FastNetMon open source tool to detect DoS/DDoS

Hello, FreeBSD Community!

I would like to announce our tool for DDoS detection, in case you missed the news about the new port! :)

First of all, I would like to say thank you to our maintainer Babak Farrokhi for adding FastNetMon into FreeBSD's ports:

We have support for a wide range of protocols:
  • NetFlow v5, v9
  • v4, v5
  • Port mirror/SPAN capture with NETMAP support
And we offer a number of very nice options:
  • Complete BGP Flow Spec support, RFC 5575
  • Process and distinguish incoming and/or outgoing traffic
  • Trigger block/notify script if an IP exceeds defined thresholds for packets/bytes/flows per second
  • Thresholds can be configured per-subnet with the hostgroups feature
  • Announce blocked IPs via BGP to routers with ExaBGP
  • GoBGP integration for unicast IPv4 announcements (you need to build support manually).
  • Full integration with Graphite and InfluxDB
  • API (you need to build support manually)
  • Redis integration
  • MongoDB integration
  • Deep packet inspection for attack traffic
  • netmap support (open source; wire speed processing; only Intel hardware NICs or any hypervisor VM type)
  • Filter NetFlow v5 flows or sFlow packets with Lua scripts (useful for excluding particular ports)
  • Supports L2TP decapsulation, VLAN untagging and MPLS processing in mirror mode
  • Works on server/soft-router
  • Detects DoS/DDoS in as little as 1-2 seconds
  • Tested up to 10Gb with 12 Mpps on Intel i7 3820 with Intel NIC 82599
  • Complete plugin support
  • Captures attack fingerprints in PCAP format
  • Complete support for most popular attack types
You can find more details here:

I will follow this thread and you can ask any questions related to FastNetMon here!

Just too bad that the utility is basically somewhat of a bait / placeholder to try and get people to buy into the commercial version. Quoting the official website:

FastNetMon Community provides restricted number of capabilities and could be considered only as framework for building more complicated solutions.

I'm not sure what to make of that, it also makes me question the usability of this thing.

And I mention this because your post up there could be considered as a little misleading. You mention the port and then a whole list of features yet you don't bother to tell us that most of those mentioned features are not supported in the community version. Not to mention the quote I shared above.

I also think that your website is definitely misleading. After all, if you follow the link above then you'll see it mentioned that features such as "Native BGP support", "Native BGP Flow Spec / RFC 5575", "InfluxDB support" are not supported in the community version. But if you then go to the community version feature list, all of a sudden these features are mentioned as being supported. So which is it?

One page claims it's not supported and the other says it is. I could imagine that 1 feature could be accounted for a mistake, but a whole list of them? Picture me confused!

All of this gives me the impression that a very heavy emphasis is being put on the commercial aspect of the whole thing. That by itself is not necessarily a bad thing of course, but I get a little wary when I notice oddities such as those mentioned above.

Thank you for the feedback! We really appreciate even negative feedback. It helps us to become better. FastNetMon was built with this idea from the first days and keeps this idea in its DNA.

I think you have an incorrect understanding of our community and advanced versions. I'm a bit lazy and I copied and pasted this list from our GitHub page. If you can find something which is offered but not available in it, please quote it here.

At this moment, all your criticism is absolutely misleading.

"Native BGP support" - yes, we have it and we support ExaBGP and GoBGP in the community version. Hundreds (thousands?) of users use it. You can check our official mailing list for the public version and see how many people are asking about ExaBGP integrations. It's still an external tool but we support it very well.

"Native BGP Flow Spec / RFC 5575" - Yes, we support it for a number of attacks. It's a bit worse than the engine available in the Advanced version but it works and people use it. It supports only the most popular amplification types like DNS, NTP, SSDP and a few others. But you can simply add new protocols using simple code and nDPI.

"InfluxDB support" - Yes, we also support it. We have community contributed dashboards, tons of them! This integration is not native, we suggest using the "bridge" available in InfluxDB to read data using the Graphite protocol.


I have no idea why you think that our open source version is "bait/placeholder". It works. How could I prove it? Let's check this page:

It solves your problem. Absolutely free. And I can even prove it with a link:

It uses a completely free and well-known license. Well, it's GPLv2 and I do not need to prove this.

If you are happy with the open source version, that's fine. We will never force you to buy the commercial edition. Because we could not. GPLv2 does not allow us to do it.

I hope I filled all gaps in your understanding of our product. Nevertheless, we are open to criticism and still following the thread to answer your questions :)

Community (free) user here. I currently use FastNetMon in conjunction with InfluxDB (with Graphite plugin) and Grafana. It works like a charm, and I haven't spent a dime. Check out some Grafana Dashboards (find FastNetMon) that are available, specifically Top Hosts, which I love. I have used both the mirrored option and NetFlow.

To be honest I don't really know what I'm missing with the commercial version as I've been able to do what I need with the community. It's great, free software. And the biggest + I give it is that the author is always active and willing to help in IRC FreeNode #fastnetmon with tips and tricks.

Join if you have questions or issues.

Thanks for the feedback.

Thank you for the feedback! We really appreciate even negative feedback. It helps us to become better. FastNetMon was built with this idea from the first days and keeps this idea in its DNA.
Well, not necessarily negative but most certainly a bit critical, yes.

I think you have an incorrect understanding of our community and advanced versions.


At this moment, all your criticism is absolutely misleading.
Then please keep in mind that I based all of my comments on information from your own website, as you can see for yourself by following the links I shared. Even so, thanks for clearing it up here.

synthetiq, thanks for the feedback! I appreciate it :)

ShelLuser, yep, our site needs some love in different parts... I agree with that :) But for the community version, I suggest using the GitHub page. It contains up-to-date information about all available options and does not mix community and advanced versions together as we do on the site.

Also, we have a special table to compare editions: