I’m looking for a free-ish Linux open-source NetFlow collector/analyser. I have 5 Juniper MX routers that will send IPFIX flows to it, for an ISP network. I’m hoping it is something I can run in AWS/EC2, as I don’t want to worry about storage again in my lifetime. Does anyone have any recommendations?
For reporting I would like to generate basic usage reports to/from IP/Subnet/ASN. It would be great if it could also detect DDoS and activate flowspec back into my core routers, but that isn’t a requirement.
Try FlowViewer (analyzing, graphing, trending software) + SiLK (robust, high-performance capture software from Carnegie-Mellon).
Pretty full netflow analysis package; free.
There was a long thread back in January that I think will provide you many of the suggestions you're seeking. If you haven't seen it, it
<Flow collection and analysis>
The ELK stack does a good job of collecting netflow records with the addition of Filebeat. Check out my tattle-tale tool that collects netflow data: https://github.com/racompton/tattle-tale. It has numerous rules in logstash/conf.d to try to just look for spoofed DDoS amplification requests, but if you remove those rules (except for 40-ifName.conf and 50-reverse-dns.conf) it should be a pretty nice netflow collection solution. If you are looking for a free solution to identify DDoS attacks from netflow and generate Flowspec rules, check out https://github.com/pavel-odintsov/fastnetmon
Also, here’s a doc for best practices when implementing Flowspec: https://www.m3aawg.org/flowspec-BP
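To make concrete what the original question asks for (usage to/from subnet and ASN) and what the logstash rules described above look for (spoofed amplification traffic), here is an added example that works over decoded flow records. It is not code from tattle-tale, FastNetMon, SiLK or any other tool in this thread; the flow records, the prefix-to-ASN table, the reflector port list and the thresholds are all constructed for illustration, and the field names are shortened from the IPFIX information elements a collector would decode.

```python
"""Per-prefix / per-ASN usage totals from exported flow records, plus a
reflection/amplification heuristic over the same records.

Added example for this thread, not code from any project mentioned in it.
Flow records, the prefix-to-ASN table and thresholds are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical prefix -> origin ASN table (constructed; in production this
# would come from a BGP table dump or BGP fields exported by the router).
PREFIX_TO_ASN = {
    ip_network("192.0.2.0/24"): 64500,
    ip_network("198.51.100.0/24"): 64501,
    ip_network("203.0.113.0/24"): 64502,
}

# UDP services whose answers are far larger than the request that triggers
# them, i.e. the classic reflection sources (constructed subset).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}

# Constructed flow records in the shape a collector yields after decoding
# IPFIX templates (documentation addresses from RFC 5737).
FLOWS = [
    {"src": "203.0.113.10", "dst": "192.0.2.5", "proto": 6, "sport": 443, "dport": 51234, "octets": 1_500_000, "packets": 1200},
    {"src": "192.0.2.5", "dst": "203.0.113.10", "proto": 6, "sport": 51234, "dport": 443, "octets": 80_000, "packets": 900},
    # Ordinary DNS: small query out, small answer back.
    {"src": "198.51.100.77", "dst": "203.0.113.53", "proto": 17, "sport": 40000, "dport": 53, "octets": 6_000, "packets": 100},
    {"src": "203.0.113.53", "dst": "198.51.100.77", "proto": 17, "sport": 53, "dport": 40000, "octets": 12_000, "packets": 100},
    # Reflection pattern: large UDP/53 and UDP/123 answers converging on one host.
    {"src": "203.0.113.53", "dst": "192.0.2.9", "proto": 17, "sport": 53, "dport": 7777, "octets": 4_200_000, "packets": 3000},
    {"src": "203.0.113.54", "dst": "192.0.2.9", "proto": 17, "sport": 53, "dport": 7777, "octets": 3_900_000, "packets": 2800},
    {"src": "203.0.113.123", "dst": "192.0.2.9", "proto": 17, "sport": 123, "dport": 7777, "octets": 2_100_000, "packets": 4500},
]


def asn_for(addr):
    """Longest-prefix lookup in the constructed table; None if unknown."""
    ip = ip_address(addr)
    best = None
    for net, asn in PREFIX_TO_ASN.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def usage_by_prefix(flows, prefixlen=24):
    """Octets sent ('out') and received ('in') per /prefixlen, keyed by prefix string."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for f in flows:
        src_net = ip_network(f"{f['src']}/{prefixlen}", strict=False)
        dst_net = ip_network(f"{f['dst']}/{prefixlen}", strict=False)
        totals[str(src_net)]["out"] += f["octets"]
        totals[str(dst_net)]["in"] += f["octets"]
    return dict(totals)


def usage_by_asn(flows):
    """Same report keyed by origin ASN (None for addresses outside the table)."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for f in flows:
        totals[asn_for(f["src"])]["out"] += f["octets"]
        totals[asn_for(f["dst"])]["in"] += f["octets"]
    return dict(totals)


def detect_reflection(flows, min_avg_packet=400, min_octets=1_000_000):
    """Flag destinations receiving large UDP answers from reflector ports.

    A flow counts when it is UDP, its *source* port is a known reflector
    service and its average packet size is large (a normal answer to a small
    query is short). Matching octets are summed per destination and reported
    when they exceed min_octets. The returned match tuples (dst/32, protocol,
    source port) are the criteria a flowspec rule would be built from.
    """
    per_dst = defaultdict(lambda: {"octets": 0, "ports": set()})
    for f in flows:
        if f["proto"] != 17 or f["sport"] not in REFLECTOR_PORTS:
            continue
        if f["octets"] / max(f["packets"], 1) < min_avg_packet:
            continue
        per_dst[f["dst"]]["octets"] += f["octets"]
        per_dst[f["dst"]]["ports"].add(f["sport"])
    alerts = []
    for dst, agg in per_dst.items():
        if agg["octets"] >= min_octets:
            alerts.append({
                "victim": f"{dst}/32",
                "octets": agg["octets"],
                "services": sorted(REFLECTOR_PORTS[p] for p in agg["ports"]),
                "flowspec_match": [(f"{dst}/32", "udp", p) for p in sorted(agg["ports"])],
            })
    return alerts


if __name__ == "__main__":
    for prefix, t in sorted(usage_by_prefix(FLOWS).items()):
        print(f"{prefix:20} in={t['in']:>10} out={t['out']:>10}")
    for asn, t in usage_by_asn(FLOWS).items():
        label = "unknown" if asn is None else f"AS{asn}"
        print(f"{label:20} in={t['in']:>10} out={t['out']:>10}")
    for alert in detect_reflection(FLOWS):
        print("reflection suspected:", alert)
```

The per-destination aggregation is the important part: a single large DNS answer is not evidence of anything, while several reflectors converging on one /32 with oversized UDP answers is the shape the logstash rules are hunting for. Whatever tool produces the match tuples, the M3AAWG document linked above is the reference for how to turn them into flowspec safely.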
Juniper added sFlow support to MX routers in Junos 18.1R1, https://blog.sflow.com/2018/04/sflow-available-on-juniper-mx-series.html
You might want to consider deploying sFlow instead of IPFIX, particularly if you are interested in DDoS mitigation where low latency and visibility into packet headers can be helpful.