glFlow is fast (D)DoS logging software designed to log and monitor network traffic.
glFlow is platform-agnostic: it was written on FreeBSD, tested on both FreeBSD and Linux, and should build and run on any OS that provides libpcap and OpenSSL, since the code itself is highly portable.
The software uses the "flow" structure defined by Cisco Systems, a four-tuple of {srcaddr, srcport, dstaddr, dstport}. It detects flooding attacks in which this tuple stays the same for the duration of the assault: it tracks the average packet rate of every flow and raises an alarm when that rate reaches the predetermined threshold.
Spoofed attacks are detected with a counter kept for every host the software sees, which increments with every new flow created. If the average number of newly created flows for a given host over a given time interval reaches a predefined threshold, an alarm is raised.
glFlow was designed with high speeds in mind and can detect attacks at over 500Mbps. It achieves this with a very fast binary tree that lets the whole program run as a single loop; the same design lets it clean up inactive flows in under 0.3 seconds, which makes it well suited to detecting large floods in real time.
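The three rules above (per-flow packet-rate threshold, per-host new-flow counter, expiry of idle flows) as an added Python example, not glFlow's own C code. The thresholds, the one-second averaging floor, counting both endpoint addresses as "hosts", and the replayed traffic are all constructed assumptions for this example.

```python
# Constructed thresholds for this example; glFlow's real values are hardcoded in defs.h
# and are not given on this page.
FLOW_PPS_THRESHOLD = 1000.0   # average packets/second on one flow before a flood alarm
NEW_FLOWS_THRESHOLD = 50.0    # average new flows/second at one host before a spoof alarm
FLOW_IDLE_SECONDS = 0.3       # a flow with no packets for this long is expired
MIN_WINDOW = 1.0              # averaging floor so the first packets do not give an infinite rate

class FlowMonitor:
    def __init__(self):
        self.flows = {}   # (srcaddr, srcport, dstaddr, dstport) -> [first_ts, last_ts, packets, alarmed]
        # Assumption: both endpoints count as "hosts", so a victim of many spoofed sources still trips it.
        self.hosts = {}   # addr -> [first_ts, new_flows, alarmed]
        self.alarms = []  # (kind, subject, observed_rate)

    def observe(self, ts, src, sport, dst, dport):
        key = (src, sport, dst, dport)
        if key not in self.flows:
            self.flows[key] = [ts, ts, 0, False]
            for addr in (src, dst):   # a new flow bumps the counter of every host it touches
                host = self.hosts.setdefault(addr, [ts, 0, False])
                host[1] += 1
                rate = host[1] / max(ts - host[0], MIN_WINDOW)
                if rate > NEW_FLOWS_THRESHOLD and not host[2]:
                    host[2] = True
                    self.alarms.append(("spoof", addr, rate))
        flow = self.flows[key]
        flow[1] = ts
        flow[2] += 1
        rate = flow[2] / max(ts - flow[0], MIN_WINDOW)   # average packet rate over the flow's lifetime
        if rate > FLOW_PPS_THRESHOLD and not flow[3]:
            flow[3] = True
            self.alarms.append(("flood", key, rate))

    def expire(self, now):
        """Drop flows idle longer than FLOW_IDLE_SECONDS; return how many were removed."""
        stale = [k for k, f in self.flows.items() if now - f[1] > FLOW_IDLE_SECONDS]
        for k in stale:
            del self.flows[k]
        return len(stale)

def run_sample():
    """Replay constructed traffic: a benign flow, a single-flow flood and a spoofed-source flood."""
    mon = FlowMonitor()
    for i in range(20):      # 20 packets over 5 s on one flow: no alarm
        mon.observe(i * 0.25, "10.0.0.2", 51000, "192.0.2.10", 443)
    for i in range(3000):    # 3000 packets in 2 s on one flow: flood alarm at packet 1001
        mon.observe(i * 2 / 3000, "10.0.0.5", 4444, "192.0.2.10", 80)
    for i in range(120):     # 120 flows in 1 s from 120 spoofed sources: spoof alarm on the victim
        mon.observe(i / 120, "203.0.113.%d" % (i + 1), 40000, "192.0.2.10", 53)
    return mon.alarms, mon.expire(now=10.0)   # by t=10 s every flow is idle and gets expired
```

Note that with randomised spoofed sources a counter keyed on the source address alone never fires; it is the victim's counter that catches the flood.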
Installing and running the program is relatively easy. After running "./configure --help", you can tweak the build options to your preference. The thresholds are hardcoded in defs.h, so set them before building. The software consumes about 40MB of system memory, and since it supports BPF, it should be run with a capture filter.
Overall, I found glFlow to be an incredibly fast and effective tool for preventing DDoS attacks. It's easy to install, and the software is platform-agnostic, making it an excellent addition to any system that needs better security.
Version 0.1.4: N/A