View Full Version : The network scans


oles@ovh.net
09-11-2008, 08:30 AM
Hello,

2 months ago, we strengthened detection of scans to and from our network.

The scans that we suffer (which come from the Internet) are detected after 5 minutes and automatically blocked for 6 hours. If, for example, a PC from Brazil scans the SSH or WWW port, it is detected and blocked. After 6 hours it is released again. If it does it again, it is blocked for 6 hours. If it does it yet again, it is blocked for 6 more hours. In 2 months, we have noticed that:

- We detect between 700 and 1000 scans per day (an IP:PORT pair counts as one scan)
- Within a 6-hour window, between 150 and 300 are blocked
- In general, a scan lasts less than 24 hours
- About 40 of them scan IP networks permanently and keep going all the time. These are unadministered networks
- They are mainly scans of ports 135, 139, 445, 1443 (Windows) and, to a lesser extent, ports 21, 22, 23, 25, 80, 110

The scans that originate from our own network are also detected after 5 minutes. Then our network administrators get involved. We see a marked decrease in dangerous scans from our network. For example, yesterday we detected only 6 scans and today only 2. In general, we detect about 10 scans a day. The decrease in scans is due to a very strict security policy: if we detect 2 scans from a server within 30 days, the contract is suspended. This happens to between 1 and 3 servers per day.

We still have a big job ahead of us: spam going out of our network. There are 2 types of spam:
- Professional spammers who use our infrastructure to send a lot of emails. According to our statistics there are about 15 to 20 servers with such activity. These are very well managed servers with very reactive handling of abuse. It is very difficult to prove spam without spending hours collecting the complaints, verifying them, sending a warning, and then closing the server. Multiple and repeated problems.
- A server with a security hole (e.g. a poorly protected PHP script) is hacked by a hacker and can then generate outgoing emails. In general, the server is blacklisted by the RBL lists in less than 4 hours.

In both cases, we will tackle the problem soon. We are still looking for a good method for detecting spam, collecting information, and alerting. There is no reason for us not to find the right method, one that is simple to explain, simple to respect, and that satisfies everybody. In any case, we are going to discuss it and then do some tests before developing the right method.

In short, we are on the right path but there is still work to do.

Regards,

Octave
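The block-and-release policy described in the post above (detection within a 5-minute window, an automatic 6-hour block, and a fresh 6-hour block on every repeat) is easy to model as a small state machine. The following is an added example written for this page, not OVH's own detector; it runs the policy over a few constructed iptables-style log lines. The log format, the threshold of 10 distinct target/port pairs, and all addresses are assumptions made for the demo.

```python
"""Toy scan detector with a timed block list (added example, not OVH code).

Policy modelled from the post: a source is a scanner once it has touched
SCAN_THRESHOLD distinct (destination, port) pairs within a 5-minute window;
it is then blocked for 6 hours, released, and blocked again for 6 hours if
it scans again. Log format, threshold and addresses are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)        # observation window from the post
BLOCK = timedelta(hours=6)           # block duration from the post
SCAN_THRESHOLD = 10                  # distinct (dst, dport) pairs in WINDOW (assumption)

# Assumed log line shape: "<ISO timestamp> SRC=<ip> DST=<ip> DPT=<port>"
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)$")


class ScanDetector:
    def __init__(self):
        self.recent = defaultdict(deque)   # src -> deque of (ts, dst, dport)
        self.blocked_until = {}            # src -> datetime when the block expires
        self.blocks = []                   # (src, block start) for every block issued
        self.dropped = 0                   # attempts discarded while blocked

    def observe(self, ts, src, dst, dport):
        """Feed one connection attempt; return 'blocked', 'scan' or 'ok'."""
        until = self.blocked_until.get(src)
        if until is not None and ts < until:
            self.dropped += 1
            return "blocked"               # still inside a 6-hour block
        q = self.recent[src]
        q.append((ts, dst, dport))
        while q and ts - q[0][0] > WINDOW:  # keep only the last 5 minutes
            q.popleft()
        if len({(d, p) for _, d, p in q}) >= SCAN_THRESHOLD:
            self.blocked_until[src] = ts + BLOCK
            self.blocks.append((src, ts))
            q.clear()                      # after release the source starts clean
            return "scan"
        return "ok"

    def feed_log(self, lines):
        """Parse log lines and return one verdict per line ('skip' if unparseable)."""
        verdicts = []
        for line in lines:
            m = LINE_RE.match(line.strip())
            if not m:
                verdicts.append("skip")
                continue
            ts = datetime.fromisoformat(m.group(1))
            verdicts.append(self.observe(ts, m.group(2), m.group(3), int(m.group(4))))
        return verdicts


def burst(src, start, n, dport=445, step=timedelta(seconds=10)):
    """Constructed log lines: one source hitting n hosts on one port."""
    return [f"{(start + i * step).isoformat()} SRC={src} DST=10.0.0.{i + 1} DPT={dport}"
            for i in range(n)]


def demo():
    """Run the detector over constructed traffic; return (detector, verdicts)."""
    t0 = datetime(2008, 9, 10, 10, 0, 0)
    lines = (
        burst("198.51.100.7", t0, 12)                        # horizontal 445 scan: blocked at line 10
        + burst("198.51.100.7", t0 + timedelta(hours=2), 3)  # inside the block: dropped
        + burst("203.0.113.5", t0, 3, dport=22)              # three SSH connections, not a scan
        + burst("198.51.100.7", t0 + timedelta(hours=7), 12) # after release, scans again: new block
    )
    det = ScanDetector()
    return det, det.feed_log(lines)


if __name__ == "__main__":
    det, verdicts = demo()
    for src, start in det.blocks:
        print(f"block {src} from {start.isoformat()} for {BLOCK}")
    print(f"{det.dropped} attempts dropped while blocked")
```

Two points worth noting from running it: the scanner is blocked twice (once per burst that crosses the threshold after a release), and the three-connection SSH client is never touched. A deliberate self-test of one's own firewall, of the kind asked about in the replies below, would look exactly like the first burst to this logic, so a detector in production needs an allowlist for addresses that are expected to scan.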

IainK
09-15-2008, 05:38 AM
I presume this means I'm not allowed to initiate port scans on my server to check the firewall is working properly?

IainK
09-15-2008, 05:45 AM
If not, is there a tool inside your network I could use?