Free-ish Linux Netflow collector/analyser options

Mailman List Mirror (Read Only)
1

I’m looking for a free-ish Linux open sources Netflow collector/analyser. I have 5 Juniper MX routers that will send IPFIX flows to for an ISP network. I’m hoping it is something I can run in AWS/EC2 as I don’t want to worry about storage again in my lifetime. Does anyone have any recommendations?

For reporting I would like to generate basic usage reports to/from IP/Subnet/ASN. It would be great if it could also detect DDoS and activate flowspec back into my core routers but that isn’t a requirement

Thanks

-Matt

2

Try FlowViewer (analyzing, graphing, tending software) + SiLK (robust, high-performance capture software from Carnegie-Mellon).

Pretty full netflow analysis package; free.

See:

Joe

3

[...]

There was a long thread back in January that I think will provide
you many of the suggestions you're seeking. If you haven't seen it, it
starts here:

  <Flow collection and analysis>

John

4

The ELK stack does a good job of collecting netflow records with the addition of Filebeat. Check out my tattle-tale tool that collects netflow data: https://github.com/racompton/tattle-tale It has numerous rules in logstash/conf.d to try to just look for spoofed DDoS amplification requests but if you remove those rules (except for 40-ifName.conf

and 50-reverse-dns.conf) it should be a pretty nice netflow collection solution. If you are looking for a free solution to identify DDoS attacks from netflow and generate Flowspec rules, check out https://github.com/pavel-odintsov/fastnetmon

Also, here’s a doc for best practices when implementing Flowspec: https://www.m3aawg.org/flowspec-BP

-Rich

5

Juniper added sFlow support to MX routers in Junos 18.1R1, https://blog.sflow.com/2018/04/sflow-available-on-juniper-mx-series.html

You might want to consider deploying sFlow instead of IPFIX, particularly if you are interested in DDoS mitigation where low latency and visibility into packet headers can be helpful.

-Peter