View
3
Download
0
Category
Preview:
Citation preview
PROJECT HISTORY
• 2013 Q2 project founded• 2013 Q3 mirror port support • 2014 Q2 sFlow support• 2014 Q3 Netflow 5, 9 support• 2015 Q1 IPFIX support • 2015 Q2 added to official FreeBSD ports• 2016 Q3 integration with A-10 Networks TPS• 2017 Q1 integration with Radware Defense Flow• 2017 Q3 added to Debian project• 2017 Q4 added to Ubuntu project• 2018 Q1 FastNetMon joined to WorksOnARM.com
KEY FEATURES
• Supports all types of volumetric attacks • Does not require changes in your network• Complete automation• Lightning fast detection• Software only solution• BGP integration (BGP unicast and BGP flow spec)• Support almost all possible traffic capture engines
SUPPORTED DISTRIBUTIONS
• Debian 8, 9, 10 • Ubuntu 16.04, 18.04• RHEL 6, 7• CentOS 6, 7• FreeBSD 9, 10, 11• Fedora• Gentoo• Cumulus Linux • VyOS• macOS
SUPPORTED ARCHITECTURES
• x86/32• amd64• ARM/ARM64• PowerPC• PowerPC 64• Sparc64• MIPS• Alpha
SUPPORTED VENDORS
LIGHTNING FAST ATTACK DETECTION
•2 seconds with mirror•4 seconds with sFlow•10-30 seconds with NetFlow/IPFIX
TRAFFIC CAPTURE BACKENDS
• sFlow v5 (switches)•Netflow v5, v9, v10 (IPFIX), jFlow, cFlow (routers)•SPAN/MIRROR (1GE, 10GE, 40GE)
SUPPORTED ATTACK TYPES
• NTP, DNS, SNMP, SSDP amplification• TCP SYN/ACK/SYN-ACK floods• UDP floods• Reflection attacks
UNLIMITED SCALABILITY
• sFlow v5 – 1.2 Tbps*•NetFlow – 2.2 Tbps*•Mirror/SPAN – 80 GE*
*all numbers for single physical server
ACTIONS TRIGGERED FOR DETECTED ATTACK
• BGP Blackhole• BGP flow spec, RFC 5575 (limited to only known reflection attack
patterns)• Slack notification• Script call
EXTREMELY FAST DELIVERY
• Works on any VM or physical server• Less then 15 minutes to install and configure FastNetMon on new
server!• Learn almost all configuration automatically!
DETECTION LOGIC
Detection type:• Threshold based (based on host’s smoothed traffic)
THRESHOLD TYPES:
• USING TOTAL TRAFFIC
• USING TOTAL PPS RATE
• PER PROTOCOL
• PER SUBNET
• PER HOST
BETWEEN THE CLOUD AND NETWORK EQUIPMENT
• You could use FastNetMon together with precise filtering hardware (A-10 Networks, Radware, Palo-Alto Networks)
• You could use FastNetMon with your favourite DDoS filtering cloud
• You could use FastNetMon to isolate attacked customer in special network using BGP or BGP or BGP Flow Spec redirect
ATTACK AND TRAFFIC VISUALIZATION
RICH ATTACK REPORTS
IP: 10.10.10.221Attack type: syn_floodInitial attack power: 546475 packets per secondPeak attack power: 546475 packets per secondAttack direction: incomingAttack protocol: tcpTotal incoming traffic: 245 mbpsTotal outgoing traffic: 0 mbpsTotal incoming pps: 99059 packets per secondTotal outgoing pps: 0 packets per secondTotal incoming flows: 98926 flows per secondTotal outgoing flows: 0 flows per secondAverage incoming traffic: 45 mbpsAverage outgoing traffic: 0 mbpsAverage incoming pps: 99059 packets per secondAverage outgoing pps: 0 packets per secondAverage incoming flows: 98926 flows per secondAverage outgoing flows: 0 flows per second
Incoming ip fragmented traffic: 250 mbpsOutgoing ip fragmented traffic: 0 mbpsIncoming ip fragmented pps: 546475 packets per secondOutgoing ip fragmented pps: 0 packets per secondIncoming tcp traffic: 250 mbpsOutgoing tcp traffic: 0 mbpsIncoming tcp pps: 546475 packets per secondOutgoing tcp pps: 0 packets per secondIncoming syn tcp traffic: 250 mbpsOutgoing syn tcp traffic: 0 mbpsIncoming syn tcp pps: 546475 packets per secondOutgoing syn tcp pps: 0 packets per secondIncoming udp traffic: 0 mbpsOutgoing udp traffic: 0 mbpsIncoming udp pps: 0 packets per secondOutgoing udp pps: 0 packets per secondIncoming icmp traffic: 0 mbpsOutgoing icmp traffic: 0 mbps
