FastNetMon - ENOG9 speech about DDoS mitigation

Speech at NANOG9 about FastNetMon - open source DDoS detection solution: https://github.com/FastVPSEestiOu/fastnetmon

  1. FastNetMon: open source DDoS mitigation toolkit. Pavel Odintsov, odintsov@fastvps.ee. http://bit.ly/fastnetmon
  2. Number of DDoS attacks per month [bar chart; x-axis 2014-12 to 2015-06, y-axis 0 to 40]
  3. DDoS attack directions: outgoing 31 %, incoming 69 %
  4. Incoming DDoS attack protocols: UDP 71 %, TCP 29 %
  5. Outgoing DDoS attack protocols: UDP 41 %, TCP 59 %
  6. Is it dangerous?
  7. Any solutions? FastNetMon: http://bit.ly/fastnetmon
  8. What can we do?
     • Save the NOC's sleep :)
     • Detect any DoS/DDoS attack that overflows a channel or overloads equipment
     • Partially or completely block traffic from/to our own host (the target of the attack)
     • Save your network (routers, switches, servers)
     • Save your SLA
  9. FastNetMon supported packet capture engines
     • sFlow v5 (sampled traffic collection from switches)
     • NetFlow v5, v9, v10 (sampled traffic data from routers)
     • IPFIX (sampled traffic data from routers)
     • SPAN/mirror (deep inspection mode for routers/switches)
  10. How can we block an attack?
     • BGP announce (community 666, blackhole, selective blackhole)
     • BGP flow spec / RFC 5575 (selective traffic blocking)
     • ACL on the switch
     • Custom script
  11. Supported platforms
     • Hyper-V, ESXi, KVM: we offer an appliance based on VyOS
     • CentOS/RHEL/Fedora Linux
     • Debian/Ubuntu Linux
     • FreeBSD
  12. Hardware requirements
     • 1 GE NIC (10GE recommended for mirror/SPAN mode, Intel NICs only)
     • Intel Xeon CPU (E5 v3 recommended for high speed capture from mirror)
     • 10 GB hard disk drive
  13. Performance
     • sFlow: 40-100GE
     • NetFlow: 40-100GE
     • SPAN/mirror: 10-40GE per node (tested up to 10 Mpps)
  14. Supported vendors
     • Cisco
     • Juniper
     • Extreme
     • Huawei
     • Linux (ipt_NETFLOW)
  15. Attack detection logic
     • By number of packets per second to/from a /32
     • By number of mbps to/from a /32
     • By number of flows per second to/from a /32
     • By number of fragmented packets to/from a /32
     • By number of TCP SYN packets to/from a /32
     • By number of UDP packets to/from a /32
  16. Complete support for the most popular channel-overflow attacks
     • SYN flood
     • UDP amplification (SSDP, Chargen, DNS, SNMP, NTP)
     • IP fragmentation
  17. Example attack report
     IP: 10.10.10.221
     Attack type: syn_flood
     Initial attack power: 546475 packets per second
     Peak attack power: 546475 packets per second
     Attack direction: incoming
     Attack protocol: tcp
     Total incoming traffic: 245 mbps
     Total outgoing traffic: 0 mbps
     Total incoming pps: 99059 packets per second
     Total outgoing pps: 0 packets per second
     Total incoming flows: 98926 flows per second
     Total outgoing flows: 0 flows per second
     Average incoming traffic: 45 mbps
     Average outgoing traffic: 0 mbps
     Average incoming pps: 99059 packets per second
     Average outgoing pps: 0 packets per second
     Incoming ip fragmented traffic: 250 mbps
     Outgoing ip fragmented traffic: 0 mbps
     Incoming ip fragmented pps: 546475 packets per second
     Outgoing ip fragmented pps: 0 packets per second
     Incoming tcp traffic: 250 mbps
     Outgoing tcp traffic: 0 mbps
     Incoming tcp pps: 546475 packets per second
     Outgoing tcp pps: 0 packets per second
     Incoming syn tcp traffic: 250 mbps
     Outgoing syn tcp traffic: 0 mbps
     Incoming syn tcp pps: 546475 packets per second
     Outgoing syn tcp pps: 0 packets per second
     Incoming udp traffic: 0 mbps
     Outgoing udp traffic: 0 mbps
     Incoming udp pps: 0 packets per second
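The detection logic of slide 15 and the report of slide 17 fit together in one worked example. The block below is added here and is not FastNetMon's code or part of the slide deck: it folds sampled flow records into per-/32 counters split by direction, compares the per-second rates against thresholds, names the attack the way the report does and prints a report in the same key/value style. The protected prefix 10.10.10.0/24, the 1:1000 sampling rate, the threshold values, the flow records and the mitigation-selection policy at the end are all constructed for the example.

```python
# Added example (not FastNetMon's own code): per-/32 threshold detection over
# sampled flow records, modelled on slides 15-17. Prefix, sampling rate,
# thresholds, records and the mitigation policy are constructed.
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

OUR_NETWORK = ipaddress.ip_network("10.10.10.0/24")  # constructed: prefix we protect
SAMPLE_RATE = 1000     # constructed: collector exports 1-in-1000 sampled flows
WINDOW_SECONDS = 1     # constructed: aggregation window behind the "per second" rates

# Per-/32 thresholds (constructed values); one entry per bullet on slide 15.
THRESHOLDS = {"pps": 20_000, "mbps": 1_000, "flows": 3_500,
              "fragmented_pps": 3_500, "syn_pps": 3_500, "udp_pps": 3_500}


@dataclass
class Counters:
    packets: int = 0
    octets: int = 0
    flows: int = 0
    fragmented: int = 0
    syn: int = 0
    tcp: int = 0
    udp: int = 0

    def rates(self):
        """Per-second rates keyed like THRESHOLDS."""
        w = WINDOW_SECONDS
        return {"pps": self.packets / w, "mbps": self.octets * 8 / 1_000_000 / w,
                "flows": self.flows / w, "fragmented_pps": self.fragmented / w,
                "syn_pps": self.syn / w, "udp_pps": self.udp / w}


def aggregate(records):
    """Fold sampled flow records into per-host counters, split by direction.

    A record is a dict with src, dst, proto ('tcp'/'udp'/'other'), packets,
    octets, fragmented (bool) and, for tcp, tcp_flags (string of flag letters).
    """
    stats = {"incoming": defaultdict(Counters), "outgoing": defaultdict(Counters)}
    for r in records:
        src, dst = ipaddress.ip_address(r["src"]), ipaddress.ip_address(r["dst"])
        if dst in OUR_NETWORK:
            direction, host = "incoming", str(dst)
        elif src in OUR_NETWORK:
            direction, host = "outgoing", str(src)
        else:
            continue                     # transit traffic, not one of our /32s
        c = stats[direction][host]
        pkts = r["packets"] * SAMPLE_RATE   # undo sampling to estimate real volume
        c.packets += pkts
        c.octets += r["octets"] * SAMPLE_RATE
        c.flows += 1                        # simplification: one record == one sampled flow
        if r["fragmented"]:
            c.fragmented += pkts
        if r["proto"] == "tcp":
            c.tcp += pkts
            flags = r.get("tcp_flags", "")
            if "S" in flags and "A" not in flags:   # bare SYN, no ACK
                c.syn += pkts
        elif r["proto"] == "udp":
            c.udp += pkts
    return stats


def classify(triggered):
    """Name the attack from which thresholds tripped (names follow slide 16/17)."""
    if "syn_pps" in triggered:
        return "syn_flood"
    if "fragmented_pps" in triggered:
        return "ip_fragmentation_flood"
    if "udp_pps" in triggered:
        return "udp_flood"
    return "unknown"


def detect(stats):
    """Return one attack dict per host/direction that exceeds any threshold."""
    attacks = []
    for direction, hosts in stats.items():
        for host, c in hosts.items():
            rates = c.rates()
            triggered = [k for k, v in rates.items() if v > THRESHOLDS[k]]
            if triggered:
                attacks.append({"ip": host, "direction": direction,
                                "type": classify(triggered),
                                "protocol": "tcp" if c.tcp >= c.udp else "udp",
                                "pps": int(rates["pps"]), "mbps": rates["mbps"],
                                "flows": int(rates["flows"]), "triggered": triggered})
    return attacks


def report(a):
    """Key/value report in the style of slide 17 (subset of its fields)."""
    d = a["direction"]
    return "\n".join([f"IP: {a['ip']}", f"Attack type: {a['type']}",
                      f"Attack direction: {d}", f"Attack protocol: {a['protocol']}",
                      f"Total {d} traffic: {a['mbps']:.0f} mbps",
                      f"Total {d} pps: {a['pps']} packets per second",
                      f"Total {d} flows: {a['flows']} flows per second",
                      f"Triggered thresholds: {', '.join(a['triggered'])}"])


def mitigation(a):
    """Constructed policy mapping slide 10's options: selective block for
    single-protocol UDP/fragment floods, /32 blackhole otherwise."""
    if a["type"] in ("udp_flood", "ip_fragmentation_flood"):
        return ("flowspec", f"drop {a['protocol']} to {a['ip']}/32")
    return ("blackhole", f"{a['ip']}/32")


# Constructed records: a SYN flood to one host, normal web traffic to another
# host with its replies, and one transit flow that is not ours.
SAMPLE_RECORDS = (
    [{"src": f"198.51.100.{i}", "dst": "10.10.10.221", "proto": "tcp", "packets": 55,
      "octets": 3300, "tcp_flags": "S", "fragmented": False} for i in range(1, 11)]
    + [{"src": "203.0.113.9", "dst": "10.10.10.5", "proto": "tcp", "packets": 2,
        "octets": 3000, "tcp_flags": "PA", "fragmented": False}] * 3
    + [{"src": "10.10.10.5", "dst": "203.0.113.9", "proto": "tcp", "packets": 3,
        "octets": 4500, "tcp_flags": "PA", "fragmented": False}] * 3
    + [{"src": "192.0.2.1", "dst": "203.0.113.7", "proto": "udp", "packets": 9,
        "octets": 900, "fragmented": True}])


def run(records=SAMPLE_RECORDS):
    return detect(aggregate(records))


if __name__ == "__main__":
    for attack in run():
        print(report(attack), "\nMitigation:", mitigation(attack), "\n")
```

With the constructed records, only 10.10.10.221 trips a threshold: ten sampled records of 55 packets scale to 550000 pps of bare SYNs, so both the pps and the syn_pps checks fire and the attack is reported as an incoming syn_flood over tcp, while the web host stays under every limit. Because each sampled record is counted as one flow, the flow rate is a lower bound; a real collector would scale flow counts as well, which is why the slide's report shows flows per second close to its packet rate.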
  18. Deploy scheme [diagram]
  19. Attack visualization in Graphite [screenshot]
  20. How can I help?
     • If you are an Internet carrier, please offer BGP blackhole to your customers
     • If you are a home ISP or data center, please filter outgoing attacks with great attention
     • Contribute to FastNetMon on GitHub!
     • Share knowledge about DDoS mitigation
  21. Thank you for your attention! pavel.odintsov@gmail.com