I wanted to re-do the test tomorrow at 7h/8h am in order to
validate a setting. It is obvious that there are big differences
in the settings between night and day,
and all in all we should do the R&D during the day :(
Comment by OVH - Wednesday, 02 June 2010, 15:17PM
We have changed the settings again.
Both of the two levels were set up.
Comment by OVH - Friday, 04 June 2010, 17:52PM
We will reduce the burst, and so strengthen
the protections. We have huge scans on the
network at the level of port 23 (telnet).
Comment by OVH - Friday, 04 June 2010, 17:52PM
done
Comment by OVH - Friday, 04 June 2010, 17:54PM
More than 1000 external IPs blocked in telnet on 1200.
Normally we run at 200-300 max over the 6 hours.
Comment by OVH - Thursday, 08 July 2010, 16:50PM
We are refining the adjustments against SYN flood.
Comment by OVH - Friday, 30 July 2010, 05:31AM
We have switched the blocking of IPs which scan to other infra in order to absorb this "bad" traffic and analyse it. This is going to allow us to have more logs and especially to know when the scan is finished. And if the scan is not finished, the IP is kept blocked.
We could provide a site with the blocked IP list as well as the scan logs, then aggregate these logs by network and AS in order to determine which ASes are hazardous.
+ ICMP
Done.
We have removed SYN. We leave ICMP.
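The aggregation described in the comment above (keep an IP blocked while its scan is not finished, then group scanning sources by network and AS to spot hazardous ASes) as an added, self-contained example; this is not OVH's code. The log format, prefix-to-AS table and addresses are constructed for the example, not taken from the page.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed prefix-to-AS table (hypothetical documentation prefixes and ASNs).
PREFIX_TO_AS = {
    "198.51.100.0/24": "AS64500",
    "203.0.113.0/24": "AS64501",
    "192.0.2.0/24": "AS64502",
}
NETWORKS = [(ipaddress.ip_network(p), asn) for p, asn in PREFIX_TO_AS.items()]

# Constructed scan log in a hypothetical format:
#   <ISO timestamp> <source ip> <destination port> <scan finished: yes|no>
SCAN_LOG = """\
2010-06-04T17:00:00 198.51.100.7 23 no
2010-06-04T17:01:00 198.51.100.8 23 no
2010-06-04T17:02:00 198.51.100.9 23 no
2010-06-04T17:03:00 203.0.113.4 23 yes
2010-06-04T17:05:00 192.0.2.10 22 no
"""

def lookup_as(ip):
    """Map a source address to its AS via longest-prefix-free linear match."""
    addr = ipaddress.ip_address(ip)
    for net, asn in NETWORKS:
        if addr in net:
            return asn
    return "unknown"

def parse_scan_log(text):
    """Return (timestamp, ip, port, finished) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, port, done = line.split()
        events.append((datetime.fromisoformat(ts), ip, int(port), done == "yes"))
    return events

def blocked_ips(events, port=23):
    """An IP stays blocked while its latest scan on `port` is not finished."""
    last_state = {}
    for _, ip, dst_port, done in events:
        if dst_port == port:
            last_state[ip] = not done
    return {ip for ip, still_blocked in last_state.items() if still_blocked}

def hazardous_as(events, min_sources=2):
    """Count distinct scanning sources per AS; flag ASes at or above the threshold."""
    sources = defaultdict(set)
    for _, ip, _, _ in events:
        sources[lookup_as(ip)].add(ip)
    return {asn: len(ips) for asn, ips in sources.items() if len(ips) >= min_sources}
```

A distinct-source count per AS is what makes one AS stand out; comparing the blocked set size against the usual 200-300 per 6 hours mentioned above is the same kind of threshold applied per window.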