Skip to content

NET HEALER receive DDoS Attack reports from FastNetMon collectors allowing custom triggers on a per stage based actions.

Notifications You must be signed in to change notification settings

zenvdeluca/net_healer

Repository files navigation

NET HEALER

NET HEALER receive DDoS Attack reports from FastNetMon collectors allowing custom triggers on a per stage based actions.
Allows integration with non gaussian algorithms for anomaly detection.
Provides a RESTful like API

STAGES

  • clear - no Attack Reports received for any /32 target
  • warning - less or equal to 2 Attack Reports received for /32 target(s)
  • critical - more than 2 Attack Reports received for /32 target(s)
  • under_attack - FastNetMon + anomaly detected

Each 1 FNM /32 ban = 1 NET HEALER Attack Report
Lower the FNM ban time, faster NET HEALER will advance in stages (thresholds can be customized)
Start with FNM ban time: 45 seconds (NET HEALER will converge from cleared to warning after 90 seconds)

ACTIONS

  • Grafana vertical bars markdown including stage/target(s)
  • Email
  • Pagerduty
  • Flowdock chat messages
  • BGP announces (BIRD + kernel blackhole tables)

Requirements

Nice to have

##Installation 0. FastNetMon (FNM) should be configured to use:

  1. install ruby (https://www.ruby-lang.org/en/documentation/installation/)
  2. $ gem install bundler
  3. $ bundle install
  4. $ bundle exec script/bootstrap
  5. Populate .env with a config
  6. $ bundle exec script/start

Screenshot during an attack

alt tag

##How to query the API

GET /healer/v1/ddos/status

{
  "status": "clear",
  "timestamp": "20150913-115403"
}

GET /healer/v1/ddos/reports

{
    "reports": {
        "200.200.200.10": {
            "fqdn": "nethealer.hostingxpto.com",
            "attack_type": "udp_flood",
            "alerts": 2,
            "protocol": [
                "udp"
            ],
            "incoming": {
                "total": {
                    "mbps": 2894.96,
                    "pps": 781380,
                    "flows": 628
                },
                "tcp": {
                    "mbps": 1.71,
                    "pps": 2654,
                    "syn": {
                        "mbps": 0.08,
                        "pps": 109
                    }
                },
                "udp": {
                    "mbps": 2761,
                    "pps": 779884
                },
                "icmp": {
                    "mbps": 0,
                    "pps": 0
                }
            }
        }
    }
}

### GET /healer/v1/ddos/brief 
=> query /32 targets + amount of current Attack Reports
```json
{
  "reports": {
    "200.200.200.10": 3,
  },
  "timestamp": "20150913-030255"
}

WORK IN PROGRESS

=> PRs are more than welcome !

Need help ?

send me an email vdeluca@zendesk.com

About

NET HEALER receive DDoS Attack reports from FastNetMon collectors allowing custom triggers on a per stage based actions.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •