taiko
06-08-2008, 13:32
Good morning,
On the network, we detect up to 60 scans every 5 minutes. The scans are carried out by hacked servers or PCs looking for new victims. These PCs scan anything and everything, in every direction. Our network is scanned too. Sometimes servers at Ovh are used to scan.

3 years ago, we set up the detection of scans by servers hosted at Ovh. This means that when a server hosted at Ovh was used to scan, we were able to detect it and stop the scan / the server.

We have 2 detection systems. On the one hand, we have placed probes (false servers) that listen on the network. Traffic to the probes is by definition zero. So if someone opens a connection to a probe, by definition it is a scan. On the other hand, the routers send logs of the traffic on our network (continuously) to servers that examine them (every 5 minutes). This means that all packets passing through our network are logged (!) and then analysed every 5 minutes (!!!). This represents a lot of data. Several servers work on this task. We developed scripts that detect suspicious behaviour such as scans, attacks, spoofing and all types of abuse, and then our alert system lets the network administrators know about these problems. Then they intervene.

In 3 years, the problem has become broader. We had to improve these 2 systems. Because besides the security of our own network, we had to set up the detection of scans from outside. This was done about 3 months ago. The scan is automatically blocked for 6 hours. Then if it starts again, it is blocked again. Thanks to these protections, our network is much safer than in the past, since it is protected against scans from outside.

1 week ago, we introduced a wider system that can analyse all the scans on all ports. This means that if an IP on the Internet scans a few different ports at the same time, we now find it, whereas before the trigger did not allow it. We went from 60-80 blocks at the same time to 290-350 at the same time.

Our network has been "clean" for 2 weeks. Scan detection on the SSH, FTP, WEB and POP3 ports works perfectly well.

With the improvement of the system, for 1 week we have had a lot more information. Through these scan detections, we closed all the hackers' servers that were ordered 1-3 months ago (and which generated enormous unpaid bills at Ovh). Example: in 3 days we closed 64 servers obtained 1-3 months ago by these hackers. The last recorded scan was done this morning at 4:34. We believe there are still around ten servers to close.

Also, we still have the last 30 servers that scan the network. These are old customers who have had servers for several months / years. We are looking at each case calmly with them.

We believe that our network will be "VERY clean" in about 1 week. If there is a clean network, I apply at Ovh.

With the improved scan detection, we were able to detect servers that were hacked and send spam. All of a sudden a server connects massively to SMTP ports, and that can be seen. We are in the process of checking case by case whether it generates false positives. But this detection will enable us to block all servers used to spam 5 minutes after the start of the spam, and therefore before the harm is done.

It will take logs to prove to support that our network is not the only one ...

Yours
Octave
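An added example, not code from Octave or OVH: a small Python sketch of the two detections described in the post (a probe that should never receive traffic, and a 5-minute pass over router flow logs flagging sources that hit many ports or hosts, or burst to SMTP) with 6-hour blocks that are simply renewed when a source is caught again. The flow records, the probe address and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (timestamp, src_ip, dst_ip, dst_port) standing
# in for the router traffic logs described in the post; not real OVH data.
BASE = datetime(2008, 6, 8, 4, 30)
FLOWS = [(BASE + timedelta(seconds=s), "203.0.113.5", "198.51.100.1", 1 + s)
         for s in range(30)]                              # one host, 30 ports: scan
FLOWS += [(BASE + timedelta(seconds=s), "203.0.113.9", f"198.51.100.{s % 3}", 25)
          for s in range(60)]                             # 60 SMTP hits on 3 MXs: spam
FLOWS += [(BASE + timedelta(seconds=40), "203.0.113.7", "10.0.0.250", 80)]  # probe hit
FLOWS += [(BASE + timedelta(seconds=s), "192.0.2.10", "198.51.100.1", p)
          for s, p in enumerate((80, 443, 22))]           # ordinary client, 3 ports

PROBE_IPS = {"10.0.0.250"}   # assumed: addresses of the "false server" probes
WINDOW = timedelta(minutes=5)
SCAN_THRESHOLD = 20          # assumed: distinct (host, port) targets per window
SMTP_THRESHOLD = 50          # assumed: port-25 connections per window
BLOCK_FOR = timedelta(hours=6)

def detect(flows, now):
    """Classify sources seen in the last 5-minute window as probe, scan or smtp."""
    start = now - WINDOW
    targets, smtp, probe_hits = defaultdict(set), defaultdict(int), set()
    for ts, src, dst, port in flows:
        if not start <= ts <= now:
            continue
        if dst in PROBE_IPS:           # any traffic to a probe is by definition a scan
            probe_hits.add(src)
        targets[src].add((dst, port))
        if port == 25:
            smtp[src] += 1
    alerts = {src: "probe" for src in probe_hits}
    for src, seen in targets.items():
        if len(seen) >= SCAN_THRESHOLD:   # many ports on one host or one port on many
            alerts.setdefault(src, "scan")
    for src, n in smtp.items():
        if n >= SMTP_THRESHOLD:
            alerts.setdefault(src, "smtp")
    return alerts

class Blocklist:
    """6-hour blocks; a source caught again simply gets a fresh 6 hours."""
    def __init__(self):
        self.expires = {}
    def block(self, ip, now):
        self.expires[ip] = now + BLOCK_FOR
    def is_blocked(self, ip, now):
        return self.expires.get(ip, now) > now
```

Running `detect(FLOWS, BASE + WINDOW)` flags the three abusive sources and leaves the ordinary client alone; the spam burst is not mistaken for a scan because it keeps hitting the same three MX hosts.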