FastNetMon – A high performance DoS/DDoS load analyzer built on top of multiple packet capture engines (NetFlow, IPFIX, sFLOW, netmap, PF_RING, PCAP).
What can we do? We can detect hosts in our own network with a large amount of packets per second/bytes per second or flow per second incoming or outgoing from certain hosts. And we can call an external script which can notify you, switch off a server or blackhole the client.
Supported packet capture engines:
- NetFlow v5, v9
- Port mirror/SPAN capture with PF_RING (with ZC/DNA mode support need license), NETMAP and PCAP
You could look comparison table for all available packet capture engines.
- Can process incoming and outgoing traffic
- Can trigger block script if certain IP loads network with a large amount of packets/bytes/flows per second
- Could announce blocked IPs to BGP router with ExaBGP
- Have integration with Graphite
- netmap support (open source; wire speed processing; only Intel hardware NICs or any hypervisor VM type)
- Supports L2TP decapsulation, VLAN untagging and MPLS processing in mirror mode
- Can work on server/soft-router
- Can detect DoS/DDoS in 1-2 seconds
- Tested up to 10GE with 5-6 Mpps on Intel i7 2600 with Intel Nic 82599
- Complete plugin support
- Have complete support for most popular attack types
- Linux (Debian 6/7/8, CentOS 6/7, Ubuntu 12+)
- FreeBSD 9, 10, 11
- Mac OS X Yosemite
What is “flow” in FastNetMon terms? It’s one or multiple udp, tcp, icmp connections with unique src IP, dst IP, src port, dst port and protocol.
Main program screen image:
Example of notification email about detected attack.
To enable sFLOW simply specify IP of server with installed FastNetMon and specify port 6343. To enable netflow simply specify IP of server with installed FastNetMon and specify port 2055.