Mailing List Archive

Free-ish Linux Netflow collector/analyser options
I'm looking for a free-ish Linux open sources Netflow collector/analyser. I have 5 Juniper MX routers that will send IPFIX flows to for an ISP network. I'm hoping it is something I can run in AWS/EC2 as I don't want to worry about storage again in my lifetime. Does anyone have any recommendations?

For reporting I would like to generate basic usage reports to/from IP/Subnet/ASN. It would be great if it could also detect DDoS and activate flowspec back into my core routers but that isn't a requirement

Thanks

-Matt
Re: Free-ish Linux Netflow collector/analyser options [ In reply to ]
Try FlowViewer (analyzing, graphing, trending software) + SiLK (robust,
high-performance capture software from Carnegie-Mellon).

Pretty full netflow analysis package; free.

See: http://flowviewer.net

Joe

On 5/16/2022 2:34 PM, Matthew Crocker wrote:
>
> I’m looking for a free-ish Linux open sources Netflow
> collector/analyser.  I have 5 Juniper MX routers that will send IPFIX
> flows to for an ISP network.    I’m hoping it is something I can run
> in AWS/EC2 as I don’t want to worry about storage again in my
> lifetime.  Does anyone have any recommendations?
>
> For reporting I would like to generate basic  usage reports to/from
> IP/Subnet/ASN.  It would be great if it could also detect DDoS and
> activate flowspec back into my core routers but that isn’t a requirement
>
> Thanks
>
> -Matt
>
Re: Free-ish Linux Netflow collector/analyser options [ In reply to ]
On Mon, 16 May 2022 18:34:29 +0000
Matthew Crocker <matthew@corp.crocker.com> wrote:

> I’m looking for a free-ish Linux open sources Netflow
> collector/analyser.
[...]

There was a long thread back in January that I think will provide
you many of the suggestions you're seeking. If you haven't seen it, it
starts here:

<https://mailman.nanog.org/pipermail/nanog/2022-January/217354.html>

John
Re: [EXTERNAL] Re: Free-ish Linux Netflow collector/analyser options [ In reply to ]
The ELK stack does a good job of collecting netflow records with the addition of Filebeat. Check out my tattle-tale tool that collects netflow data: https://github.com/racompton/tattle-tale

It has numerous rules in logstash/conf.d to try to just look for spoofed DDoS amplification requests, but if you remove those rules (except for 40-ifName.conf <https://github.com/racompton/tattle-tale/blob/main/logstash/conf.d/40-ifName.conf> and 50-reverse-dns.conf <https://github.com/racompton/tattle-tale/blob/main/logstash/conf.d/50-reverse-dns.conf>) it should be a pretty nice netflow collection solution.

If you are looking for a free solution to identify DDoS attacks from netflow and generate Flowspec rules, check out https://github.com/pavel-odintsov/fastnetmon

Also, here's a doc for best practices when implementing Flowspec: https://www.m3aawg.org/flowspec-BP

-Rich

From: NANOG <nanog-bounces+rich.compton=charter.com@nanog.org> on behalf of Joe Loiacono <jloiacon@gmail.com>
Date: Monday, May 16, 2022 at 1:11 PM
To: NANOG list <nanog@nanog.org>, Matthew Crocker <matthew@corp.crocker.com>
Subject: [EXTERNAL] Re: Free-ish Linux Netflow collector/analyser options

Try FlowViewer (analyzing, graphing, trending software) + SiLK (robust, high-performance capture software from Carnegie-Mellon).

Pretty full netflow analysis package; free.

See: http://flowviewer.net

Joe
On 5/16/2022 2:34 PM, Matthew Crocker wrote:

I’m looking for a free-ish Linux open sources Netflow collector/analyser. I have 5 Juniper MX routers that will send IPFIX flows to for an ISP network. I’m hoping it is something I can run in AWS/EC2 as I don’t want to worry about storage again in my lifetime. Does anyone have any recommendations?

For reporting I would like to generate basic usage reports to/from IP/Subnet/ASN. It would be great if it could also detect DDoS and activate flowspec back into my core routers but that isn’t a requirement

Thanks

-Matt
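The two things Rich's reply touches on, per-IP/subnet/ASN usage reporting and the "spoofed DDoS amplification request" rule that tattle-tale's logstash filters look for, are easy to state in code once flow records have been decoded. The following is an added illustration written for this archive; it is not code from tattle-tale, FastNetMon, FlowViewer or any other tool named in the thread. It assumes decoded IPFIX/NetFlow records in a flat dict shape (src, dst, proto, ports, bytes, direction), a hypothetical pair of ISP prefixes standing in for "our" address space, and a hypothetical static prefix-to-ASN table in place of a real BGP/RIB lookup. The sample records are constructed inline; one of them is an egress UDP flow toward memcached whose source address is not in our prefixes, which is exactly the symptom of a spoofed amplification request leaving an edge without BCP38 egress filtering.

```python
"""Usage reporting and spoofed-amplification-request detection over decoded
flow records. Added example for this thread; not tattle-tale or FastNetMon code.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical ISP prefixes that this collector treats as "ours".
OUR_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Hypothetical static prefix -> ASN table standing in for a BGP/RIB lookup.
ASN_MAP = {
    ip_network("203.0.113.0/24"): 64500,
    ip_network("198.51.100.0/24"): 64500,
    ip_network("192.0.2.0/24"): 64496,
}

# UDP services commonly abused for reflection. The detector only cares that a
# request toward one of them leaves our edge with a source we do not own.
AMPLIFICATION_UDP_PORTS = {53: "dns", 123: "ntp", 389: "ldap",
                           1900: "ssdp", 11211: "memcached"}

# Constructed sample records; "egress" means the flow is leaving our network.
SAMPLE_FLOWS = [
    {"src": "203.0.113.10", "dst": "192.0.2.50", "proto": 17,
     "sport": 40000, "dport": 53, "bytes": 120, "direction": "egress"},
    {"src": "192.0.2.50", "dst": "203.0.113.10", "proto": 17,
     "sport": 53, "dport": 40000, "bytes": 3000, "direction": "ingress"},
    # Source we do not own, leaving our edge toward memcached: spoofed request.
    {"src": "192.0.2.77", "dst": "192.0.2.200", "proto": 17,
     "sport": 11211, "dport": 11211, "bytes": 60, "direction": "egress"},
    {"src": "198.51.100.7", "dst": "192.0.2.8", "proto": 6,
     "sport": 55555, "dport": 443, "bytes": 1500, "direction": "egress"},
]


def is_ours(addr):
    """True if addr falls inside one of the prefixes we announce."""
    a = ip_address(addr)
    return any(a in net for net in OUR_PREFIXES)


def asn_for(addr):
    """Longest-match-free lookup in the hypothetical static ASN table."""
    a = ip_address(addr)
    for net, asn in ASN_MAP.items():
        if a in net:
            return asn
    return None


def usage_report(flows, key="ip"):
    """Aggregate bytes per IP, /24 subnet or ASN, split by direction.

    The flow is attributed to the address on our side of the conversation:
    the source for egress flows, the destination for ingress flows.
    """
    report = defaultdict(lambda: {"egress": 0, "ingress": 0})
    for f in flows:
        ours = f["src"] if f["direction"] == "egress" else f["dst"]
        if key == "ip":
            k = ours
        elif key == "subnet":
            k = str(ip_network(f"{ours}/24", strict=False))
        elif key == "asn":
            k = asn_for(ours)
        else:
            raise ValueError(f"unknown report key: {key}")
        report[k][f["direction"]] += f["bytes"]
    return dict(report)


def spoofed_amplification_requests(flows):
    """Flag egress UDP flows toward a reflection service whose source address
    is not one of our prefixes. Such packets should never leave an edge with
    BCP38 egress filtering in place; seeing them in flow data points at a
    customer port emitting spoofed amplification requests."""
    hits = []
    for f in flows:
        if f["direction"] != "egress" or f["proto"] != 17:
            continue
        service = AMPLIFICATION_UDP_PORTS.get(f["dport"])
        if service and not is_ours(f["src"]):
            hits.append({"src": f["src"], "dst": f["dst"],
                         "service": service, "bytes": f["bytes"]})
    return hits


if __name__ == "__main__":
    for key in ("ip", "subnet", "asn"):
        print(f"usage by {key}:", usage_report(SAMPLE_FLOWS, key))
    print("spoofed amplification requests:",
          spoofed_amplification_requests(SAMPLE_FLOWS))
```

In a real deployment the prefix list would come from the IGP or BGP table rather than a constant, and a hit would be enriched with the ingress interface (the role tattle-tale's 40-ifName.conf filter plays) so the offending customer port can be identified; the Flowspec step that FastNetMon automates is deliberately left out here.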
Re: Free-ish Linux Netflow collector/analyser options [ In reply to ]
Juniper added sFlow support to MX routers in Junos 18.1R1,
https://blog.sflow.com/2018/04/sflow-available-on-juniper-mx-series.html

You might want to consider deploying sFlow instead of IPFIX, particularly
if you are interested in DDoS mitigation where low latency and visibility
into packet headers can be helpful.

-Peter

On Mon, May 16, 2022 at 11:36 AM Matthew Crocker <matthew@corp.crocker.com>
wrote:

>
>
> I’m looking for a free-ish Linux open sources Netflow collector/analyser.
> I have 5 Juniper MX routers that will send IPFIX flows to for an ISP
> network. I’m hoping it is something I can run in AWS/EC2 as I don’t want
> to worry about storage again in my lifetime. Does anyone have any
> recommendations?
>
>
>
> For reporting I would like to generate basic usage reports to/from
> IP/Subnet/ASN. It would be great if it could also detect DDoS and activate
> flowspec back into my core routers but that isn’t a requirement
>
>
>
> Thanks
>
>
>
> -Matt
>
>
>