Page 1 of 3 (results 1 to 25 of 75)
  1. #1

    Open source solution for detecting DoS/DDoS attacks

    Hello!

    I want to offer our hand-made, home-grown but completely open source (and free) solution for detecting incoming/outgoing DDoS and DoS attacks on OpenVZ hosts or on a whole network (it can be run on mirror ports of a router or switch). It can detect incoming or outgoing DoS/DDoS attacks and lock the container (or send a notification to system administrators) once your server could impact any host on the Internet (and you would surely get an abuse complaint).

    You can find it there: https://github.com/FastVPSEestiOu/fastnetmon

    Don't hesitate to ask any questions!

  2. #2
    Can it be used inside OpenVZ containers for incoming attack detection?

  3. #3

    Nice giveaway

    This is pretty cool. For those who cannot spend thousands of dollars on DDoS detection and mitigation, automatic blackholing is the right solution.

  4. #4
    Thanks for sharing, Pavel_Odintsov. I may give it a try and I will give honest feedback.

  5. #5
    Quote Originally Posted by ArtemZ:
    Can it be used inside OpenVZ containers for incoming attack detection?
    Unfortunately you can't use the high performance version of FastNetMon because PF_RING works over a kernel module (but on a KVM VE you can).

    But you can use the pcap version, which works almost everywhere. But please keep in mind it's very resource-aggressive.

  6. #6
    Quote Originally Posted by RobertJP:
    This is pretty cool. For those who cannot spend thousands of dollars on DDoS detection and mitigation, automatic blackholing is the right solution.
    Thank you for the feedback! We use it for blackholing clients in case of heavy DDoS attacks when we can't filter traffic with our equipment. But for systems without DDoS mitigation tools it's really useful too.

    I'm thinking about a new version with the ability to detect flood sources (we can do this only for TCP, but it doesn't really matter in most cases) and quickly block traffic from them.

  7. #7
    Quote Originally Posted by hostvizor:
    Thanks for sharing, Pavel_Odintsov. I may give it a try and I will give honest feedback.
    Thank you for the positive feedback. I released a new version now: https://github.com/FastVPSEestiOu/fa...ses/tag/v1.0.0, please upgrade if you already downloaded my tool. This version will work with almost all interface types.

  8. #8
    Quote Originally Posted by Pavel_Odintsov:
    Thank you for the positive feedback. I released a new version now: https://github.com/FastVPSEestiOu/fa...ses/tag/v1.0.0, please upgrade if you already downloaded my tool. This version will work with almost all interface types.
    Thanks. Can you send me a PM with your contact details (email) as well?

  9. #9
    Quote Originally Posted by hostvizor:
    Thanks. Can you send me a PM with your contact details (email) as well?
    You can write me: pavel.odintsov [at] gmail [dot] com

  10. #10
    This tool is an interesting start; however, using timeslice sampling instead of handling information decay properly will yield less accurate traffic accounting, allowing smaller floods through.

    In ddosmon (http://bitbucket.org/tortoiselabs/ddosmon), we track network flows for a limited time period but keep the overall counters moving with a fairly accurate backoff, calculating a delta between the last and current timeslices by not 'charging' the 'pending traffic' to the target IP.

    A suggestion for future work would be to work with PF_RING's DNA API to utilize the n-tuple filters on the Intel 82599 cards to filter out anomalous source traffic for a time period. Once you do that, you have a fully open-source adaptive DDoS filter.
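    The accounting problem kaniini raises above, shown as an added example (it is not ddosmon's or FastNetMon's code, and the decay model is an ordinary exponentially weighted rate, not ddosmon's delta scheme): a flood that straddles a one-second slice boundary is split across two buckets and stays under a per-bucket threshold, while a continuously decaying estimate sees it whole. The burst timings are constructed for the example.

```cpp
// Added example: fixed timeslice accounting vs. a decaying rate estimate.
// Not FastNetMon or ddosmon code; the burst below is constructed.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <vector>

// Timeslice accounting: packets are counted into whole-window buckets and the
// counter is reset at every boundary, so a burst split across a boundary is
// halved and its true rate is never seen.
struct TimesliceCounter {
    double slice_len;
    double slice_start = 0.0;
    uint64_t cur = 0, peak = 0;
    explicit TimesliceCounter(double len) : slice_len(len) {}
    void observe(double t) {
        while (t >= slice_start + slice_len) {  // close every finished slice
            if (cur > peak) peak = cur;
            cur = 0;
            slice_start += slice_len;
        }
        ++cur;
    }
    uint64_t peak_pps() const { return cur > peak ? cur : peak; }
};

// Decayed accounting: an exponentially weighted packet rate with time
// constant tau. Each packet contributes 1/tau and the estimate decays
// continuously, so nothing is discarded at an arbitrary boundary. A steady
// stream of r packets/s settles at r; a short burst of N packets peaks near N/tau.
struct DecayedRate {
    double tau;
    double rate = 0.0, last_t = 0.0, peak = 0.0;
    explicit DecayedRate(double tau_s) : tau(tau_s) {}
    void observe(double t) {
        rate *= std::exp(-(t - last_t) / tau);
        last_t = t;
        rate += 1.0 / tau;  // units: packets per second
        if (rate > peak) peak = rate;
    }
    double peak_pps() const { return peak; }
};

struct Result { uint64_t timeslice_peak; double decayed_peak; };

// Constructed input: 1000 packets evenly spread over 0.9 s .. 1.1 s, i.e. a
// 0.2-second burst at 5000 pps centred on the 1-second slice boundary.
// Times are built from integer microseconds so the boundary packet lands
// exactly on t = 1.0.
std::vector<double> burst_across_boundary() {
    std::vector<double> ts;
    for (int i = 0; i < 1000; ++i) ts.push_back((900000 + i * 200) / 1e6);
    return ts;
}

// Feed the same packet times to both estimators using the same window/tau.
Result compare(const std::vector<double>& ts, double window_s) {
    TimesliceCounter slice(window_s);
    DecayedRate decay(window_s);
    for (double t : ts) { slice.observe(t); decay.observe(t); }
    return { slice.peak_pps(), decay.peak_pps() };
}

int main() {
    const double threshold_pps = 800.0;  // hypothetical ban threshold
    Result r = compare(burst_across_boundary(), 1.0);
    std::printf("timeslice peak %llu pps (%s), decayed peak %.0f pps (%s)\n",
                (unsigned long long)r.timeslice_peak,
                r.timeslice_peak > threshold_pps ? "flood" : "missed",
                r.decayed_peak,
                r.decayed_peak > threshold_pps ? "flood" : "missed");
    return 0;
}
```

    With a 1-second window the timeslice counter reports a peak of 500 pps (the burst is cut in two), while the decayed estimate peaks at roughly 900 pps, so an 800 pps threshold fires only for the latter. The price of decay is that the estimate also lags a little behind a genuinely new flood, which is why the time constant has to be chosen against the shortest burst you care about.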

  11. #11
    kaniini, thank you for your additions to FastNetMon.

    I have an idea about migrating to Boost Accumulators instead of timeslice sampling because it's so bad.

    I'm not sure about its helpfulness because ntuple is limited to 32k rules and can filter packets using only 5 params: protocol, source port, destination port, source IP, destination IP. And for UDP spoofed/SYN flood attacks 32k is a very small number of hosts.

    I have an idea about the ability to investigate a detected flood and provide some "compiled" details to external scripts. In other words I could provide something like this: attack detected from multiple hosts with the UDP protocol and destination address some_host, with packets of size 59 bytes and source port 77. With this data external software can drop this traffic on the border or on the target machine.

  12. #12
    Quote Originally Posted by Pavel_Odintsov:
    I'm not sure about its helpfulness because ntuple is limited to 32k rules and can filter packets using only 5 params: protocol, source port, destination port, source IP, destination IP. And for UDP spoofed/SYN flood attacks 32k is a very small number of hosts.
    Sure, but you could do correlations (if there's no legitimate traffic going to port 1337, you can block all traffic to that IP + port 1337 with 1 rule). WANGuard already does this, they claim, but I am not so sure about the quality of their software.

    Quote Originally Posted by Pavel_Odintsov:
    I have an idea about the ability to investigate a detected flood and provide some "compiled" details to external scripts. In other words I could provide something like this: attack detected from multiple hosts with the UDP protocol and destination address some_host, with packets of size 59 bytes and source port 77. With this data external software can drop this traffic on the border or on the target machine.
    Right. You could also implement BGP FlowSpec support and have a BGP session with the software. This would work on Juniper routers for filtering (although there are technical limitations).
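    The two ideas above, Pavel's "compiled" attack summary (#11) and kaniini's correlation into a single rule instead of one per spoofed source (#12), shown together as an added example. This is not FastNetMon code; the packet sample, the target address 10.0.0.5, the source addresses and the port numbers are all constructed for the example, and the Rule struct only stands in for the five fields an n-tuple filter can match, so the packet length is reported in the summary but deliberately left out of the rule.

```cpp
// Added example: compile a detected flood into a summary
// (protocol, destination, packet size, source port) and derive ONE wildcard
// filter rule that covers it, instead of one rule per spoofed source.
// Not FastNetMon code; the capture below is constructed.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <tuple>
#include <vector>

struct Packet {
    std::string src, dst;
    uint8_t proto;          // 6 = TCP, 17 = UDP
    uint16_t sport, dport;
    uint16_t len;           // IP length in bytes
};

// The five fields an n-tuple hardware filter can match; 0 / "" = wildcard.
// Packet length is not among them, so it cannot go into the rule.
struct Rule {
    uint8_t proto = 0;
    std::string src, dst;
    uint16_t sport = 0, dport = 0;
};

struct Fingerprint {
    Rule rule;                   // single rule covering the dominant shape
    size_t matched = 0;          // packets to the target that the rule covers
    size_t total = 0;            // all packets to the target in the sample
    size_t distinct_sources = 0; // rules a per-source approach would need
    uint16_t len = 0;            // reported for border ACLs, not in the rule
};

// Shape key = (proto, sport, dport, len); the most frequent shape is the flood.
using Shape = std::tuple<uint8_t, uint16_t, uint16_t, uint16_t>;

Fingerprint compile_attack(const std::vector<Packet>& pkts, const std::string& target) {
    std::map<Shape, size_t> shapes;
    std::set<std::string> sources;
    Fingerprint fp;
    for (const Packet& p : pkts) {
        if (p.dst != target) continue;
        ++fp.total;
        ++shapes[Shape{p.proto, p.sport, p.dport, p.len}];
        sources.insert(p.src);
    }
    fp.distinct_sources = sources.size();
    if (fp.total == 0) return fp;
    auto best = shapes.begin();
    for (auto it = shapes.begin(); it != shapes.end(); ++it)
        if (it->second > best->second) best = it;
    fp.matched    = best->second;
    fp.rule.proto = std::get<0>(best->first);
    fp.rule.sport = std::get<1>(best->first);
    fp.rule.dport = std::get<2>(best->first);
    fp.rule.dst   = target;      // source stays a wildcard on purpose
    fp.len        = std::get<3>(best->first);
    return fp;
}

// Wildcard-aware match, the way an n-tuple filter would evaluate the rule.
bool rule_matches(const Rule& r, const Packet& p) {
    return (r.proto == 0 || r.proto == p.proto)
        && (r.src.empty() || r.src == p.src)
        && (r.dst.empty() || r.dst == p.dst)
        && (r.sport == 0 || r.sport == p.sport)
        && (r.dport == 0 || r.dport == p.dport);
}

// Constructed capture: 200 UDP packets of 59 bytes from source port 77, sent
// from 200 spoofed sources to 10.0.0.5, followed by a little legitimate
// traffic (5 TCP/443 packets and 3 DNS replies) to the same host.
std::vector<Packet> sample_capture() {
    std::vector<Packet> v;
    for (int i = 0; i < 200; ++i)
        v.push_back({"203.0.113." + std::to_string(i), "10.0.0.5", 17, 77, 27015, 59});
    for (int i = 0; i < 5; ++i)
        v.push_back({"192.0.2.10", "10.0.0.5", 6, 44444, 443, 1500});
    for (int i = 0; i < 3; ++i)
        v.push_back({"192.0.2.53", "10.0.0.5", 17, 53, 33333, 120});
    return v;
}

int main() {
    Fingerprint fp = compile_attack(sample_capture(), "10.0.0.5");
    std::printf("attack on %s: proto %u sport %u dport %u len %u, "
                "%zu/%zu packets covered by 1 rule (vs %zu per-source rules)\n",
                fp.rule.dst.c_str(), fp.rule.proto, fp.rule.sport, fp.rule.dport,
                fp.len, fp.matched, fp.total, fp.distinct_sources);
    return 0;
}
```

    On the constructed capture the summary comes out as "UDP to 10.0.0.5, source port 77, 59 bytes", one rule covers 200 of the 208 packets to the host, and the two legitimate flows (TCP/443 and DNS replies from port 53) do not match it. The same flood filtered per source would consume 200 of the 32k n-tuple slots Pavel mentions. The check a practitioner should add before installing such a rule is kaniini's: confirm there is no legitimate traffic with that (protocol, destination port, source port) combination, otherwise the wildcard blocks it too.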

  13. #13
    This is an awesome release thanks for it, definitely going to set it up and respond with some feedback.

  14. #14
    Quote Originally Posted by Howelley:
    This is an awesome release thanks for it, definitely going to set it up and respond with some feedback.
    Do not hesitate to write to me if you have any troubles. Any feedback will be welcome!

  15. #15
    Hot news! A completely new release with a big number of features!

    • We recalculate data for _all_ local IPs every second. You lock DoS/DDoS with the speed of light!
    • Nanosecond timestamps added to the attack details
    • We dropped C++11 support because it's buggy. Now you can compile the tool on any modern platform!
    • Optimized calls of the banner script. In the old version it could result in script hangs
    • Migrated to boost::threads as more reliable threads for C++
    • Introduced new Patricia-based IP lookup code
    • Migrated to ncurses and no longer produce looong output in the console


    You can compile a custom version or download the binary distro from GitHub.

  16. #16
    Quote Originally Posted by kaniini:
    This tool is an interesting start; however, using timeslice sampling instead of handling information decay properly will yield less accurate traffic accounting, allowing smaller floods through.

    In ddosmon (http://bitbucket.org/tortoiselabs/ddosmon), we track network flows for a limited time period but keep the overall counters moving with a fairly accurate backoff, calculating a delta between the last and current timeslices by not 'charging' the 'pending traffic' to the target IP.

    A suggestion for future work would be to work with PF_RING's DNA API to utilize the n-tuple filters on the Intel 82599 cards to filter out anomalous source traffic for a time period. Once you do that, you have a fully open-source adaptive DDoS filter.
    I just added a hardware filtration rule on the Intel 82599 NIC to FastNetMon: https://github.com/FastVPSEestiOu/fa...e4d7a054498f48

    All incoming/outgoing traffic is locked with these 5-tuple hardware rules.

    But I need testers!

  17. #17
    Nice!
    I don't operate at that level but I applaud your generosity.

  18. #18
    Quote Originally Posted by gingir:
    Nice!
    I don't operate at that level but I applaud your generosity.
    Thank you!

  19. #19
    I haven't taken a look at the source code yet, but it is really great to see open source projects like this.

  20. #20
    Awesome news! We can track flows now! Every DDoS attack notification email we get includes all flows from/to the affected host!

    We can ban hosts for a bandwidth limit, a packets per second limit and even a flows per second limit! We can minimize false positive detections with the flow tracker to zero.

    In new releases we may try to introduce the ability to ban certain flows (like a flood from an external host) without complete host locking.

    You can find more details here: https://github.com/FastVPSEestiOu/fastnetmon
    [Attached images: fastnetmon_with_flow_tracking.png, Network_map.png]

  21. #21
    Hello!

    I added sFlow support, and NetFlow support is on the way! Now you can run the tool on a slow VPS and process 100GE port data with sampled sFlow.
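    The three ban criteria from post #20 (bandwidth, packets per second, flows per second) applied to the sampled sFlow input of post #21, as an added example that is not FastNetMon's code and does not claim to be its algorithm. The samples, host addresses, the 1-in-1000 sampling rate and the threshold values are constructed; the scaling of counts by the sampling rate is the standard sFlow estimate, and the flow-rate scaling is an approximation that is noted in the code.

```cpp
// Added example: per-host pps / Mbps / flows-per-second thresholds over one
// measurement window, fed from sampled sFlow. Not FastNetMon code; the
// samples and thresholds below are constructed.
#include <cstdint>
#include <cstdio>
#include <set>
#include <string>
#include <tuple>
#include <vector>

struct Sample {             // one sampled packet header as sFlow delivers it
    std::string src, dst;
    uint8_t proto;
    uint16_t sport, dport;
    uint32_t bytes;
};

struct Thresholds { double pps, mbps, flows_per_sec; };

struct HostStats {
    double pps = 0, mbps = 0, flows_per_sec = 0;
    std::string reason;     // "pps", "mbps", "flows", or empty if under limits
};

using FlowKey = std::tuple<std::string, std::string, uint8_t, uint16_t, uint16_t>;

// Aggregate samples addressed to `host` over a window of window_s seconds.
// sampling_rate is sFlow's 1-in-N (use 1 for a mirror port or PF_RING feed,
// where every packet is seen). Packet and byte counts scale linearly with N.
// Distinct-flow counts do not, strictly: a multi-packet flow may be sampled
// several times, so flows * N is an estimate that is only close when flows
// are short, which is exactly the SYN/UDP flood case a flow limit targets.
HostStats measure_incoming(const std::vector<Sample>& samples, const std::string& host,
                           double window_s, uint32_t sampling_rate, const Thresholds& th) {
    uint64_t packets = 0, bytes = 0;
    std::set<FlowKey> flows;
    for (const Sample& s : samples) {
        if (s.dst != host) continue;
        ++packets;
        bytes += s.bytes;
        flows.insert(FlowKey{s.src, s.dst, s.proto, s.sport, s.dport});
    }
    HostStats st;
    st.pps           = packets * (double)sampling_rate / window_s;
    st.mbps          = bytes * 8.0 * sampling_rate / window_s / 1e6;
    st.flows_per_sec = flows.size() * (double)sampling_rate / window_s;
    if (st.pps > th.pps)                         st.reason = "pps";
    else if (st.mbps > th.mbps)                  st.reason = "mbps";
    else if (st.flows_per_sec > th.flows_per_sec) st.reason = "flows";
    return st;
}

// Hypothetical limits for a small hosting server.
Thresholds default_thresholds() { return {20000.0, 1000.0, 3500.0}; }

// Constructed 1-in-1000 sFlow samples for a one-second window:
//  10.0.0.5: 30 SYN samples from 30 sources  -> ~30000 pps, a SYN flood
//  10.0.0.6: 2 samples of one HTTPS download  -> 2000 pps, 24 Mbps, 1 flow
//  10.0.0.7: 5 tiny samples from 5 sources    -> low pps/Mbps, many flows
std::vector<Sample> sample_sflow() {
    std::vector<Sample> v;
    for (int i = 0; i < 30; ++i)
        v.push_back({"198.51.100." + std::to_string(i), "10.0.0.5", 6,
                     (uint16_t)(1024 + i), 80, 60});
    for (int i = 0; i < 2; ++i)
        v.push_back({"192.0.2.77", "10.0.0.6", 6, 443, 51000, 1500});
    for (int i = 0; i < 5; ++i)
        v.push_back({"203.0.113." + std::to_string(i), "10.0.0.7", 17,
                     (uint16_t)(3000 + i), 53, 40});
    return v;
}

int main() {
    const char* hosts[] = {"10.0.0.5", "10.0.0.6", "10.0.0.7"};
    for (const char* h : hosts) {
        HostStats st = measure_incoming(sample_sflow(), h, 1.0, 1000, default_thresholds());
        std::printf("%s: %.0f pps, %.2f Mbps, %.0f flows/s -> %s\n", h, st.pps, st.mbps,
                    st.flows_per_sec, st.reason.empty() ? "ok" : ("ban: " + st.reason).c_str());
    }
    return 0;
}
```

    The order of the checks matters for what ends up in the notification: the SYN flood on 10.0.0.5 trips the pps limit first even though it would also exceed the flow limit, the large download on 10.0.0.6 stays a single flow and is not banned, and the small-packet scan on 10.0.0.7 is caught only by the flows-per-second criterion, which is the case the flow tracker adds over plain pps/bps accounting. With a sampling rate of 1000 a single sample already represents 1000 pps, so thresholds have to be set well above one sample's worth, or the window widened, to avoid banning on noise.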

  22. #22
    Looking good!

  23. #23
    Quote Originally Posted by Preetam:
    Looking good!
    Thank you!

  24. #24
    We added the PF_RING DNA/ZC native API, and if you have a license you can process up to 6 million packets per second on an old Intel E5 2440 with an Intel 82599 10GE NIC. If you have more powerful CPUs you can process up to 14.4 Mpps.

    You can download the code and install it with one click from GitHub: https://github.com/FastVPSEestiOu/fastnetmon
    Last edited by Pavel_Odintsov; 12-20-2014 at 05:46 PM.

  25. #25
    Hi Pavel,

    Regarding:

    Can trigger the block script if a certain IP loads the network with a large number of packets per second
    Can trigger the block script if a certain IP loads the network with a large number of bytes per second
    Can trigger the block script if a certain IP loads the network with a large number of flows per second

    Where is this script located?
