Speaker: A. Bobyshev (FERMILAB)
Description
In a large campus network such as Fermilab's ten-thousand-node network, scanning initiated from outside or from within the campus network raises security concerns, can seriously degrade network performance, and can even disrupt the normal operation of many services. In this paper we introduce a system for detecting and automatically blocking excessive traffic of various kinds: scanning, DoS attacks, and virus-infected computers. The system, called AutoBlocker, is a distributed computing system based on quasi-real-time analysis of network flow data collected from the border router and core routers. AutoBlocker also has an interface to accept alerts from IDS systems based on other technologies (e.g. BRO, SNORT). The system has multiple configurable alert levels for the detection of anomalous behavior and configurable trigger criteria for automatically blocking the scans at the core or border routers. It has been in use at Fermilab for about 2 years and has become a very valuable tool for curtailing scan activity within the Fermilab campus network.
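The abstract describes the shape of the system (flow records aggregated per source, tiered alert levels, IDS alerts folded in, and a configurable trigger that decides whether a block goes to the core or the border router) but not its code. The following is an added Python sketch of that pipeline written for this page; it is not AutoBlocker's code, and the thresholds, the `10.0.0.0/8` campus prefix, the exempt list, and the flow records are all constructed assumptions. The flow level is driven by destination fan-out within a sliding window, an IDS alert raises a source one level, and the block trigger additionally requires that most of the source's flows look like probes (one or two packets), which keeps a busy but legitimate server out of the block list.

```python
"""Flow-based scan detection with tiered alert levels and block triggers (illustrative)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    ts: float      # export time in seconds
    src: str
    dst: str
    dport: int
    packets: int


# Hypothetical alert levels, low to high, keyed on distinct destinations per source
# within the analysis window.
LEVELS = (("notice", 10), ("warning", 30), ("block", 100))
LEVEL_RANK = {"none": 0, "notice": 1, "warning": 2, "block": 3}
RANK_LEVEL = {rank: name for name, rank in LEVEL_RANK.items()}

CAMPUS = ipaddress.ip_network("10.0.0.0/8")   # constructed campus address space


def per_source_stats(flows, now, window):
    """Aggregate the flows seen in [now - window, now] by source address."""
    acc = defaultdict(lambda: {"dsts": set(), "ports": set(), "flows": 0, "probes": 0})
    for f in flows:
        if not (now - window <= f.ts <= now):
            continue                      # stale record, outside the window
        a = acc[f.src]
        a["dsts"].add(f.dst)
        a["ports"].add(f.dport)
        a["flows"] += 1
        if f.packets <= 2:                # one- or two-packet flows are probe-like, not sessions
            a["probes"] += 1
    return {src: {"fanout": len(a["dsts"]), "ports": len(a["ports"]), "flows": a["flows"],
                  "probe_ratio": a["probes"] / a["flows"]}
            for src, a in acc.items()}


def flow_level(stats):
    """Highest alert level whose fan-out threshold the source has crossed."""
    level = "none"
    for name, threshold in LEVELS:
        if stats["fanout"] >= threshold:
            level = name
    return level


def evaluate(flows, now, window=60.0, ids_alerts=(), exempt=(), min_probe_ratio=0.8):
    """Return {src: (level, action)}; action is 'none', 'block@core' or 'block@border'."""
    stats = per_source_stats(flows, now, window)
    ids_hit = set(ids_alerts)
    decisions = {}
    for src in set(stats) | ids_hit:
        st = stats.get(src, {"fanout": 0, "ports": 0, "flows": 0, "probe_ratio": 0.0})
        rank = LEVEL_RANK[flow_level(st)]
        if src in ids_hit:                # an external IDS alert escalates by one level
            rank = min(rank + 1, LEVEL_RANK["block"])
        level = RANK_LEVEL[rank]
        action = "none"
        # Trigger criteria: block level, not exempt, and flow evidence of probing.
        if level == "block" and src not in exempt and st["probe_ratio"] >= min_probe_ratio:
            where = "core" if ipaddress.ip_address(src) in CAMPUS else "border"
            action = f"block@{where}"
        decisions[src] = (level, action)
    return decisions


def sample_flows():
    """Constructed flow records: a campus scanner, a normal server, an outside probe,
    an exempt campus vulnerability scanner, and a stale scan outside the window."""
    flows = [Flow(990 + i * 0.05, "10.0.5.7", f"10.0.20.{i + 1}", 445, 1) for i in range(120)]
    flows += [Flow(950 + i, "10.0.1.2", f"10.0.2.{i % 3 + 1}", 443, 40) for i in range(30)]
    flows += [Flow(995 + i * 0.1, "198.51.100.9", f"10.0.21.{i + 1}", 22, 1) for i in range(40)]
    flows += [Flow(960 + i * 0.1, "10.0.0.10", f"10.0.30.{i + 1}", 80, 1) for i in range(200)]
    flows += [Flow(100 + i * 0.1, "10.0.9.9", f"10.0.40.{i + 1}", 139, 1) for i in range(150)]
    return flows


if __name__ == "__main__":
    result = evaluate(sample_flows(), now=1000.0,
                      ids_alerts=["198.51.100.9"], exempt={"10.0.0.10"})
    for src, (level, action) in sorted(result.items()):
        print(f"{src:15} level={level:8} action={action}")
```

Running the script classifies the campus scanner as a core-router block, escalates the outside source from warning to a border-router block because of the IDS alert, reports the exempt scanner at block level without acting on it, leaves the server untouched, and ignores the stale scan entirely. In a deployment the window, thresholds and probe ratio would be tuned per site, and the block actions would be turned into router ACL changes with an expiry.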