NET HEALER centralizes DDoS Attack Reports from FastNetMon collectors, allows custom notification / mitigation rules, and integrates with lossy-counting and non-Gaussian anomaly-detection algorithms (via Morgoth, listed under dependencies below) to help detect anomalies and avoid false positives.
It exposes the aggregated state through an HTTPS JSON API; see the query examples below.
Stages:
- cleared - no Attack Reports received for any /32 target
- warning - fewer than 3 Attack Reports received for /32 target(s)
- critical - more than [x] Attack Reports received for /32 target(s)
- under_attack - beyond critical: FNM and the other algorithms agree that an attack is ongoing
Each FNM /32 ban = 1 NET HEALER Attack Report.
The lower the FNM ban time, the faster NET HEALER advances through the stages (thresholds can be customized).
Start with an FNM ban time of 30 seconds (NET HEALER will then converge from cleared to warning after 90 seconds).
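As an added illustration, not NET HEALER's own code, the Ruby below maps a per-/32 Attack Report count onto the stages above and simulates how the FNM ban time sets the pace of escalation. The threshold values, the 300-second counting window, the simulated target address and the anomaly-confirmation flag are assumptions.

```ruby
# Added example, not NET HEALER's own code: one FastNetMon /32 ban equals one
# Attack Report; the count of recent reports per target selects the stage.

# Assumed thresholds (NET HEALER's are configurable): 1-2 reports => warning,
# 3 or more => critical. under_attack additionally needs confirmation from
# the anomaly-detection side, as the README describes.
THRESHOLDS = { warning: 1, critical: 3 }.freeze

def stage_for(report_count, anomaly_confirmed: false, thresholds: THRESHOLDS)
  return :cleared if report_count < thresholds[:warning]
  return :warning if report_count < thresholds[:critical]
  anomaly_confirmed ? :under_attack : :critical
end

# Per-target report log: target /32 => array of ban timestamps (seconds).
class ReportBook
  def initialize(window: 300)
    @window = window # assumed: reports older than this no longer count
    @reports = Hash.new { |h, k| h[k] = [] }
  end

  # One FNM ban for a /32 equals one Attack Report.
  def record_ban(target, at:)
    @reports[target] << at
  end

  # Reports that fall inside the sliding window ending at `now`.
  def count(target, now:)
    @reports[target].count { |t| t > now - @window && t <= now }
  end

  def stage(target, now:, anomaly_confirmed: false)
    stage_for(count(target, now: now), anomaly_confirmed: anomaly_confirmed)
  end

  # Stage of every known target; targets with no recent reports read as cleared.
  def snapshot(now:)
    @reports.keys.to_h { |t| [t, stage(t, now: now)] }
  end
end

# Simulate FNM re-banning a continuously attacked /32 (assumed address) every
# ban_time seconds for `duration` seconds and return the resulting stage.
def stage_after(ban_time:, duration:, anomaly_confirmed: false)
  book = ReportBook.new
  (0..duration).step(ban_time) { |t| book.record_ban('200.200.200.10', at: t) }
  book.stage('200.200.200.10', now: duration, anomaly_confirmed: anomaly_confirmed)
end

if __FILE__ == $PROGRAM_NAME
  puts stage_after(ban_time: 30, duration: 60)  # bans at t=0,30,60 => critical
  puts stage_after(ban_time: 120, duration: 60) # only one ban so far => warning
end
```

With a 30-second ban time three reports accumulate within a minute and the target is already critical, while a 120-second ban time leaves it at warning over the same minute; shortening the ban time is therefore the knob that speeds up escalation, and the window keeps a target from staying critical forever once the bans stop.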
Working:
- Grafana vertical-bar annotations with markdown including state/target (OK)
- email (OK, beta)
- pagerduty (OK)
WIP:
- BGP blackhole or scrubbing center routing
- flowdock messages (note: custom integrations should be moved to plugins/ in the future)

Dependencies:
- FastNetMon: a super cool tool written by Pavel Odintsov - https://github.com/FastVPSEestiOu/fastnetmon
- Morgoth (https://github.com/nathanielc/morgoth)
- Redis (https://github.com/antirez/redis)
- InfluxDB (https://github.com/influxdb/influxdb)
- Grafana (https://github.com/grafana/grafana)
##Installation

0. FastNetMon (FNM) should be configured to use:
  - Redis (https://github.com/FastVPSEestiOu/fastnetmon/blob/master/docs/REDIS.md)
  - InfluxDB (https://github.com/FastVPSEestiOu/fastnetmon/blob/master/docs/INFLUXDB_INTEGRATION.md)
1. Install Ruby (https://www.ruby-lang.org/en/documentation/installation/)
2. Install the gems and bootstrap:

```
$ gem install bundler
$ bundle install
$ bundle exec script/bootstrap
```

3. Populate .env with a config
4. Start the service:

```
$ bundle exec script/start
```
##How to query the API

Responses are JSON over HTTPS.

=> query overall status

```json
{
  "status": "clear",
  "timestamp": "20150913-115403"
}
```

=> query current DDoS reports

```json
{
  "reports": {
    "200.200.200.10": {
      "fqdn": "nethealer.hostingxpto.com",
      "attack_type": "udp_flood",
      "alerts": 2,
      "protocol": [
        "udp"
      ],
      "incoming": {
        "total": {
          "mbps": 2894.96,
          "pps": 781380,
          "flows": 628
        },
        "tcp": {
          "mbps": 1.71,
          "pps": 2654,
          "syn": {
            "mbps": 0.08,
            "pps": 109
          }
        },
        "udp": {
          "mbps": 2761,
          "pps": 779884
        },
        "icmp": {
          "mbps": 0,
          "pps": 0
        }
      }
    }
  }
}
```

=> query current DDoS reports + packet capture

[output suppressed]

=> query /32 targets + amount of current Attack Reports

```json
{
  "reports": {
    "200.200.200.10": 3
  },
  "timestamp": "20150913-030255"
}
```
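The following is an added example of a consumer for the two response shapes above, not NET HEALER's own client. The sample documents are constructed to match the README output; the endpoint URL is left as a parameter because the request lines are not shown on this page, and the 300-second staleness limit is an assumption.

```ruby
# Added example, not NET HEALER's own code: parse the "current DDoS reports"
# and "/32 targets + report counts" responses and summarize them.
require 'json'
require 'net/http'
require 'time'
require 'uri'

# Fetch and decode one API document over HTTPS (Net::HTTP verifies the
# certificate by default for https URIs). The URL is caller-supplied; this
# helper is not exercised offline.
def fetch_json(url)
  JSON.parse(Net::HTTP.get(URI(url)))
end

# Constructed sample, modelled on the README's "current DDoS reports" output.
SAMPLE_REPORTS = <<~JSON
  {"reports": {"200.200.200.10": {
    "fqdn": "nethealer.hostingxpto.com", "attack_type": "udp_flood",
    "alerts": 2, "protocol": ["udp"],
    "incoming": {
      "total": {"mbps": 2894.96, "pps": 781380, "flows": 628},
      "tcp":   {"mbps": 1.71, "pps": 2654, "syn": {"mbps": 0.08, "pps": 109}},
      "udp":   {"mbps": 2761, "pps": 779884},
      "icmp":  {"mbps": 0, "pps": 0}}}}}
JSON

# Constructed sample, modelled on the "/32 targets + Attack Reports" output.
SAMPLE_COUNTS = <<~JSON
  {"reports": {"200.200.200.10": 3}, "timestamp": "20150913-030255"}
JSON

# One summary per target: attack type, report count, total inbound pps, the
# share of pps per protocol, and whether the dominant protocol agrees with
# the protocol list FNM attached to the report.
def summarize_reports(doc)
  JSON.parse(doc).fetch('reports').map do |target, r|
    incoming  = r.fetch('incoming')
    total_pps = incoming.fetch('total').fetch('pps').to_f
    shares = %w[tcp udp icmp].to_h do |proto|
      pps = incoming.fetch(proto).fetch('pps')
      [proto, total_pps.zero? ? 0.0 : (pps / total_pps).round(3)]
    end
    dominant = shares.max_by { |_, share| share }.first
    {
      target: target,
      attack_type: r['attack_type'],
      alerts: r['alerts'],
      total_pps: total_pps.to_i,
      pps_share: shares,
      dominant: dominant,
      matches_fnm_protocol: Array(r['protocol']).include?(dominant)
    }
  end
end

# Per-target Attack Report counts, hottest target first.
def targets_by_reports(doc)
  JSON.parse(doc).fetch('reports').sort_by { |_, n| -n }
end

# API timestamps look like "YYYYMMDD-HHMMSS" (no zone given on the page).
def parse_timestamp(str)
  Time.strptime(str, '%Y%m%d-%H%M%S')
end

# Treat a counts document as stale when its timestamp is older than max_age
# seconds relative to `now` (300 s is an assumed limit).
def stale?(doc, now:, max_age: 300)
  now - parse_timestamp(JSON.parse(doc).fetch('timestamp')) > max_age
end

if __FILE__ == $PROGRAM_NAME
  summarize_reports(SAMPLE_REPORTS).each { |s| puts s.inspect }
  targets_by_reports(SAMPLE_COUNTS).each { |t, n| puts "#{t}: #{n} reports" }
end
```

The protocol-share check is the kind of sanity test a responder wants before acting on a report: here udp carries about 99.8% of the inbound pps, which agrees with the `udp_flood` classification and the `protocol` list, so a mitigation rule keyed on UDP would match the traffic actually seen.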
PRs are more than welcome!