fastnetmon v1.1.4 releases: very fast DDoS analyzer

FastNetMon – A high-performance DoS/DDoS load analyzer built on top of multiple packet capture engines (NetFlow, IPFIX, sFLOW, SnabbSwitch, netmap, PF_RING, PCAP).

What can we do? We can detect hosts in our networks sending or receiving large volumes of packets/bytes/flows per second. We can call an external script to notify you, switch off a server, or blackhole the client.

To enable sFLOW, simply specify IP of the server running FastNetMon and specify (configurable) port 6343 To enable NetFlow, simply specify IP of the server running FastNetMon and specify (configurable) port 2055

What is a “flow” in FastNetMon terms? It’s one or multiple UDP, TCP, or ICMP connections with unique src IP, dst IP, src port, dst port, and protocol.


  • Complete BGP Flow Spec support, RFC 5575
  • Process and distinguish incoming and/or outgoing traffic
  • Trigger block/notify script if an IP exceeds defined thresholds for packets/bytes/flows per second
  • Thresholds can be configured per-subnet with the hostgroups feature
  • Announce blocked IPs via BGP to routers with ExaBGP
  • GoBGP integration for unicast IPv4 announcements (you need build support manually).
  • Full integration with Graphite and InfluxDB
  • API (you need build support manually)
  • Redis integration
  • MongoDB integration
  • Deep packet inspection for attack traffic
  • netmap support (open source; wire speed processing; only Intel hardware NICs or any hypervisor VM type)
  • SnabbSwitch support (open source, very flexible, LUA drove, very-very-very fast)
  • Filter NetFlow v5 flows or sFLOW packets with LUA scripts (useful for excluding particular ports)
  • Supports L2TP decapsulation, VLAN untagging and MPLS processing in mirror mode
  • Works on server/soft-router
  • Detects DoS/DDoS in as little as 1-2 seconds
  • Tested up to 10Gb with 12 Mpps on Intel i7 3820 with Intel NIC 82599
  • Complete plugin support
  • Captures attack fingerprints in PCAP format
  • Complete support for most popular attack types

Main screen image

Example CPU load on Intel i7 2600 with Intel X540/82599 NIC at 400 kpps load: Cpu consumption

Example deployment scheme: Network diagramm

Changelog v1.1.4


  • Improved compatibility with new version of nDPI
  • Improved integration with A-10 Networks with plugin
  • Suppressed excessive logging about missing IPFIX options
  • Improved configuration file parser
  • Added option to specify custom file path to log file
  • Added txt extension for attack dumps
  • Switched Mikrotik integration code to well known Blackhole community number according to RFC7999
  • Added support for Ubuntu 18.04
  • Improved systemd unit to restart FastNetMon in case of crash
  • Added notification about attacks in Mikrotik’s global log file
  • Fixed bug for IPv6 traffic direction detection code
  • Added Debian 9 support
  • Added Ubuntu 16.04 support
  • Introduced option –use-modern-pf-ring to install latest PF_RING
  • Removed code which uses x86 only features to improve portability
  • FastNetMon will not not export empty metrics to Graphite
  • Introduced cmake option to disable Netmap plugin completely
  • Added ifconfig to dependencies for CentOS 7
  • Added support for Memory Model Aware Atomic Operations to improve portability
  • Added support for OpenBSD
  • Disabled non-protable CPU affinity code for non-GNU libc platforms
  • Added Juniper integration plugin
  • Fixed insecure permissions for /tmp/fastnetmon.dat
  • Fixed build process for json-c on systems with fresh gcc


FastNetMon – High-Performance DDoS sensor software
Copyright 2017 FastNetMon LTD