06-16-2014, 11:34 AM #1 Junior Guru Wannabe (Join Date: Jun 2014, Posts: 66)
Open source solution for detecting DoS/DDoS attacks
Hello!
I want to offer our hand-made and home-grown but completely open source (and free) solution for detecting incoming/outgoing DDoS and DoS attacks on OpenVZ hosts or on a whole network (it can be run on mirror ports of a router or switch). It can detect incoming or outgoing DoS/DDoS attacks and lock the container (or send a notification to system administrators) after your server impacts any host on the Internet (and surely gets an abuse complaint).
You can find it here: https://github.com/FastVPSEestiOu/fastnetmon
Don't hesitate to ask any questions!
06-21-2014, 10:31 AM #2 Junior Guru Wannabe (Join Date: May 2008, Location: Russia, Nizhniy Novgorod, Posts: 35)
Can it be used inside OpenVZ containers for incoming attack detection?
06-21-2014, 11:22 AM #3 WHT Addict (Join Date: Jun 2012, Posts: 130)
Nice giveaway
This is pretty cool; for those who cannot spend thousands of dollars on DDoS detection and mitigation, automatic blackholing is the right solution.
06-21-2014, 11:25 AM #4 Newbie (Join Date: Jun 2014, Posts: 10)
Thanks for sharing, Pavel_Odintsov. I may give it a try and I will give honest feedback.
06-21-2014, 11:56 AM #6 Junior Guru Wannabe (Join Date: Jun 2014, Posts: 66)
Thank you for the feedback! We use it for blackholing clients in case of heavy DDoS attacks when we can't filter traffic with our equipment. But for systems without DDoS mitigation tools it's really useful too.
I'm thinking about a new version with the ability to detect flood sources (we can do this only for TCP, but that doesn't really matter in most cases) and quickly block traffic from them.
06-21-2014, 12:00 PM #7 Junior Guru Wannabe (Join Date: Jun 2014, Posts: 66)
Thank you for the positive feedback! I have released a new version now: https://github.com/FastVPSEestiOu/fa...ses/tag/v1.0.0, please upgrade if you already downloaded my tool. This version will work with almost all interface types.
06-22-2014, 08:43 AM #10 Aspiring Evangelist (Join Date: Apr 2008, Location: Tulsa, OK, USA, Posts: 376)
This tool is an interesting start, however using timeslice sampling instead of handling information decay properly will yield less accurate traffic accounting, allowing smaller floods through.
In ddosmon (http://bitbucket.org/tortoiselabs/ddosmon), we track network flows for a limited time period but keep overall counters moving with a fairly accurate backoff by calculating a delta between the last and current timeslices by not 'charging' the 'pending traffic' to the target IP.
A suggestion for future work would be to work with PF_RING's DNA API to utilize the n-tuple filters on the Intel 82599 cards to filter out anomalous source traffic for a time period. Once you do that, you have a fully open-source adaptive DDoS filter.
06-22-2014, 05:14 PM #11 Junior Guru Wannabe (Join Date: Jun 2014, Posts: 66)
kaniini, thank you for the additions to FastNetMon.
I have an idea about migrating to Boost Accumulators instead of timeslice sampling, because it's so bad.
I'm not sure about its helpfulness, because ntuple is limited to 32k rules and can filter packets using only 5 params: protocol, source port, destination port, source IP, destination IP. And for UDP spoofed/SYN flood attacks 32k is a very small number of hosts.
I have an idea about the ability to investigate a detected flood and provide some "compiled" details to external scripts. In other words, I can provide something like this: attack detected from multiple hosts with UDP protocol and destination address some_host, with packets of size 59 bytes and source port 77. With this data external software can drop this traffic on the border or on the target machine.
06-23-2014, 09:52 AM #12 Aspiring Evangelist (Join Date: Apr 2008, Location: Tulsa, OK, USA, Posts: 376)
Sure, but you could do correlations (if there's no legitimate traffic going to port 1337, you can block all traffic to that IP + port 1337 with 1 rule). WANGuard already does this, they claim, but I am not so sure about the quality of their software.
06-23-2014, 04:30 PM #13 Newbie (Join Date: Feb 2013, Posts: 15)
This is an awesome release, thanks for it; definitely going to set it up and respond with some feedback.
06-30-2014, 11:22 AM #15 Junior Guru Wannabe (Join Date: Jun 2014, Posts: 66)
Hot news! A completely new release with a big number of features!
- We recalculate data for _all_ local IPs every second. You lock DoS/DDoS at the speed of light!
- Nanosecond timestamps added to attack details
- We dropped C++11 support because it's buggy. Now you can compile the tool on any modern platform!
- Optimized calls of the banner script. In the old version it could result in script hangs
- Migrated to boost::threads as more reliable threads for C++
- Introduced new patricia-based IP lookup code
- Migrated to ncurses and no longer produce loooong output in the console
You can compile a custom version or download a binary distro from GitHub.
10-16-2014, 08:45 AM #16 Junior Guru Wannabe (Join Date: Jun 2014, Posts: 66)
I just added a hardware filtration rule on the Intel 82599 NIC to FastNetMon: https://github.com/FastVPSEestiOu/fa...e4d7a054498f48
All incoming/outgoing traffic is locked with these 5-tuple hardware rules.
But I need testers!
10-18-2014, 03:45 PM #17 Web Hosting Master (Join Date: Mar 2013, Posts: 1,328)
Nice!
I don't operate at that level but I applaud your generosity.
10-19-2014, 03:48 PM #19 WHT Addict (Join Date: Sep 2007, Location: New York, NY, Posts: 111)
I haven't taken a look at the source code yet, but it is really great to see open source projects like this.
11-14-2014, 08:48 PM #20 Junior Guru Wannabe (Join Date: Jun 2014, Posts: 66)
Awesome news! We can track flows now! Every DDoS attack notification email we get comes with all flows from/to the certain host!
We can ban hosts for a bandwidth limit, a packets per second limit and even a flows per second limit! We can minimize false positive detections with the flow tracker to zero.
In new releases we can try to introduce the ability to ban certain flows (like a flood from an external host) without complete host locking.
You can find more details here: https://github.com/FastVPSEestiOu/fastnetmon
12-03-2014, 12:01 PM #21 Junior Guru Wannabe (Join Date: Jun 2014, Posts: 66)
Hello!
I added sFlow support, and NetFlow support is on the way! Now you can run the tool on a slow VPS and process 100GE port data with sampled sFlow.
12-05-2014, 12:22 AM #22 Web Hosting Master (Join Date: Jul 2007, Location: Virginia, Posts: 1,314)
Looking good!
12-20-2014, 05:39 PM #24 Junior Guru Wannabe (Join Date: Jun 2014, Posts: 66)
We added the PF_RING DNA/ZC native API, and if you have a license you can process up to 6 million packets per second on an old Intel E5 2440 with an Intel 82599 10GE NIC. If you have more powerful CPUs you can process up to 14.4 Mpps.
You can download the code and install it with one click from GitHub: https://github.com/FastVPSEestiOu/fastnetmon
Last edited by Pavel_Odintsov; 12-20-2014 at 05:46 PM.
01-24-2015, 02:59 PM #25 Newbie (Join Date: Jul 2013, Posts: 7)
Hi Pavel,
Regarding:
Can trigger block script if certain IP load network with big amount of packets per second
Can trigger block script if certain IP load network with big amount of bytes per second
Can trigger block script if certain IP load network with big amount of flows per second
Where is this script located?
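As an added example (not FastNetMon's or ddosmon's code), here is a small Python model that combines kaniini's point in #10 (exponentially decaying per-host counters instead of fixed timeslices, so a flood cannot hide between slice boundaries) with the three per-host limits from #20 that the block script in #25 is triggered on, and emits the kind of "compiled" attack details described in #11 (protocol, packet size, source port, number of sources) for an external block script. The decay constant, the limits and the sample traffic are assumed/constructed, not the tool's defaults.

```python
import math
from collections import Counter

TAU = 1.0  # decay time constant in seconds (assumed tuning value)
# Per-host limits: packets/s, bits/s, new flows/s (assumed values, not the tool's defaults)
LIMITS = {"pps": 1000.0, "bps": 5_000_000.0, "fps": 500.0}

class HostCounters:
    """Per-host rates with exponential decay instead of fixed one-second timeslices."""
    def __init__(self):
        self.rates = {"pps": 0.0, "bps": 0.0, "fps": 0.0}
        self.last = None
        self.flows = set()   # 5-tuples already charged, so a flow counts once
        self.packets = []    # kept for the compiled attack summary

    def add(self, pkt):
        ts, src, dst, proto, sport, dport, length = pkt
        if self.last is not None:  # decay everything since the previous packet
            f = math.exp(-(ts - self.last) / TAU)
            self.rates = {k: v * f for k, v in self.rates.items()}
        self.last = ts
        self.rates["pps"] += 1 / TAU           # each event adds 1/TAU, so a steady
        self.rates["bps"] += length * 8 / TAU  # stream of R events/s converges to R
        flow = (src, sport, dst, dport, proto)
        if flow not in self.flows:
            self.flows.add(flow)
            self.rates["fps"] += 1 / TAU
        self.packets.append(pkt)

    def exceeded(self):
        return [k for k in LIMITS if self.rates[k] > LIMITS[k]]

def compile_attack(host, hc):
    """Summarise the flood the way post #11 describes, for an external block script."""
    def common(i):
        return Counter(p[i] for p in hc.packets).most_common(1)[0][0]
    return {"target": host, "triggers": hc.exceeded(), "protocol": common(3),
            "src_port": common(4), "packet_size": common(6),
            "sources": len({p[1] for p in hc.packets})}

def detect(packets):
    """Account every packet to its destination; report hosts that broke a limit."""
    hosts = {}
    for pkt in sorted(packets):  # (ts, src, dst, proto, sport, dport, bytes)
        hosts.setdefault(pkt[2], HostCounters()).add(pkt)
    return {h: compile_attack(h, hc) for h, hc in hosts.items() if hc.exceeded()}

# Constructed sample: 2 s of a 3000 pps spoofed UDP flood (59-byte packets, src port 77) plus light legit traffic
FLOOD = [(i / 3000, f"10.200.{i // 256}.{i % 256}", "10.0.0.5", "udp", 77, 53, 59) for i in range(6000)]
LEGIT = [(i / 50, "198.51.100.7", "10.0.0.9", "tcp", 40000 + i, 443, 1200) for i in range(100)]
```

With these inputs only 10.0.0.5 trips the pps and fps limits (its byte rate stays under the bps limit), and the returned summary is what a block script could turn into a single 5-tuple rule rather than a per-source rule list.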