Community Edition

FastNetMon - A high-performance DDoS detector/sensor built on top of multiple packet capture engines: NetFlow, IPFIX, sFlow, AF_PACKET (port mirror).

What do we do?

We detect hosts in the deployed network sending or receiving large volumes of traffic, packets/bytes/flows per second and perform a configurable action to handle that event. These configurable actions include notifying you, calling script or making BGP announcements.

Project

🌏️ Official site
⭐️ FastNetMon Advanced, Commercial Edition
🌟️ FastNetMon Advanced, free one-month trial
📜️ FastNetMon Advanced and Community difference table
📘️ Detailed reference
🔏️ Privacy policy

Installation

• Linux install instructions
• macOS install instructions
• FreeBSD port
• VyOS bundled support

Supported packet capture engines

• NetFlow v5, v9, v9 Lite
• IPFIX
• v5
• PCAP
• AF_PACKET (recommended)
• AF_XDP (XDP based capture)
• Netmap (deprecated, still supported only for FreeBSD)
• PF_RING / PF_RING ZC (deprecated, available only for CentOS 6 in 1.2.0)

You can check out the comparison table for all available packet capture engines.

Features

• Detects DoS/DDoS in as little as 1-2 seconds
• Scales up to terabits on single server (sFlow, Netflow, IPFIX) or to 40G + in mirror mode
• Trigger block/notify script if an IP exceeds defined thresholds for packets/bytes/flows per second
• Complete support for most popular attack types
• Thresholds can be configured per-subnet basis with the hostgroups feature
• Email notifications about detected attack
• Complete IPv6 support
• Prometheus support: system metrics and total traffic counters
• Flow and packet export to Kafka in JSON and Protobuf format
• Announce blocked IPs via BGP to routers with ExaBGP or GoBGP (recommended)
• Full integration with InfluxDB and Graphite
• API
• Redis integration
• MongoDB protocol support compatible with native MongoDB and FerretDB
• VLAN untagging in mirror and sFlow modes
• Capture attack fingerprints in PCAP format

We track multiple platform and environment-specific metrics to understand ways how our product is being used and prioritise development accordingly.

Official support groups:

• Mailing list
• Slack
• IRC: #fastnetmon at irc.libera.chat:6697 (TLS) web client
• Telegram: fastnetmon
• Discord: fastnetmon

Follow us at social media:

• Twitter
• LinkedIn
• Facebook

Router integration instructions

• Juniper MX Routers

Complete integration with the following vendors

• Juniper integration
• A10 Networks Thunder TPS Appliance integration
• MikroTik RouterOS

Screenshots

Command line interface

Standard Grafana dashboard

Example deployment scheme

Legal

FastNetMon is a product of FastNetMon LTD, UK. FastNetMon ® is a registered trademark in the UK and EU.

CI build status

Upstream versions in different distributions