21.11.2018

Automatic blocks for remote attackers

Since version 2.0.116, FastNetMon has a new experimental ability to detect remote attackers (/32 hosts) and announce them using BGP unicast announcements.

To use this option, please enable this mode in FastNetMon:

You can enable actions separately for incoming and outgoing directions of traffic:

To specify threshold values for remote hosts we use host groups with special names:

  • remote_host_incoming
  • remote_host_outgoing

You can create example host groups this way:

After these configuration steps, FastNetMon will block all remote hosts that exceed 10 Mbits of traffic in any direction.

You can list blocked hosts this way:

In addition to this, FastNetMon can generate BGP announcements for blocked hosts, and you can block them using your routers:

You can also configure the community and next hop for these announcements:

Please be careful with really heavily loaded networks, because FastNetMon does not free up tracking entries and can consume a significant amount of memory.