
Ten years ago, I wrote the first lines of FastNetMon in my home lab, trying to detect volumetric Distributed Denial-of-Service (DDoS) attacks in a small data centre environment I was managing. What started as a proof-of-concept tool with hardcoded thresholds and no config file has since grown into a globally deployed open source DDoS detection system, shaped entirely by the needs and input of the network operator community.
In this post, I want to reflect on two parallel journeys: How DDoS attacks have evolved over the last decade, and how the FastNetMon Community project has grown in response — from a homegrown script to a battle-tested detection platform trusted by ISPs, hosting providers, and enterprises.
2013: When volumetric floods were enough
In 2013, most DDoS threats looked similar: SYN floods, UDP floods, and ICMP floods. These were relatively easy to detect with simple packet-per-second counters. FastNetMon started as a PoC for that use case, processing mirrored traffic at about 2Gbps and triggering alerts when it saw more than 10,000 packets per second.
At the time, that was enough. But it was clear this wouldn’t last.
By late 2014, amplification attacks using NTP and DNS reflection became mainstream. These dramatically increased the scale of attacks without increasing attacker resources. Meanwhile, the rise of insecure IoT devices — later exploited by botnets like Mirai — made it easy to distribute traffic across thousands of sources.
We had to adapt. FastNetMon integrated support for PF_RING to scale with traffic demands. Then came sFlow and Netflow support, helping us cover more architectures beyond simple port mirroring.
2015 – 2017: From PoC to MVP, and more persistent threats
In early 2015, FastNetMon reached version 1.1.1 — the first truly complete release. It featured flow support, Border Gateway Protocol (BGP) integration, and exponential moving average algorithms that still power our detection logic today.
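As an added illustration (not FastNetMon's own code), the detection style the post describes so far: per-host packet-per-second counters, smoothed with an exponential moving average and compared against a fixed pps threshold. The 10,000 pps figure comes from the post's 2013 PoC; the EMA weight and the sample records are constructed assumptions.

```python
"""Per-host pps flood detector with EMA smoothing (added example, not FastNetMon code)."""
from collections import defaultdict

PPS_THRESHOLD = 10_000  # pps threshold quoted in the post's 2013 PoC
ALPHA = 0.5             # EMA weight of the newest one-second bucket (assumption)

# Constructed per-second buckets: (second, destination host, packets in that second).
# 192.0.2.10: normal server.  192.0.2.20: UDP flood starting at t=3.
# 192.0.2.30: a single one-second spike at t=2 that should NOT be flagged.
SAMPLES = [
    (0, "192.0.2.10", 800), (0, "192.0.2.20", 500),    (0, "192.0.2.30", 600),
    (1, "192.0.2.10", 900), (1, "192.0.2.20", 600),    (1, "192.0.2.30", 600),
    (2, "192.0.2.10", 850), (2, "192.0.2.20", 700),    (2, "192.0.2.30", 15_000),
    (3, "192.0.2.10", 900), (3, "192.0.2.20", 40_000), (3, "192.0.2.30", 600),
    (4, "192.0.2.10", 870), (4, "192.0.2.20", 45_000), (4, "192.0.2.30", 600),
]


def ema_update(prev, value, alpha=ALPHA):
    """Exponential moving average; the first observation seeds the average."""
    return value if prev is None else alpha * value + (1 - alpha) * prev


def detect(samples, threshold=PPS_THRESHOLD, alpha=ALPHA):
    """Return {host: first second at which the smoothed pps exceeded threshold}.

    Smoothing suppresses a lone spike (192.0.2.30) while a sustained flood
    (192.0.2.20) still crosses the threshold within its first second.
    """
    ema = defaultdict(lambda: None)
    flagged = {}
    for second, host, packets in samples:
        ema[host] = ema_update(ema[host], packets, alpha)
        if ema[host] > threshold and host not in flagged:
            flagged[host] = second
    return flagged


if __name__ == "__main__":
    for host, second in detect(SAMPLES).items():
        print(f"flood detected towards {host} at t={second}s")
```

With the same threshold but no smoothing, the one-second spike towards 192.0.2.30 would also have been flagged; the trade-off is that a real flood must push the smoothed value, not just one bucket, over the line.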
Around the same time, attackers were shifting tactics. While we focused on detecting volumetric and protocol-layer attacks, the broader DDoS landscape saw a rise in Layer 7 attacks targeting application endpoints. These were outside our scope but signalled the growing complexity operators would face.
Another challenge emerged: ‘DDoS-for-hire’ platforms, or booter services. These made it easy for low-skill actors to launch large-scale attacks using rented botnets. We began seeing more diverse campaigns from more varied sources, often at rates high enough to overwhelm even large providers.
To help operators keep up, we focused on improving visibility and detection speed for volumetric threats — areas where FastNetMon excels today.
2018 – 2022: Scale and ransom demand
As attack sophistication grew, so did their size. Providers like AWS, Google, and Microsoft Azure reported record-breaking DDoS attacks above 2Tbps. Attackers combined multiple amplification vectors — memcached, CLDAP, WS-Discovery — in large-scale, multi-vector floods.
Ransom-driven attacks (RDDoS) became increasingly common. Attackers would initiate a short burst, then demand cryptocurrency payments to stop. These campaigns frequently targeted sectors that could least afford downtime — finance, healthcare, and public infrastructure.
FastNetMon Community introduced features to support automated traffic analysis and response, including Grafana integrations and fully integrated BGP blackholing (based on ExaBGP and GoBGP). These tools helped operators act quickly at the network edge during high-volume attacks.
Pavel details the capabilities of FastNetMon Community at DKNOG13.
2023 – Today: Geopolitical tensions and automation
DDoS attacks are no longer just about profit — they’ve become tools of disruption in politically charged contexts. State-aligned actors and hacktivist groups increasingly target critical infrastructure and public services as part of broader geopolitical agendas.
Modern campaigns often route traffic through proxy networks and VPNs, making attribution and mitigation more complex. At the same time, automation and AI have enabled attackers to launch adaptive, multi-phase attacks with minimal effort.
FastNetMon continues to focus on detecting high-speed volumetric and protocol-layer attacks — the foundation of most large-scale DDoS campaigns — while refining performance to meet the demands of today’s threat environment.
Community-driven development
Throughout this journey, one thing hasn’t changed: Our commitment to the open source community.
Every major feature — from sFlow and Netflow v9 to IPFIX, BGP support, and more — came directly from operator feedback. Every performance improvement and integration request was rooted in real-world use.
FastNetMon’s flexibility and scalability are the direct result of these conversations, whether in a GitHub issue, a NANOG thread, or a presentation hall at RIPE or NLNOG. This feedback loop is why FastNetMon still holds up in production networks a decade later.
What we’ve learned from 10 years of building open source
After a decade of building and maintaining FastNetMon in production networks, we’ve learned what actually works — and what doesn’t — when it comes to open source and network security:
- Build for operators, not headlines. We’ve never chased hype. Every feature in FastNetMon exists because someone running real infrastructure needed it — not because it looked good in a press release.
- Performance isn’t optional. If your DDoS detection can’t keep up with line-rate traffic, it’s not usable. We’ve spent years tuning FastNetMon for raw speed — and we benchmark every update with that in mind.
- Feedback is your product roadmap. We don’t guess what to build next. Our community tells us. If a feature doesn’t solve a real problem for real users, it doesn’t make it into the codebase.
- Simplicity scales. FastNetMon avoids unnecessary complexity. Operators want tools that are fast, reliable, and easy to integrate — not black boxes with a steep learning curve.
- Open source wins trust. By keeping FastNetMon Community fully open, we’ve gained users who audit the code, contribute improvements, and deploy it with confidence.
Today, FastNetMon Community continues to do what it was built for: Fast, efficient detection of DDoS attacks at the network level. And while we’ve seen the threat landscape evolve dramatically, our core mission — to make effective DDoS detection accessible and open — remains the same.
We look forward to the next ten years, powered by community and guided by real-world operator needs.
Pavel is the author of FastNetMon, an open source DDoS detection tool with a variety of traffic capture methods and works in software development and community management.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.