Skip to content
NET HEALER receive DDoS Attack reports from FastNetMon collectors allowing custom triggers on a per stage based actions.
Branch: master
Clone or download
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
actions-available fixing pagerduty Apr 25, 2016
actions-enabled
config
extra add my fastnetmon.conf example Apr 3, 2016
lib adding bgp action (BIRD integration by linux kernel route) +·adding A… Apr 16, 2016
log initial commit \o/ - basic functions working with FastNetMon Jul 13, 2015
routes
script
spec Add Rspec gem Jul 21, 2015
.env.example
.gitignore updating readme Apr 19, 2016
.rspec
Gemfile add pagerduty notification support / fix minor issues Sep 18, 2015
Gemfile.lock refactoring pooling strategy. now only used for graphing, not alerts.… Mar 27, 2016
README.md updating readme Apr 19, 2016
app_config.rb
config.ru initial commit \o/ - basic functions working with FastNetMon Jul 13, 2015
healer.rb

README.md

NET HEALER

NET HEALER receive DDoS Attack reports from FastNetMon collectors allowing custom triggers on a per stage based actions.
Allows integration with non gaussian algorithms for anomaly detection.
Provides a RESTful like API

STAGES

  • clear - no Attack Reports received for any /32 target
  • warning - less or equal to 2 Attack Reports received for /32 target(s)
  • critical - more than 2 Attack Reports received for /32 target(s)
  • under_attack - FastNetMon + anomaly detected

Each 1 FNM /32 ban = 1 NET HEALER Attack Report
Lower the FNM ban time, faster NET HEALER will advance in stages (thresholds can be customized)
Start with FNM ban time: 45 seconds (NET HEALER will converge from cleared to warning after 90 seconds)

ACTIONS

  • Grafana vertical bars markdown including stage/target(s)
  • Email
  • Pagerduty
  • Flowdock chat messages
  • BGP announces (BIRD + kernel blackhole tables)

Requirements

Nice to have

##Installation 0. FastNetMon (FNM) should be configured to use:

  1. install ruby (https://www.ruby-lang.org/en/documentation/installation/)
  2. $ gem install bundler
  3. $ bundle install
  4. $ bundle exec script/bootstrap
  5. Populate .env with a config
  6. $ bundle exec script/start

Screenshot during an attack

alt tag

##How to query the API

GET /healer/v1/ddos/status

{
  "status": "clear",
  "timestamp": "20150913-115403"
}

GET /healer/v1/ddos/reports

{
    "reports": {
        "200.200.200.10": {
            "fqdn": "nethealer.hostingxpto.com",
            "attack_type": "udp_flood",
            "alerts": 2,
            "protocol": [
                "udp"
            ],
            "incoming": {
                "total": {
                    "mbps": 2894.96,
                    "pps": 781380,
                    "flows": 628
                },
                "tcp": {
                    "mbps": 1.71,
                    "pps": 2654,
                    "syn": {
                        "mbps": 0.08,
                        "pps": 109
                    }
                },
                "udp": {
                    "mbps": 2761,
                    "pps": 779884
                },
                "icmp": {
                    "mbps": 0,
                    "pps": 0
                }
            }
        }
    }
}

### GET /healer/v1/ddos/brief 
=> query /32 targets + amount of current Attack Reports
```json
{
  "reports": {
    "200.200.200.10": 3,
  },
  "timestamp": "20150913-030255"
}

WORK IN PROGRESS

=> PRs are more than welcome !

Need help ?

send me an email vdeluca@zendesk.com

You can’t perform that action at this time.