Callback scripts
#!/usr/bin/env bash
email_notify="noc@please-deploy-ipv6.co.uk"
if [ "$4" = "ban" ]; then cat | mail -s "FastNetMon Guard: IP $1 blocked because $2 attack with power $3 pps" $email_notify; # You can add ban code here! exit 0fi
if [ "$4" = "unban" ]; then # No details on stdin here # Unban actions if used exit 0fi
Whole configurationlogging:local_syslog_logging = offlogging:remote_syslog_logging = offlogging:remote_syslog_server = 10.10.10.10logging:remote_syslog_port = 514enable_ban = onprocess_incoming_traffic = onprocess_outgoing_traffic = onban_details_records_count = 500ban_time = 1900unban_only_if_attack_finished = onenable_subnet_counters = offnetworks_list_path = /etc/networks_listwhite_list_path = /etc/networks_whitelistcheck_period = 1enable_connection_tracking = offban_for_pps = onban_for_bandwidth = onban_for_flows = offthreshold_pps = 20000threshold_mbps = 1000threshold_flows = 3500threshold_tcp_mbps = 100000threshold_udp_mbps = 100000threshold_icmp_mbps = 100000threshold_tcp_pps = 100000threshold_udp_pps = 100000threshold_icmp_pps = 100000ban_for_tcp_bandwidth = offban_for_udp_bandwidth = offban_for_icmp_bandwidth = offban_for_tcp_pps = offban_for_udp_pps = off
ban_for_icmp_pps = offmirror = offpfring_sampling_ratio = 1mirror_netmap = offmirror_snabbswitch = offmirror_afpacket = offinterfaces_snabbswitch = macnetmap_sampling_ratio = 1netmap_read_packet_length_from_ip_header = offpcap = offnetflow = offsflow = offenable_pf_ring_zc_mode = offinterfaces = eth3,eth4average_calculation_time = 5average_calculation_time_for_subnets = 20netflow_port = 2055netflow_host = 0.0.0.0netflow_sampling_ratio = 1netflow_divide_counters_on_interval_length = offsflow_port = 6343sflow_host = 0.0.0.0sflow_qinq_process = offsflow_qinq_ethertype = 0x8100notify_script_path = /usr/local/bin/notify_about_attack.shnotify_script_pass_details = oncollect_attack_pcap_dumps = offprocess_pcap_attack_dumps_with_dpi = offredis_enabled = offredis_port = 6379redis_host = 127.0.0.1redis_prefix = mydc1
mongodb_enabled = offmongodb_host = localhostmongodb_port = 27017mongodb_database_name = fastnetmonpfring_hardware_filters_enabled = offexabgp = offexabgp_command_pipe = /var/run/exabgp.cmdexabgp_community = 65001:666exabgp_next_hop = 10.0.3.114exabgp_announce_host = onexabgp_announce_whole_subnet = offexabgp_flow_spec_announces = offgobgp = offgobgp_next_hop = 0.0.0.0gobgp_announce_host = ongobgp_announce_whole_subnet = offgraphite = offgraphite_host = 127.0.0.1graphite_port = 2003graphite_prefix = fastnetmonmonitor_local_ip_addresses = onmy_hosts_enable_ban = offmy_hosts_ban_for_pps = offmy_hosts_ban_for_bandwidth = offmy_hosts_ban_for_flows = offmy_hosts_threshold_pps = 20000my_hosts_threshold_mbps = 1000my_hosts_threshold_flows = 3500pid_path = /var/run/fastnetmon.pidcli_stats_file_path = /tmp/fastnetmon.datenable_api = offsort_parameter = packetsmax_ips_in_list = 7
Community
• GitHub: https://github.com/pavel-odintsov/fastnetmon• IRC: #fastnetmon at FreeNode• Telegram: https://t.me/fastnetmon • Slack: http://bit.ly/2o5Idx8 • LinkedIN: https://www.linkedin.com/company/fastnetmon/ • Facebook: https://www.facebook.com/fastnetmon/ • Mail list: https://groups.google.com/forum/#!forum/fastnetmon
Thank you!
Recommended