fastnetmon

DDoS detector with multiple packet capture engines

  1. Package version
    fastnetmon-1.1.7p2
  2. Maintainer
    The OpenBSD ports mailing-list

FastNetMon is a very high performance DDoS detector built on top of
multiple packet capture engines: NetFlow, IPFIX and sFlow.

It can detect malicious traffic in your network and immediately block
it with a BGP blackhole or BGP FlowSpec rules.

It has solid support for all major network vendors and scales well
thanks to its flexible design.

+-----------------------------------------------------------------------
| Running ${PKGSTEM} on OpenBSD
+-----------------------------------------------------------------------

NetFlow input from pf
---------------------
By default FastNetMon listens on UDP port 2055 for incoming NetFlow data. On
OpenBSD this can be obtained from pflow(4). Minimal pf.conf addition to export
all states through pflow(4):

set state-defaults pflow

Then create and configure the pflow0 interface (ifconfig(8) clones it on first
use; to recreate it at boot, put the same flowsrc/flowdst line in
/etc/hostname.pflow0, see hostname.if(5)):

# ifconfig pflow0 flowsrc 127.0.0.1 flowdst 127.0.0.1:2055

The default protocol version (5) works fine with FastNetMon.

Two things to keep in mind: NetFlow is plain UDP with no authentication, so
keep the collector on the loopback address as above, or otherwise make sure pf
only accepts UDP port 2055 from the exporter; and pflow(4) emits a flow record
when a pf state is removed, so an attack becomes visible to FastNetMon as its
states expire or are purged, not with the first packet.
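The pieces above assembled into a persistent setup, as an added example that is
not part of the port or of upstream FastNetMon. The pf rules assume the
exporter and collector run on the same host; the fastnetmon.conf key names
(netflow, netflow_port, netflow_host, networks_list_path, notify_script_path)
are taken from the upstream sample configuration of the 1.1.x series and should
be checked against the file the package installs.

```conf
# /etc/hostname.pflow0 -- brought up by netstart(8) at boot
flowsrc 127.0.0.1 flowdst 127.0.0.1:2055

# /etc/pf.conf additions
set state-defaults pflow
# The collector is local only: accept NetFlow on loopback, refuse it everywhere
# else.  Order matters because both rules use "quick".
pass in quick on lo0 inet proto udp from 127.0.0.1 to 127.0.0.1 port 2055
block in quick inet proto udp to port 2055

# ${SYSCONFDIR}/fastnetmon/fastnetmon.conf -- relevant keys only
netflow = on
netflow_port = 2055
# bind to loopback rather than 0.0.0.0 so nothing off-host can feed records
netflow_host = 127.0.0.1
networks_list_path = ${SYSCONFDIR}/fastnetmon/networks_list
notify_script_path = ${SYSCONFDIR}/fastnetmon/notify_about_attack.sh
```

Apply the pf change with `pfctl -f /etc/pf.conf` and bring the interface up
with `sh /etc/netstart pflow0`; `ifconfig pflow0` then shows the configured
source, destination and protocol version.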

Configuration
-------------
At the very minimum the known networks need to be recorded in
${SYSCONFDIR}/fastnetmon/networks_list in CIDR notation, otherwise all traffic
is classified as "other traffic".

Also a notification script needs to be configured and installed to actually
perform a ban: FastNetMon runs it with the offending address, the direction,
the packet rate and the action (ban, unban or attack_details) as arguments. A
stub is provided in
${PREFIX}/share/examples/fastnetmon/notify_about_attack.sh
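A worked notification script, added here as an example and not the stub the
package ships: it blackholes the reported address with a pf table instead of
sending mail. It assumes pf.conf declares `table <fastnetmon_blackhole>
persist` with a matching `block quick from <fastnetmon_blackhole>` rule, and
that FastNetMon calls it as `script <ip> <direction> <pps> <action>` with the
attack report on stdin for ban and attack_details. Because the address is
derived from attacker-controlled flow data, it is validated before it reaches
a command line; PFCTL, TABLE and LOGDIR are the script's own knobs.

```shell
#!/bin/sh
# Added example: pf-table blackhole handler for FastNetMon's notify hook.
# Invoked by FastNetMon as:  notify_about_attack.sh <ip> <direction> <pps> <action>

PFCTL=${PFCTL:-/sbin/pfctl}                 # pf control binary
TABLE=${TABLE:-fastnetmon_blackhole}        # pf table declared in pf.conf (assumed)
LOGDIR=${LOGDIR:-/var/log/fastnetmon}       # attack reports, one file per address

# Accept only a dotted-quad IPv4 address with octets in range.  The value
# comes from parsed NetFlow records, so never hand it to a command unchecked.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the pfctl invocation for an action; return 1 if it needs no pf change.
pf_command() {
    case $1 in
        ban)   echo "$PFCTL -t $TABLE -T add $2" ;;
        unban) echo "$PFCTL -t $TABLE -T delete $2" ;;
        *)     return 1 ;;
    esac
}

# Validate every argument, apply the pf change, and keep the report.
# Returns 0 on success, 2 on rejected input, 3 if pfctl failed.
handle_attack() {
    ip=$1 direction=$2 pps=$3 action=$4
    valid_ipv4 "$ip" || { echo "rejected address: $ip" >&2; return 2; }
    case $direction in
        incoming|outgoing) ;;
        *) echo "rejected direction: $direction" >&2; return 2 ;;
    esac
    case $pps in
        ''|*[!0-9]*) echo "rejected pps: $pps" >&2; return 2 ;;
    esac
    case $action in
        ban|unban)
            cmd=$(pf_command "$action" "$ip")
            # $cmd is deliberately unquoted: it was built from validated parts
            $cmd || { echo "pfctl failed for $action $ip" >&2; return 3; }
            ;;
        attack_details) ;;
        *) echo "unknown action: $action" >&2; return 2 ;;
    esac
    # ban and attack_details carry the report on stdin; keep it for forensics
    if [ "$action" != unban ]; then
        mkdir -p "$LOGDIR"
        { echo "== $(date) $action $ip $direction ${pps}pps"; cat; } >> "$LOGDIR/$ip.log"
    fi
    return 0
}

if [ $# -eq 4 ]; then
    handle_attack "$@"
    exit $?
fi
```

Install it at the path named by notify_script_path, mode 0755, and test it by
hand with `PFCTL=echo` before letting FastNetMon call it; the unban action is
what makes a ban expire after ban_time, so a handler that only adds to the
table leaves addresses blackholed forever.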

  • devel/cmake
  • devel/ninja