Fermilab Computing Division

CS Document 488-v2

AutoBlocker: A system for detecting and blocking of network scanning

Document #:
Document type:
Submitted by:
Marcia A Teckenbrock
Updated by:
Andrey Bobyshev
Document Created:
20 Sep 2004, 14:59
Contents Revised:
23 Sep 2004, 15:35
Metadata Revised:
20 Jan 2005, 10:28
Viewable by:
  • Public document
Modifiable by:
  • Same as Viewable by

Quick Links:
Latest Version

Other Versions:
23 Sep 2004, 15:24
20 Sep 2004, 14:59
In a large campus network, such at Fermilab, with tens of thousands of nodes, scanning initiated from either outside of or within the campus network raises security concerns. This scanning may have very serious impact on network performance, and even disrupt normal operation of many services. In this paper we introduce a system for detecting and automatic blocking excessive traffic of different kinds of scanning, DoS attacks, virus infected computers. The system, called AutoBlocker, is a distributed computing system based on quasi-real time analysis of network flow data collected from the border router and core switches. AutoBlocker also has an interface to accept alerts from IDS systems (e.g. BRO, SNORT) that are based on other technologies. The system has multiple configurable alert levels for the detection of anomalous behaviour and configurable trigger criteria for automated blocking of scans at the core or border routers. It has been in use at Fermilab for about 2 years, and has become a very valuable tool to curtail scan activity within the Fermilab campus network.
Files in Document:
Other Files:
scanning IDS flow netflow
Notes and Changes:
Fermilab Publication number CONF-04-487-CD
Associated with Events:
CHEP2004 held from 27 Sep 2004 to 01 Oct 2004 in Interlaken, Switzerland
DocDB Home ]  [ Search ] [ Authors ] [ Events ] [ Topics ]

DocDB Version 8.8.9, contact Document Database Administrators