pavel-odintsov / fastnetmon

FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
https://fastnetmon.com
GNU General Public License v2.0

Implement support for IPv6 flow-based DDoS detection #938

Open stkonst opened 2 years ago

stkonst commented 2 years ago

The current code-base of FastNetMon does not support IPv6 flow tracking. Thus, when an attacker is hitting our network, we can see on the client the pps and Mbps counters increasing but not the flow counters. Thus, flow-based DDoS detection and mitigation is useless for IPv6. AFAIK, the same issue applies to the advanced/paid version.

Thus, I would like to submit an RFE to the team to have this feature implemented, and I am open to sharing details/requirements if needed.

Kind regards, Stavros

pavel-odintsov commented 2 years ago

Hello!

Thank you for sharing your feedback. Our code relies on the fact that a 5-tuple can be encoded into a 64-bit integer (https://github.com/pavel-odintsov/fastnetmon/blob/3a21ef0cb236280c99e4be0eb8791c5a7b4d896f/src/fastnetmon_types.hpp#L304), and it may be quite tricky to rework the current approach for IPv6. So we will need some other logic.

I see the new logic as a completely different approach which stores all flows in a tracking table and then does not flush it every period but just counts the number of new flows for the last period.
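
The approach sketched in the comment above, as an added example that is not fastnetmon's own code: an IPv6 5-tuple key (128 + 128 + 16 + 16 + 8 = 296 bits, which is why the existing 64-bit packing cannot simply be reused) stored in a persistent table that counts first-time flows per period and ages out idle entries instead of flushing the whole table. All names here (FlowKeyV6, FlowKeyV6Hash, FlowTrackerV6, observe, end_period, make_key, run_scenario) and the traffic scenario are this example's own assumptions. The hard cap on table size is the caveat a practitioner would want: a spoofed IPv6 flood from a single /64 can present far more distinct sources than any host can remember, so a table that is never flushed must be bounded and aged.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <unordered_map>

// Hypothetical IPv6 5-tuple key (names are this example's own, not fastnetmon's).
// 128 + 128 + 16 + 16 + 8 = 296 bits: too wide for one 64-bit integer.
struct FlowKeyV6 {
    std::array<uint8_t, 16> src;
    std::array<uint8_t, 16> dst;
    uint16_t src_port;
    uint16_t dst_port;
    uint8_t protocol;

    bool operator==(const FlowKeyV6& o) const {
        return src == o.src && dst == o.dst && src_port == o.src_port &&
               dst_port == o.dst_port && protocol == o.protocol;
    }
};

// FNV-1a over every field so the struct can serve as an unordered_map key.
struct FlowKeyV6Hash {
    size_t operator()(const FlowKeyV6& k) const {
        uint64_t h = 1469598103934665603ULL;
        auto mix = [&h](const uint8_t* p, size_t n) {
            for (size_t i = 0; i < n; ++i) { h ^= p[i]; h *= 1099511628211ULL; }
        };
        mix(k.src.data(), k.src.size());
        mix(k.dst.data(), k.dst.size());
        const uint8_t ports[4] = { uint8_t(k.src_port >> 8), uint8_t(k.src_port),
                                   uint8_t(k.dst_port >> 8), uint8_t(k.dst_port) };
        mix(ports, sizeof ports);
        mix(&k.protocol, 1);
        return static_cast<size_t>(h);
    }
};

// Persistent flow table: entries survive across periods, a flow is "new" only the
// first time it is seen, and idle entries are aged out rather than the table being
// flushed. The cap bounds memory under spoofed floods; flows that hit the cap are
// still counted as new (that is the detection signal) but are not remembered.
class FlowTrackerV6 {
public:
    FlowTrackerV6(uint64_t idle_timeout_sec, size_t max_flows)
        : idle_timeout_(idle_timeout_sec), max_flows_(max_flows) {}

    // Record one packet of a flow. Returns true if the flow was not known.
    bool observe(const FlowKeyV6& key, uint64_t now_sec) {
        auto it = flows_.find(key);
        if (it != flows_.end()) { it->second = now_sec; return false; }  // refresh last-seen
        ++new_flows_this_period_;
        if (flows_.size() >= max_flows_) ++untracked_;   // table full: count, do not insert
        else flows_.emplace(key, now_sec);
        return true;
    }

    // Once per reporting period: return and reset the new-flow count, expire idle flows.
    uint64_t end_period(uint64_t now_sec) {
        uint64_t new_flows = new_flows_this_period_;
        new_flows_this_period_ = 0;
        for (auto it = flows_.begin(); it != flows_.end();) {
            if (now_sec - it->second >= idle_timeout_) it = flows_.erase(it);
            else ++it;
        }
        return new_flows;
    }

    size_t tracked() const { return flows_.size(); }
    uint64_t untracked() const { return untracked_; }

private:
    std::unordered_map<FlowKeyV6, uint64_t, FlowKeyV6Hash> flows_;
    uint64_t idle_timeout_;
    size_t max_flows_;
    uint64_t new_flows_this_period_ = 0;
    uint64_t untracked_ = 0;
};

// Constructed sample key: source 2001:db8::<suffix>, destination 2001:db8:0:1::1, TCP/443.
FlowKeyV6 make_key(uint16_t src_suffix, uint16_t src_port) {
    FlowKeyV6 k{};
    k.src = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
             uint8_t(src_suffix >> 8), uint8_t(src_suffix)};
    k.dst = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1};
    k.src_port = src_port;
    k.dst_port = 443;
    k.protocol = 6;
    return k;
}

// Constructed scenario (synthetic, not captured traffic): 500 distinct sources in
// period 1, the same 500 again in period 2, then silence until period 4.
struct Scenario { uint64_t new_p1, new_p2, tracked_p2, tracked_p4, untracked; };

Scenario run_scenario() {
    FlowTrackerV6 tracker(/*idle_timeout_sec=*/60, /*max_flows=*/400);
    Scenario r{};
    for (uint16_t i = 0; i < 500; ++i) tracker.observe(make_key(i, 40000 + i), 10);
    r.new_p1 = tracker.end_period(30);      // 500 new flows, only 400 fit in the table
    for (uint16_t i = 0; i < 500; ++i) tracker.observe(make_key(i, 40000 + i), 40);
    r.new_p2 = tracker.end_period(60);      // the 100 untracked flows look new again
    r.tracked_p2 = tracker.tracked();
    tracker.end_period(90);                 // idle 50 s: nothing expired yet
    tracker.end_period(120);                // idle 80 s: everything aged out
    r.tracked_p4 = tracker.tracked();
    r.untracked = tracker.untracked();
    return r;
}
```

The per-period counter is what a detection threshold would be compared against; the table itself only exists so that repeat packets of a long-lived flow are not counted again. Whether a flow rejected by the cap should count as new is a policy choice: counting it keeps the detector sensitive during a flood at the cost of re-counting it next period, while not counting it would let an attacker who fills the table blind the detector.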

stkonst commented 1 year ago

Hi @pavel-odintsov, I was wondering if this bug is fixed in the latest (1.2.3) version of FastNetMon.

Thanks in advance.

pavel-odintsov commented 1 year ago

Hello!

No, we had no progress with this feature in the latest version.

stkonst commented 1 year ago

Thank you for the quick reply. Any non-binding ETA for a possible delivery of this enhancement?

pavel-odintsov commented 1 year ago

Hello!

I'm sorry, but we have no ETA for this task as it's a pretty large change from a design perspective.