Implement support for IPv6 flow-based DDoS detection

[stkonst]

The current code-base of fastnetmon is not supporting IPv6 flow-tracking. Thus, when an attacker is hitting our network, we can see at the client the pps and mbps counters increasing but not the flow counters. Thus, the flow-based DDoS detection and mitigation is useless in IPv6. AFAIK, the same issue applies at the advanced/paid version.

Thus, I would like to submit an RFE to the team to have this feature implemented and I am open to share details/requirements if needed.

Kind Regards
Stavros

[pavel-odintsov]

Hello!

Thank you for sharing your feedback. Our code relies on fact that 5 tuple can be encoded into 64 bit integer

fastnetmon/src/fastnetmon_types.hpp

Line 304 in 3a21ef0

packed_conntrack_hash_t() : opposite_ip(0), src_port(0), dst_port(0) {

and it may be quite tricky to rework current approach for IPv6. So we will need some other logic.

I see new logic as completely different approach which stores all flows in tracking table and then does not flush it every period but just counts number of new flows for last period.

[stkonst]

Hi @pavel-odintsov I was wondering if this bug is fixed on the latest (1.2.3) version of FastNetmon.

Thank's in advance.

[pavel-odintsov]

Hello! No, we had no progress with this feature in latest version.

[stkonst]

Thank you for the quick reply. Any non-binding ETA for a possible delivery of this enhancement?

[pavel-odintsov]

Hello! I'm sorry but we have no ETA about this task as it's pretty large change from design perspective.