FastNetMon – very fast DDoS analyzer (github.com/pavel-odintsov)
151 points by snehesht on Sept 6, 2016 | 26 comments



>What can we do? We can detect hosts in our networks sending or receiving large volumes of packets/bytes/flows per second. We can call an external script to notify you, switch off a server, or blackhole the client.

Watch out when implementing this stuff; it goes wrong way too often. At this point I have a hard time not literally screaming at DC techs when my servers get suspended for "UDP flooding"[1] each other.

[1] Otherwise known as OpenVPN


Btw, I recommend using the project's site; it's much more informative than the GitHub repository: https://fastnetmon.com


Bizarrely, that site disables not only my trackpad for scrolling, but also my cursor keys. I have to drag my pointer over to the scrollbar and move the page that way, like it's 1995.


We are working on it, will fix soon!


While you are at it, maybe make it work without javascript as well? Not everyone has it enabled for untrusted web sites, especially here.


Sorry, it's very, very complicated to get it working without javascript.


The project site has some pretty aggressive scroll hijacking; it was basically unusable on my MacBook 13" under Chrome... Guys, just drop the scroll hijacking.


That's from a CloudFlare DNS Engineer -- someone that knows and likely handles DDoS on a daily basis.


That was before cloudflare. But good to know he works there now.


Correct, I'm a DNS guy right now :)


Congrats, Pavel!


Thanks!


Looks very nice. At my last place one of the engineers made something similar based on netflow and it worked really well, integrated with FlowSpec for mitigation.

Might give it a look.... even the screenshot of the real time top talkers looks like something interesting for the NOC to have up.


Impressive performance and integration. What proprietary products is this disrupting?


None, but it's a nice alternative for those on a small budget who would otherwise have nothing at all.


Ok, so what's missing? What does the company that bridges that gap look like?

"This personal computer looks like a nice alternative for companies with a small budget for a mainframe who would otherwise have nothing at all"


FastNetMon is kind of a hammer: inbound traffic to $x is exceeding a bps or pps threshold -> trigger mitigation for $x (i.e. a remote blackhole). This is generally good enough to defend against the least sophisticated and most common attacks such as NTP, SSDP, and DNS amplification attacks. Then there's a long tail of other attack types that are not volumetric in nature and are more difficult to detect. That's a big part of what you pay for when you buy a commercial solution.

Then once an attack has been identified you want to specify mitigation policies: Customer A gets full mitigation, but customer B needs to be blackholed instead. If an attack is smaller than 10Gbps you want to simply insert some flowspec rules into your edge routers, but if the attack pattern is too random you will have to redirect a /32 to a specialized scrubbing device instead. Larger attacks you might want to announce through a DDoS protection service so you announce the /24 containing that IP address to your DDoS protection service to reduce bandwidth on your own uplinks, and so on. I could go on, I hope you get the idea :)


It's only partially correct :) Recently I released support for host groups (custom entities with different thresholds): https://fastnetmon.com/2015/07/07/per-subnet-thresholds/

As a next step I could offer custom rules for mitigation depending on host group name.
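The two comments above describe the whole detection-to-mitigation loop: aggregate flow records per destination host, compare the inbound pps and bps against a threshold that depends on the host group the address falls in, and then pick a mitigation (remote blackhole, FlowSpec rules, redirect to a scrubber, or announcing the /24 to an upstream protection service) according to the customer's policy and the attack size. The following is an added example written for this page, not FastNetMon's own code: the host group names, thresholds, the 40 Gbps scrubber cut-off, and the flow records are all constructed. The longest-prefix group lookup is also what addresses the upthread complaint about a VPN server being suspended for "UDP flooding": a group with higher thresholds for known high-rate hosts keeps them out of the alert list.

```python
"""Threshold-based volumetric DDoS detection over flow records, with
per-host-group thresholds and a size-based mitigation policy (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One flow record from a one-second export window (constructed format)."""
    src: str
    dst: str
    proto: str
    packets: int
    octets: int


# Hypothetical host groups: the longest matching prefix decides the thresholds.
# "vpn" hosts legitimately push far more UDP than the default group, so they get
# a higher pps ceiling instead of being treated as attack victims or sources.
HOST_GROUPS = [
    {"name": "default", "net": "10.0.0.0/8",  "pps": 50_000,  "mbps": 500,   "policy": "mitigate"},
    {"name": "vpn",     "net": "10.0.5.0/24", "pps": 250_000, "mbps": 2_000, "policy": "mitigate"},
    {"name": "budget",  "net": "10.0.9.0/24", "pps": 50_000,  "mbps": 500,   "policy": "blackhole"},
]

# Constructed sample: four sources each hitting several destinations in one second.
SAMPLE_FLOWS = [
    Flow("198.51.100.1", "10.0.0.7",  "udp", 60_000,    6_000_000),
    Flow("198.51.100.2", "10.0.0.7",  "udp", 60_000,    6_000_000),
    Flow("203.0.113.9",  "10.0.0.8",  "tcp", 1_000,     150_000),
    Flow("198.51.100.1", "10.0.5.10", "udp", 120_000,   120_000_000),   # VPN server, legitimate
    Flow("198.51.100.3", "10.0.9.3",  "udp", 150_000,   150_000_000),
    Flow("198.51.100.4", "10.0.0.20", "udp", 1_500_000, 1_500_000_000),
    Flow("198.51.100.5", "10.0.0.30", "udp", 6_000_000, 6_000_000_000),
]


def group_for(host: str) -> dict:
    """Longest-prefix match of a host against the configured host groups."""
    addr = ip_address(host)
    matches = [g for g in HOST_GROUPS if addr in ip_network(g["net"])]
    if not matches:
        raise ValueError(f"{host} is not in any monitored network")
    return max(matches, key=lambda g: ip_network(g["net"]).prefixlen)


def aggregate(flows, window_s: float):
    """Per-destination inbound rates {host: (pps, mbps)} over a window_s-second window."""
    pkts, octs = defaultdict(int), defaultdict(int)
    for f in flows:
        pkts[f.dst] += f.packets
        octs[f.dst] += f.octets
    return {h: (pkts[h] / window_s, octs[h] * 8 / window_s / 1e6) for h in pkts}


def detect(flows, window_s: float = 1.0):
    """Alerts for hosts whose inbound pps or Mbps exceed their group's threshold."""
    alerts = []
    for host, (pps, mbps) in aggregate(flows, window_s).items():
        g = group_for(host)
        if pps > g["pps"] or mbps > g["mbps"]:
            alerts.append({"host": host, "group": g["name"], "pps": pps, "mbps": mbps})
    return alerts


def choose_mitigation(alert: dict) -> str:
    """Map an alert to an action, following the policy sketched in the thread."""
    g = group_for(alert["host"])
    if g["policy"] == "blackhole":                 # customer only pays for RTBH
        return f"rtbh {alert['host']}/32"
    if alert["mbps"] < 10_000:                     # below 10 Gbps: FlowSpec on the edge
        return f"flowspec drop-to {alert['host']}/32"
    if alert["mbps"] < 40_000:                     # assumed scrubber capacity cut-off
        return f"redirect {alert['host']}/32 scrubber"
    net24 = ip_network(f"{alert['host']}/24", strict=False)
    return f"announce {net24} via ddos-protection-service"


if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS):
        print(f"{a['host']:<10} group={a['group']:<8} {a['pps']:>10.0f} pps "
              f"{a['mbps']:>8.0f} Mbps -> {choose_mitigation(a)}")
```

Running it lists 10.0.0.7 (pps over the default limit, handled with FlowSpec), 10.0.9.3 (blackholed because of its group policy), and the two larger floods (scrubber redirect, then a /24 announcement), while the VPN server at 10.0.5.10 stays quiet despite carrying the same packet rate as an alerting host.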


Got it thanks. Interesting. So do the usual router suspects (Cisco, Juniper etc) own this market? Does Google/AWS roll their own solutions? Any interesting startups taking them on?


Arbor Networks (now part of Netscout) is the incumbent in this area. Kentik is the disruptive SaaS-based startup.


Radware, Nsfocus, A10 Networks also here.


Yes, it's really perfect for small companies who could not buy expensive filtering boxes. They could cover the most popular attacks with it.


Is there anything like this for Windows?? (please don't hate me)


You could run FastNetMon on Windows 10 with a Linux environment and Docker. We have happy users with such an install :)


+1 happy user here


Thanks Vicente!

