = packets
max_ips_in_list = 7


Community

• GitHub: https://github.com/pavel-odintsov/fastnetmon
• IRC: #fastnetmon at FreeNode
• Telegram: https://t.me/fastnetmon
• Slack: http://bit.ly/2o5Idx8
• LinkedIN: https://www.linkedin.com/company/fastnetmon/
• Facebook: https://www.facebook.com/fastnetmon/
• Mail list: https://groups.google.com/forum/#!forum/fastnetmon


Thank you!