Closed rwrocket closed 7 years ago
It's expected: FastNetMon does not block attackers, it blocks your IP.
On Thu, 22 Dec 2016 at 03:46, rwrocket wrote:
Attached my config file
I finally got pfring port mirror working with influxdb + grafana + mikrotik script.
All seems to work pretty well, now I am just fine tuning attack detection.
For the sake of testing I have taken my attack thresholds right down so I can test what happens in an attack.
I find that visiting speedtest.net consistently creates an attack and puts MY IP on the ban list.
My question is, is this normal? I expected maybe the external IPs outside my network would be banned and not my IP address that is inside the subnets in my networks_list.
Is this because when using speedtest.net the outside connections come from multiple IPs but the destination is just one IP on my side?
I wonder if there is a way to ban the DDoSers and not the DDoSed in an attack?
Ubuntu 14.04
latest fastnetmon release
pfring
Attached attack log emails and fastnetmon.conf
ddos_attack2.zip https://github.com/pavel-odintsov/fastnetmon/files/667953/ddos_attack2.zip
Btw, you could use flow spec mode and block attackers instead :) But it's pretty tricky sometimes, and you may need to hack the code for new attack patterns.
That is the idea of FastNetMon: it is going to block, or rather null-route, any address you control (i.e. your own IP addresses) which has exceeded your defined thresholds.
Cheers, Mike
-- Michael McConnell, WINK Streaming, http://winkstreaming.com
I got the same: https://github.com/pavel-odintsov/fastnetmon/issues/606
I upped my thresholds and that solved it.
So I'm closing the ticket :)
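Both answers above, and the closing comment about raising thresholds, describe the same mechanism: FastNetMon only keeps counters for hosts inside networks_list, so whichever of your own hosts crosses the bandwidth or packet-rate threshold is the one that gets null-routed, and the remote peers are at most reported (which is what a flow spec rule would need). The following Python sketch is an added example of that logic, not FastNetMon's code and not taken from the attached config; the prefix, the one-second speedtest-like traffic sample, the two threshold sets and the use of the fastnetmon.conf key names as field names are all assumptions made for the illustration.

```python
"""Illustrative model of FastNetMon-style threshold detection (added example,
not FastNetMon's own code). Only hosts inside networks_list are tracked; the
tracked host that crosses a threshold is the one that gets banned."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from functools import lru_cache

# Constructed networks_list (RFC 5737 documentation prefix), not the
# config attached to the issue.
NETWORKS_LIST = """
# my prefixes
192.0.2.0/24
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    size: int  # bytes on the wire


@dataclass(frozen=True)
class Thresholds:
    # Field names are assumed to mirror the fastnetmon.conf keys of the same name.
    threshold_mbps: float
    threshold_pps: int
    ban_for_bandwidth: bool = True
    ban_for_pps: bool = True


def load_networks(text):
    """Parse networks_list lines; blank lines and '#' comments are skipped."""
    return tuple(ipaddress.ip_network(line.strip())
                 for line in text.splitlines()
                 if line.strip() and not line.lstrip().startswith("#"))


@lru_cache(maxsize=None)
def is_tracked(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def new_counter():
    return {"in_bytes": 0, "in_pkts": 0, "out_bytes": 0, "out_pkts": 0,
            "sources": defaultdict(int)}


def aggregate(packets, networks):
    """Count traffic per tracked host only; remote addresses never get a counter."""
    stats = defaultdict(new_counter)
    for p in packets:
        if is_tracked(p.dst, networks):
            c = stats[p.dst]
            c["in_bytes"] += p.size
            c["in_pkts"] += 1
            c["sources"][p.src] += p.size  # who sent the inbound bytes
        if is_tracked(p.src, networks):
            c = stats[p.src]
            c["out_bytes"] += p.size
            c["out_pkts"] += 1
    return stats


def detect(packets, networks, th, window_s=1.0):
    """Return {tracked_host: verdict} for every host over threshold in the window."""
    verdicts = {}
    for host, c in aggregate(packets, networks).items():
        in_mbps = c["in_bytes"] * 8 / window_s / 1e6
        out_mbps = c["out_bytes"] * 8 / window_s / 1e6
        in_pps = c["in_pkts"] / window_s
        out_pps = c["out_pkts"] / window_s
        reasons = []
        if th.ban_for_bandwidth and max(in_mbps, out_mbps) > th.threshold_mbps:
            reasons.append("bandwidth")
        if th.ban_for_pps and max(in_pps, out_pps) > th.threshold_pps:
            reasons.append("pps")
        if reasons:
            top = sorted(c["sources"].items(), key=lambda kv: kv[1], reverse=True)[:5]
            verdicts[host] = {"reasons": reasons,
                              "in_mbps": round(in_mbps, 1),
                              "in_pps": int(in_pps),
                              "top_sources": [src for src, _ in top]}
    return verdicts


def null_route_actions(verdicts):
    """Default behaviour from the thread: the victim itself is blackholed."""
    return [f"ip route add blackhole {host}/32" for host in verdicts]


def flowspec_actions(verdicts):
    """Flow spec alternative: discard traffic from the top senders toward the victim.
    Assumed rule shape; a real deployment would hand these to a BGP flowspec speaker."""
    return [{"action": "discard", "src": src, "dst": host}
            for host, v in verdicts.items() for src in v["top_sources"]]


def speedtest_like_traffic(home="192.0.2.10",
                           servers=("198.51.100.5", "198.51.100.6", "203.0.113.7"),
                           pkts_per_server=2800, mtu=1500):
    """Constructed one-second sample: a few remote servers pushing about 100 Mbps
    of full-size packets to one local host, which answers with small ACKs."""
    pkts = []
    for srv in servers:
        pkts += [Packet(srv, home, mtu)] * pkts_per_server
        pkts += [Packet(home, srv, 64)] * (pkts_per_server // 2)
    return pkts


if __name__ == "__main__":
    nets = load_networks(NETWORKS_LIST)
    sample = speedtest_like_traffic()
    for th in (Thresholds(threshold_mbps=10, threshold_pps=1000),      # thresholds "right down"
               Thresholds(threshold_mbps=1000, threshold_pps=20000)):  # more realistic
        v = detect(sample, nets, th)
        print(th, "->", v or "no ban")
        print("  null route:", null_route_actions(v))
        print("  flowspec:", flowspec_actions(v))
```

With the lowered thresholds the only entry in the verdict is the home host, because the speedtest servers are outside networks_list and never get a counter; with the higher thresholds the same sample produces no ban at all, which is the fix the closing comment applied. The flow spec list makes the other caveat visible: for a speedtest the "top sources" are legitimate servers, so blocking them automatically is only sensible for real attack patterns.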