
FastNetMon Advanced DDoS detection tool

Slides about DDoS detection tool. IPFIX, sFlow, Netflow support. Instant detection. Complete API and command line tools.

Free trial: https://fastnetmon.com/trial/



  1. https://FastNetMon.com
  2. PROJECT HISTORY
     • 2013 Q2: project founded
     • 2013 Q3: mirror port support
     • 2014 Q2: sFlow support
     • 2014 Q3: NetFlow v5 and v9 support
     • 2015 Q1: IPFIX support
     • 2015 Q2: added to the official FreeBSD ports tree
     • 2016 Q3: integration with A10 Networks TPS
     • 2017 Q1: integration with Radware DefenseFlow
     • 2018 Q1: FastNetMon joined WorksOnARM.com
  3. KEY FEATURES
     • Detects all types of volumetric attacks
     • Requires no changes to your network
     • Complete automation
     • Lightning-fast detection
     • Software-only solution
     • BGP integration (BGP unicast blackhole and BGP Flow Spec)
     • Supports almost all available traffic capture engines
  4. KEY FEATURES FOR BUSINESS
     • Reduces the cost of additional capacity
     • Reduces overall service downtime
     • Decreases the number of incoming abuse complaints
     • Additional service for customers to increase ARPU
     • Reduces the cost of precise DDoS filtering hardware
     • Reduces the cost of DDoS filtering clouds
  5. SUPPORTED VENDORS
  6. LIGHTNING-FAST ATTACK DETECTION
     • 2 seconds with mirror/SPAN
     • 2-3 seconds with sFlow
     • 10-30 seconds with NetFlow/IPFIX
  7. TRAFFIC CAPTURE BACKENDS
     • sFlow v5 (switches)
     • NetFlow v5, v9 (including sampled), v10 (IPFIX), jFlow, cFlow (routers)
     • SPAN/mirror port (1GE, 10GE, 40GE)
     • Tera Flow (distributed monitoring protocol)
  8. SUPPORTED ATTACK TYPES
     • NTP, DNS, SNMP, SSDP amplification
     • TCP SYN, ACK and SYN-ACK floods
     • UDP floods
     • Multi-vector attacks
     • Reflection attacks
  9. UNLIMITED SCALABILITY
     • sFlow v5: 1.2 Tbps*
     • NetFlow: 2.2 Tbps*
     • Mirror/SPAN: 80 GE*
     • Distributed with Tera Flow: unlimited
     * all numbers are for a single physical server
  10. ACTIONS TRIGGERED FOR A DETECTED ATTACK
     • E-mail notification
     • BGP blackhole
     • BGP Flow Spec (RFC 5575)
     • Slack notification
     • API call
     • Web request
     • Script call
  11. EXTREMELY FAST DELIVERY
     • Works on any VM or physical server
     • Less than 15 minutes to install and configure FastNetMon on a new server
     • Network-engineer-friendly CLI
     • Learns almost all configuration automatically
  12. DETECTION LOGIC
     Two levels:
     • Threshold based (compares each host's smoothed traffic against configured thresholds)
     • Hyper packet engine for deep flow/packet inspection using a statistical approach
  13. BETWEEN THE CLOUD AND NETWORK EQUIPMENT
     • FastNetMon can be used together with precise filtering hardware (A10 Networks, Radware, Palo Alto Networks)
     • FastNetMon can be used with your favourite DDoS filtering cloud
     • FastNetMon can isolate an attacked customer in a dedicated network using a BGP or BGP Flow Spec redirect
  14. FRIENDLY COMMAND LINE INTERFACE
  15. ATTACK AND TRAFFIC VISUALIZATION
  16. ATTACK NOTIFICATIONS
  17. RICH ATTACK REPORTS
     IP: 10.10.10.221
     Attack type: syn_flood
     Initial attack power: 546475 packets per second
     Peak attack power: 546475 packets per second
     Attack direction: incoming
     Attack protocol: tcp
     Total incoming traffic: 245 mbps
     Total outgoing traffic: 0 mbps
     Total incoming pps: 99059 packets per second
     Total outgoing pps: 0 packets per second
     Total incoming flows: 98926 flows per second
     Total outgoing flows: 0 flows per second
     Average incoming traffic: 45 mbps
     Average outgoing traffic: 0 mbps
     Average incoming pps: 99059 packets per second
     Average outgoing pps: 0 packets per second
     Average incoming flows: 98926 flows per second
     Average outgoing flows: 0 flows per second
     Incoming ip fragmented traffic: 250 mbps
     Outgoing ip fragmented traffic: 0 mbps
     Incoming ip fragmented pps: 546475 packets per second
     Outgoing ip fragmented pps: 0 packets per second
     Incoming tcp traffic: 250 mbps
     Outgoing tcp traffic: 0 mbps
     Incoming tcp pps: 546475 packets per second
     Outgoing tcp pps: 0 packets per second
     Incoming syn tcp traffic: 250 mbps
     Outgoing syn tcp traffic: 0 mbps
     Incoming syn tcp pps: 546475 packets per second
     Outgoing syn tcp pps: 0 packets per second
     Incoming udp traffic: 0 mbps
     Outgoing udp traffic: 0 mbps
     Incoming udp pps: 0 packets per second
     Outgoing udp pps: 0 packets per second
     Incoming icmp traffic: 0 mbps
     Outgoing icmp traffic: 0 mbps
  18. DISTRIBUTED SETUP WITH TERA FLOW
  19. DEVELOPER FRIENDLY
     • API for FastNetMon operations (using fcli)
     • MongoDB for configuration
     • JSON everywhere
     • API for traffic persistency
     • API for metrics
  20. TRAFFIC PERSISTENCY
  21. ASN REPORTS
  22. Thank you! sales@fastnetmon.com
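Slide 12 names the first detection level as "threshold based, on the host's smoothed traffic" without showing how such a check behaves. The following is an added example written for this page, not FastNetMon's code: it keeps an exponential moving average per host and metric, raises an attack-start event when any smoothed metric crosses its threshold, and clears the attack only after traffic drops below a hysteresis margin so that a single quiet sampling interval does not end the mitigation. The smoothing method, the threshold values, the hysteresis factor and the sample counters are all assumptions made for the example.

```python
"""Threshold-based attack detection on smoothed per-host counters.

Added example, not FastNetMon's own code: it models the first detection
level named on slide 12 (compare each host's smoothed traffic against
thresholds).  The smoothing method (exponential moving average), the
threshold values, the hysteresis factor and the sample counters are all
assumptions made for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Thresholds:
    """Per-host limits; exceeding any one of them flags the host (assumed values)."""
    pps: float = 20_000.0      # packets per second
    mbps: float = 1_000.0      # megabits per second
    flows: float = 3_500.0     # new flows per second


@dataclass
class HostState:
    smoothed: dict = field(default_factory=dict)   # metric name -> EMA value
    under_attack: bool = False


class ThresholdDetector:
    """Keeps an EMA per host and metric; emits start/end events on threshold crossings."""

    def __init__(self, thresholds: Thresholds, alpha: float = 0.5, hysteresis: float = 0.8):
        if not 0.0 < alpha <= 1.0:
            raise ValueError("alpha must be in (0, 1]")
        self.thresholds = thresholds
        self.alpha = alpha              # weight of the newest sample in the EMA
        self.hysteresis = hysteresis    # attack ends only below hysteresis * threshold
        self.hosts: dict[str, HostState] = {}

    def observe(self, host: str, *, pps: float, mbps: float, flows: float):
        """Feed one sampling interval of counters for `host`.

        Returns an event dict on an attack start or end, otherwise None.
        """
        state = self.hosts.setdefault(host, HostState())
        sample = {"pps": pps, "mbps": mbps, "flows": flows}
        for metric, value in sample.items():
            prev = state.smoothed.get(metric)
            # Seed the EMA with the first sample so a newly seen host is not under-estimated.
            state.smoothed[metric] = (value if prev is None
                                      else self.alpha * value + (1 - self.alpha) * prev)

        limits = {"pps": self.thresholds.pps, "mbps": self.thresholds.mbps,
                  "flows": self.thresholds.flows}
        exceeded = {m: v for m, v in state.smoothed.items() if v > limits[m]}
        calm = all(v < self.hysteresis * limits[m] for m, v in state.smoothed.items())

        if exceeded and not state.under_attack:
            state.under_attack = True
            return {"host": host, "event": "attack_start", "exceeded": exceeded}
        if state.under_attack and calm:
            state.under_attack = False
            return {"host": host, "event": "attack_end", "smoothed": dict(state.smoothed)}
        return None


if __name__ == "__main__":
    det = ThresholdDetector(Thresholds())
    # Constructed samples: a quiet host, then a burst on the order of the SYN flood on slide 17.
    samples = [(5_000, 40, 1_000), (300_000, 250, 98_000)] + [(0, 0, 0)] * 5
    for pps, mbps, flows in samples:
        ev = det.observe("10.10.10.221", pps=pps, mbps=mbps, flows=flows)
        if ev:
            print(ev)
```

With alpha at 0.5 the burst is flagged on the very interval it arrives, which is what the "2-3 seconds" figures on slide 6 depend on; a smaller alpha would suppress short spikes at the price of slower detection, and the hysteresis margin is what keeps a BGP blackhole or Flow Spec rule from flapping while the flood tails off.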
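Slide 17 shows the attack report as "Key: value unit" lines and slide 10 lists BGP Flow Spec (RFC 5575) among the triggered actions; slide 19 adds that the product talks JSON. The following added example, written for this page and not FastNetMon's code, parses an abridged copy of the slide 17 report into typed JSON-ready values and derives the match half of a Flow Spec rule from it. The key normalisation, the unit names, the attack-type-to-component table and the hypothetical `flowspec_match()` function are assumptions made here; turning the match into an actual BGP announcement is left to whatever BGP speaker is in use.

```python
"""Parse a FastNetMon-style attack report and derive a flow spec match from it.

Added example, not FastNetMon's own code.  The report text is an abridged
copy of slide 17 with its line breaks restored; the key normalisation, the
unit names and the flowspec_match() mapping are assumptions made here.
"""
import ipaddress
import json
import re

SAMPLE_REPORT = """\
IP: 10.10.10.221
Attack type: syn_flood
Initial attack power: 546475 packets per second
Peak attack power: 546475 packets per second
Attack direction: incoming
Attack protocol: tcp
Total incoming traffic: 245 mbps
Total outgoing traffic: 0 mbps
Total incoming pps: 99059 packets per second
Total incoming flows: 98926 flows per second
Incoming tcp pps: 546475 packets per second
Incoming syn tcp pps: 546475 packets per second
Incoming udp pps: 0 packets per second
"""

_UNIT_NAMES = {"packets per second": "pps", "flows per second": "fps", "mbps": "mbps"}
_LINE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")
_RATE = re.compile(r"^(?P<num>\d+(?:\.\d+)?)\s+(?P<unit>packets per second|flows per second|mbps)$")


def parse_report(text: str) -> dict:
    """Turn 'Key: value [unit]' lines into a dict; rates become {'value', 'unit'}."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised report line: {line!r}")
        # "Incoming syn tcp pps" -> "incoming_syn_tcp_pps"
        key = re.sub(r"[^a-z0-9]+", "_", m.group("key").lower()).strip("_")
        value = m.group("value").strip()
        rate = _RATE.match(value)
        if rate:
            num = rate.group("num")
            report[key] = {"value": float(num) if "." in num else int(num),
                           "unit": _UNIT_NAMES[rate.group("unit")]}
        else:
            report[key] = value
    return report


# Assumed mapping from report attack types to extra flow spec components (not from the deck).
_ATTACK_COMPONENTS = {
    "syn_flood": {"protocol": "tcp", "tcp_flags": ["syn"]},
}


def flowspec_match(report: dict) -> dict:
    """Build the match half of a flow spec rule for the attacked host.

    Incoming attacks match on destination prefix, outgoing ones on source prefix,
    so the rule never covers more than the single host named in the report.
    """
    addr = ipaddress.ip_address(report["ip"])
    side = "destination" if report.get("attack_direction") == "incoming" else "source"
    match = {side: f"{addr}/{addr.max_prefixlen}", "protocol": report.get("attack_protocol")}
    match.update(_ATTACK_COMPONENTS.get(report.get("attack_type"), {}))
    return match


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(json.dumps(parsed, indent=2))      # "JSON everywhere", slide 19
    print(flowspec_match(parsed))
```

Keeping the match scoped to a host prefix plus protocol and flags is what makes Flow Spec preferable to a blackhole for this report: the host's non-SYN TCP and UDP traffic (zero in the sample, but not in general) keeps flowing while the flood is dropped at the edge.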
