pavel-odintsov / fastnetmon

FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
https://fastnetmon.com
GNU General Public License v2.0

Implement http flood monitoring toolkit #137

Closed pavel-odintsov closed 7 years ago

pavel-odintsov commented 9 years ago

We should implement stand-alone HTTP flood monitoring software for in-place DDoS mitigation on heavily loaded web servers.

In addition we could parse SSL SNI.

pavel-odintsov commented 9 years ago

We could do this with https://github.com/h2o/picohttpparser

okv commented 8 years ago

@pavel-odintsov any updates on implementing http flood detection?

pavel-odintsov commented 8 years ago

Hello!

No, actually. For HTTP we need an intrusive mode with full packet filtering. We are working with sampled packet capture (sFlow and NetFlow), and in this case we actually don't have any information about HTTP requests, or they are sampled with a very big rate.

We have this in the roadmap, but without any ETA. If you need it so much, we could discuss it in detail. My email: pavel.odintsov@gmail.com

okv commented 8 years ago

I'm very interested in layer 7 DDoS attack detection; I'll write you soon.

craig commented 8 years ago

I'm really interested in this one, too! I've given it some thought, and it might be the best idea to save HTTP requests into Elasticsearch. With something like YARA, maybe existing Snort rules, it would be possible to easily block known L7 tools? But that would be very static, and we need behaviour rules like: one IP is querying URL /search.php?q=[RANDOM] more than once per minute, or is doing GET / HTTP/1.1 but never fetching any CSS. That's a lot harder to do.

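The two behaviour rules sketched in the comment above, as an added detection example written for this thread (not FastNetMon code and not craig's): it parses a few constructed access-log lines and flags a client that hits /search.php with several distinct q= values within one minute, and a client that requests / but never fetches any CSS. The log line format, the sample addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in a minimal, assumed format:
# client_ip ISO-timestamp "METHOD path HTTP/1.1" status
SAMPLE_LOG = """\
203.0.113.5 2016-03-01T10:00:01 "GET /search.php?q=ab12 HTTP/1.1" 200
203.0.113.5 2016-03-01T10:00:20 "GET /search.php?q=zz9q HTTP/1.1" 200
203.0.113.5 2016-03-01T10:00:41 "GET /search.php?q=kk01 HTTP/1.1" 200
198.51.100.7 2016-03-01T10:00:05 "GET / HTTP/1.1" 200
198.51.100.7 2016-03-01T10:00:06 "GET /static/site.css HTTP/1.1" 200
198.51.100.9 2016-03-01T10:00:07 "GET / HTTP/1.1" 200
198.51.100.9 2016-03-01T10:00:08 "GET / HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3})$')

def parse(log_text):
    """Yield (ip, timestamp, method, path) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, _status = m.groups()
            yield ip, datetime.fromisoformat(ts), method, path

def random_search_offenders(log_text, path="/search.php", param="q", limit=1):
    """IPs requesting `path` with more than `limit` distinct `param` values in one calendar minute."""
    seen = defaultdict(set)  # (ip, minute bucket) -> distinct param values seen
    for ip, ts, _m, p in parse(log_text):
        u = urlparse(p)
        if u.path == path:
            q = parse_qs(u.query).get(param, [""])[0]
            seen[(ip, ts.replace(second=0, microsecond=0))].add(q)
    # Distinct values only: a client retrying the same query is not generating random ones.
    return {ip for (ip, _minute), vals in seen.items() if len(vals) > limit}

def no_css_offenders(log_text):
    """IPs that fetched / but never any .css resource (a real browser normally does both)."""
    got_root, got_css = set(), set()
    for ip, _ts, _m, p in parse(log_text):
        path = urlparse(p).path
        if path == "/":
            got_root.add(ip)
        elif path.endswith(".css"):
            got_css.add(ip)
    return got_root - got_css
```

Both functions return sets of client addresses that could feed a blocklist or an ipset, which is the kind of static output the comment calls "a lot harder" to get from rules alone.
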
pavel-odintsov commented 7 years ago

I see no reason to add L7 attacks to FastNetMon at this moment. Why? Because if you care about L7 mitigation, you need to use some middle box (nginx? Tengine? HAProxy?) to pass all traffic over your equipment.

Transparent detection from a mirror is a complete waste of your time because you could not use BGP FlowSpec or BGP unicast to prevent such attacks.

craig commented 7 years ago

You could still generate some filter rules and inject them into firewalls (maybe as an ipset), but I agree that it's better to implement it in the middle box. Thanks for the explanation.

pavel-odintsov commented 7 years ago

It's too complicated to handle L7 attacks. More than 75% of the modern web is encrypted. So we could not do ipset either.