Intrusion Detection System

What does an IDS do?

An Intrusion Detection System monitors a network, detects malicious activity, and blocks the offending source for a fixed period of time.

How much does this cost? Who built the platform?

Our IDS platform is included at no additional cost and protects our locations as a whole.

The platform itself was built in-house over the years.

What does it protect against?

The current revision of our platform monitors, on a best-effort basis, for the following network-wide activity:

The 'naughty' list

Activity                      Port      Note
-- Daemons, etc --
SSH account brute forcing     22        Common. 20+ blocks a day
FTP account brute forcing     21        Not very common. 1 - 5 blocks a day
NetBIOS exploits (Windows)    445       “God dammit Gates!”. 250+ a day
Mail server brute forces      25, 110   Fairly common. 5+ a day
-- Abused protocols --
NTP amplification             123       Extremely common
DNS amplification             53        Extremely common

Remember, this is a best-effort platform. Our IDS does not monitor for directed attacks (read: someone decides they want to brute-force you directly). We always recommend you change your SSH port when possible and always keep your applications up to date.

Can I be excluded from the IDS?

No.

We previously allowed users to opt out, but after countless people were compromised after requesting it, we revised this policy.

Does the IDS protect from bot spam?

Kind of. As of right now our IDS monitors HTTP connections, which will stop some bot spam.

We're currently considering importing stopformspam.com's blacklist into our IDS platform. If you wish to voice your opinion/concerns about this, just email admin@frantech.ca or log a ticket.

Does this IDS sniff my traffic?

For the most part, no.

Our IDS works off a cluster of traps set up throughout our deployments. When one of them is tripped by an exploit scanner, the offending IP is null-routed for a set amount of time.
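As an added illustration (not FranTech's own code) of the trap-then-null-route flow described above: the script below feeds constructed trap log lines through a small table that black-holes any source hitting one of the trap ports from the 'naughty' list and lets the block lapse after a fixed window. The log format, the one-hour window, and the rule that a repeat hit restarts the clock are assumptions; the page only says the block lasts "a set amount of time". The `ip route ... blackhole` commands are collected as strings, not executed.

```python
# Added example (not FranTech's code): a model of the trap-triggered
# null-route logic. Honeypot hits arrive as constructed log lines; any hit
# on a trap port null-routes the source for a fixed window.
from collections import namedtuple
from datetime import datetime, timedelta

# Trap ports taken from the page's 'naughty' list (daemons section).
TRAP_PORTS = {
    22: "SSH brute force",
    21: "FTP brute force",
    445: "NetBIOS exploit",
    25: "mail brute force",
    110: "mail brute force",
}

# Assumption: the page says a "fixed period of time" but not how long.
BLOCK_WINDOW = timedelta(hours=1)

# Constructed sample trap log: "<ISO timestamp> <source ip> <destination port>"
SAMPLE_LOG = """\
2014-04-07T12:00:00 203.0.113.10 22
2014-04-07T12:00:05 203.0.113.10 22
2014-04-07T12:01:00 198.51.100.7 445
2014-04-07T12:02:00 192.0.2.55 80
2014-04-07T13:30:00 203.0.113.10 21
"""

Event = namedtuple("Event", "when src_ip dst_port")


def parse_line(line):
    """Parse one trap log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return Event(datetime.fromisoformat(parts[0]), parts[1], int(parts[2]))
    except ValueError:
        return None


class NullRouteTable:
    """Tracks which source IPs are currently black-holed and until when."""

    def __init__(self, window=BLOCK_WINDOW):
        self.window = window
        self.expires = {}    # src_ip -> expiry time
        self.commands = []   # null-route commands a node would run (collected, not executed)

    def expire(self, now):
        """Drop every block whose window has already passed."""
        for ip in [ip for ip, until in self.expires.items() if until <= now]:
            del self.expires[ip]
            self.commands.append(f"ip route del blackhole {ip}")

    def trip(self, event):
        """A hit on a trap port black-holes the source for one full window.
        Assumption: a repeat hit from an already-blocked IP just restarts the clock."""
        self.expire(event.when)
        if event.src_ip not in self.expires:
            self.commands.append(f"ip route add blackhole {event.src_ip}")
        self.expires[event.src_ip] = event.when + self.window

    def is_blocked(self, ip, now):
        return ip in self.expires and self.expires[ip] > now


def process_log(text, window=BLOCK_WINDOW):
    """Feed trap log lines through the table; return the table for inspection."""
    table = NullRouteTable(window)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.dst_port not in TRAP_PORTS:
            continue  # non-trap ports (e.g. ordinary HTTP) never trip a block
        table.trip(ev)
    return table


if __name__ == "__main__":
    table = process_log(SAMPLE_LOG)
    print("\n".join(table.commands))
```

Note what the sample shows: the connection to port 80 never trips anything (the traps only listen on the listed ports), and the third hit from 203.0.113.10 arrives after its first block has lapsed, so it is black-holed a second time rather than silently ignored.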

For NTP and DNS amplification, we monitor for specific packets on the node side and block them before they ever reach your virtual server.

We've publicly discussed, and shared, how we handle NTP amplification at https://vpsboard.com/topic/3564-howto-stop-ntp-amplification-attacks-from-reaching-your-nodes/.
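An added example of the node-side filtering idea for the NTP case (not FranTech's code, and not the contents of the linked post): the page says only that "specific packets" are blocked, so the classifier below assumes the widely documented NTP amplification vector, the mode-7 "monlist" request (request code 20 or 42 in byte 3 of a private-mode packet). Ordinary client/server NTP and mode-7 responses pass through; only monlist requests addressed to port 123 are dropped. The packet tuples are constructed samples.

```python
# Added example (not FranTech's code): a node-side classifier for the NTP
# packets that amplification scanners send. The NTP "monlist" request
# (a mode-7 private packet with request code 20 or 42) is the well-known
# amplification vector; the page itself does not name the packets it blocks.
MODE_PRIVATE = 7
MONLIST_CODES = {20: "REQ_MON_GETLIST", 42: "REQ_MON_GETLIST_1"}
NTP_PORT = 123


def classify_ntp_payload(payload):
    """Classify a UDP payload seen on port 123.

    Returns one of: "monlist-request", "mode7-other", "ntp-normal", "malformed".
    """
    if len(payload) < 4:
        return "malformed"
    mode = payload[0] & 0x07  # low three bits of byte 0 carry the NTP mode
    if mode != MODE_PRIVATE:
        # Ordinary NTP (modes 1-6) carries a 48-byte header at minimum.
        return "ntp-normal" if len(payload) >= 48 else "malformed"
    is_response = bool(payload[0] & 0x80)  # bit 7 of byte 0 marks a response
    request_code = payload[3]              # byte 3 of a mode-7 packet is the request code
    if not is_response and request_code in MONLIST_CODES:
        return "monlist-request"
    return "mode7-other"


def filter_inbound(packets):
    """Split (src_ip, dst_port, payload) tuples into what a node would drop vs forward.

    Only monlist requests to port 123 are dropped; everything else is forwarded
    to the virtual server untouched.
    """
    dropped, forwarded = [], []
    for pkt in packets:
        _src_ip, dst_port, payload = pkt
        if dst_port == NTP_PORT and classify_ntp_payload(payload) == "monlist-request":
            dropped.append(pkt)
        else:
            forwarded.append(pkt)
    return dropped, forwarded


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    ("203.0.113.9", 123, b"\x17\x00\x03\x2a" + b"\x00" * 4),   # mode 7, impl 3, code 42
    ("198.51.100.4", 123, b"\x1b" + b"\x00" * 47),             # plain mode-3 client query
    ("198.51.100.4", 123, b"\x97\x00\x03\x2a" + b"\x00" * 4),  # mode-7 response, not a request
    ("192.0.2.77", 53, b"\x17\x00\x03\x2a"),                   # same bytes on the DNS port: not NTP
]


if __name__ == "__main__":
    dropped, forwarded = filter_inbound(SAMPLE_PACKETS)
    for src, _, _ in dropped:
        print(f"drop monlist request from {src}")
    print(f"forwarded {len(forwarded)} packet(s)")
```

The check is deliberately narrow: matching on the mode bits, the response bit and the request code rather than on a fixed byte string means a legitimate time-sync exchange is never caught, and the port test keeps the same bytes on another port from being misread as NTP.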

ids.txt · Last modified: 2014/04/07 13:09 by Francisco Dias