How to detect & mitigate (D)DoS Attacks using FastNetMon




Recently I was researching a lot on the various denial-of-service attacks and how to mitigate them from Layer 1 to 7, and as always the most convenient way to stop any attack is keeping the bad requests/traffic away from your services starting from the lowest layers of the ISO/OSI model.

Realistically, the only ways to prevent DDoS attacks are:

a) Layer 3-4 mitigation with BGP/cloud scrubbing (sending all your network traffic via BGP or 'sophisticated' VPNs to third-party POPs and delegating attack mitigation to them).

Before you even think of option d), watch this:



Cool, but how do I detect attacks? Well, if you have $$ and only trust enterprise stuff, grab that 500+ grand network box and put it in front of your DC... whereas if you are an open-source guy you can go for FastNetMon (by Pavel Odintsov) and set up your own anti-DDoS detection/mitigation solution.


What is FastNetMon?

FastNetMon is a DDoS analyzer that lets you detect attacks or suspicious traffic in near real time (example: VPS X is compromised and starts a SYN flood against outbound networks: detected and alerted by FNM). FNM isn't just a
detection tool but also helps to mitigate attacks: after the ban rule is triggered a bash script is executed (and there is a lot of 'extra' stuff it can do: Slack webhooks, keeping track of InfluxDB metrics, email alerts, sending an emergency call/SMS, BGP announcements, shutting off the VPS).


Scenario 1:
A VPS provider on hypervisor X protects customers with FNM; when an attack is detected in the NetFlow/sFlow/IPFIX traffic, the bash script automatically adds a blackhole rule on the edge network device or hypervisor host so that network performance does not degrade for the other customers.
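The "bash script executed on ban" from the paragraph above and the blackhole rule from Scenario 1, as an added example that is not FastNetMon's own notify_about_attack.sh. It follows the argument convention FastNetMon documents for its notify script ($1 = IP, $2 = direction, $3 = pps, $4 = action, with the attack report on stdin for attack_details; verify this against your installed version). Everything else is an assumption of this example: a Linux host where the blackhole is installed with `ip route`, the report directory, and a DRY_RUN switch that only prints the command until you are happy with it. It goes a little beyond the text by validating the IP before it reaches a root command line and by handling unban as well as ban.

```shell
#!/bin/sh
# Added example (not FastNetMon's own script): a minimal notify/ban script.
# FastNetMon documents that it calls the notify script as:
#   script IP DIRECTION PPS ACTION
# where ACTION is ban, unban or attack_details (report arrives on stdin).
# Assumptions of this example: Linux host, blackhole via `ip route`,
# DRY_RUN=1 (default here for a first deployment) prints instead of running,
# and REPORT_DIR is a path chosen for this example.

DRY_RUN=${DRY_RUN:-1}
REPORT_DIR=${REPORT_DIR:-/var/log/fastnetmon/attacks}

# Strict dotted-quad check: the address ends up on a root command line, so
# anything that is not exactly four 0-255 octets is refused.
is_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Map FNM's action to the ip-route verb; unknown actions get no route change.
route_verb() {
    case "$1" in
        ban)   echo add ;;
        unban) echo del ;;
        *)     return 1 ;;
    esac
}

# Entry point FNM would call: handle_event IP DIRECTION PPS ACTION
handle_event() {
    ip=$1; direction=$2; pps=$3; action=$4
    if ! is_ipv4 "$ip"; then
        echo "fastnetmon-notify: refusing malformed IP '$ip'" >&2
        return 2
    fi
    case "$action" in
        ban|unban)
            verb=$(route_verb "$action")
            echo "fastnetmon-notify: $action $direction $ip ($pps pps)" >&2
            if [ "$DRY_RUN" = 1 ]; then
                echo "ip route $verb blackhole $ip/32"
            else
                ip route "$verb" blackhole "$ip/32"
            fi
            ;;
        attack_details)
            # Keep the report FNM pipes in on stdin: it is the record of why
            # this host was banned and what the traffic looked like.
            mkdir -p "$REPORT_DIR" || return 1
            cat > "$REPORT_DIR/${ip}_$(date +%Y%m%dT%H%M%S).txt"
            ;;
        *)
            echo "fastnetmon-notify: unknown action '$action'" >&2
            return 3
            ;;
    esac
}

# When FNM invokes the script directly, dispatch on its arguments.
if [ "$#" -ge 4 ]; then
    handle_event "$@"
fi
```

Point FNM's notify script setting at this file, run it with DRY_RUN=1 first and watch the log line and printed command for a real ban/unban pair, then switch DRY_RUN=0. Keeping the attack_details report is cheap and is usually the only evidence you have later when a customer asks why their VPS was blackholed.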

Scenario 2:
A carrier needs to monitor traffic flows on their network boxes, sets up FNM and gathers all flows to monitor subnets and re-route traffic (GoBGP and ExaBGP are supported by FNM) when links are saturated.

..


And so on

The FNM setup is quite easy to get up and running; the tricky part is setting up the Grafana and InfluxDB metrics, but that's not a problem if you are interested only in detection/mitigation.
If you are into dashboarding you could also set up an ELK stack (this is the icing on the cake) to gather NetFlow data and create great visualizations with Kibana (total PPS in, top "talkers" on outgoing/incoming traffic, traffic categories, sort by TCP/UDP, ...).

The only requirements are:

Links and Resources:

For any questions and discussion, don't hesitate to contact me.