21.11.2018

Automatic blocks for remote attackers

Since version 2.0.116, FastNetMon has a new experimental ability to detect remote attackers (/32 hosts) and announce them using BGP Unicast announcements.

Known restrictions:

  • No automatic unblock option
  • No automatic counter cleanup. This leads to speed calculation delays on loaded networks. In some cases it can be fixed by frequent FastNetMon restarts

To use this option, please enable this mode in FastNetMon:

You can also get top remote talkers this way (since FastNetMon 2.0.151):

You can enable actions separately for incoming and outgoing directions of traffic:

To specify threshold values for remote hosts, we use host groups with special names:

  • remote_host_incoming
  • remote_host_outgoing

You can create example host groups this way:

After these configuration steps, FastNetMon will block all remote hosts which exceed 10Mbits of traffic in any direction.

You can list blocked hosts this way:

In addition to this, FastNetMon can generate BGP announcements for blocked hosts, and you can block them using your routers:

You can also configure the community and next hop for these announcements:

You can manually block a host using the fcli interface:

To unblock a host, use the uuid from the list command:

Please be careful with heavily loaded networks because FastNetMon does not free up tracking entries and can consume a significant amount of memory.