For the past few weeks, we have been taking proactive steps to harden our network against potential cyber attacks, and closely examining traffic, in the wake of Russia's invasion of Ukraine and the advice from the White House to prepare for a state-sponsored mass cyber attack. While we don't want to go into too much detail about the steps we've taken, we will lay out a few.
Edge Firewall Improvements
We currently employ a robust edge firewall system that lets us create a custom rule set for any traffic passing into or out of our network. As part of this, we've enabled connection tracking to keep tabs on connections to SSH, telnet, and other control ports on our servers and our customers' servers. For the next few months we will offer this service to everyone for free until this threat has passed; after that we will continue to offer it for a fee. It works by tracking new connections to an IP. We know that a new connection on many of these control ports is a login attempt, so we can treat each new connection as a brand new attempt. This lets us stop brute force attacks at the firewall instead of relying on software running on the server.
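As an added illustration (not Goldsboro Networks' own firewall rules or code), here is the counting logic the paragraph describes, run over a few constructed conntrack-style events: every NEW connection to a control port counts as one attempt, and a source that exceeds the threshold inside the window is dropped for a cooling-off period. The port list, threshold, window and block duration are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Ports treated as "control" ports: every NEW connection there is counted as
# one login attempt. The port list and all limits below are assumptions.
CONTROL_PORTS = {22, 23}


class BruteForceTracker:
    """Sliding-window count of NEW connections per source to control ports;
    a source that exceeds the threshold is dropped until its block expires."""

    def __init__(self, threshold=5, window=timedelta(minutes=1),
                 block_for=timedelta(minutes=10)):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.attempts = {}   # src -> deque of attempt timestamps inside the window
        self.blocked = {}    # src -> time at which the block expires

    def observe(self, ts, src, dport, state):
        """Return the verdict ('accept' or 'drop') for one tracked connection event."""
        if src in self.blocked:
            if ts < self.blocked[src]:
                return "drop"
            del self.blocked[src]          # block expired: start counting afresh
        if state != "NEW" or dport not in CONTROL_PORTS:
            return "accept"                # established flows / other ports are not login attempts
        window = self.attempts.setdefault(src, deque())
        window.append(ts)
        while ts - window[0] > self.window:
            window.popleft()               # forget attempts older than the window
        if len(window) > self.threshold:
            self.blocked[src] = ts + self.block_for
            window.clear()
            return "drop"
        return "accept"


def parse_event(line):
    """Parse '<iso-time> src=<ip> dport=<port> state=<NEW|ESTABLISHED>' (constructed format)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], int(kv["dport"]), kv["state"]


def apply_rules(lines, tracker=None):
    """Run every event through the tracker in order; return a list of (src, verdict)."""
    tracker = tracker or BruteForceTracker()
    return [(src, tracker.observe(ts, src, dport, state))
            for ts, src, dport, state in map(parse_event, lines)]


# Constructed sample: 203.0.113.7 hammers SSH/telnet, 198.51.100.5 logs in normally.
SAMPLE_EVENTS = [
    "2022-03-10T02:00:00 src=203.0.113.7 dport=22 state=NEW",
    "2022-03-10T02:00:05 src=198.51.100.5 dport=22 state=NEW",
    "2022-03-10T02:00:06 src=198.51.100.5 dport=443 state=NEW",
    "2022-03-10T02:00:10 src=203.0.113.7 dport=22 state=NEW",
    "2022-03-10T02:00:20 src=203.0.113.7 dport=22 state=NEW",
    "2022-03-10T02:00:30 src=203.0.113.7 dport=22 state=NEW",
    "2022-03-10T02:00:40 src=203.0.113.7 dport=22 state=NEW",
    "2022-03-10T02:00:50 src=203.0.113.7 dport=22 state=NEW",   # 6th attempt in a minute: blocked
    "2022-03-10T02:00:59 src=203.0.113.7 dport=23 state=NEW",   # still inside the block
    "2022-03-10T02:11:00 src=203.0.113.7 dport=22 state=NEW",   # block expired, counted afresh
]
```

Running `apply_rules(SAMPLE_EVENTS)` accepts the first seven events, drops the attacker's sixth and seventh attempts, and accepts again once the block has expired.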
We've routed a few subnets into our data center's failover circuit. In the event of a major DDoS attack, we can simply re-route outgoing packets through the failover circuit. This meant a major update to our network topology: an additional edge firewall device and two additional routers to funnel the traffic through the data center.
IPMI access is now restricted to VPN access to our network only. From there you will be assigned a local private IP on a segmented VLAN, which will be whitelisted to allow access to your server. This hardens a rather large attack vector and helps to quarantine a compromised user account.
Broader Border Gate Access
We have been given broader access to the Charter Border Gate Community, allowing us to route our own IPs from the peer exchanges in DC and Atlanta, Georgia. This means that if we keep to plan, we can begin offloading network traffic to a new data center in the near future 🙂 This also lets us blackhole IPs further upstream, where the pipes are bigger.
We are currently able to scrub 40Gbps of traffic. If we experience a DDoS any bigger than about 30Gbps everyone will notice, and at 40Gbps websites start to go offline. We have therefore enlisted a data center in Georgia to act as a backup scrubber on our failover connection; they are capable of scrubbing more than 800Gbps. The problem is latency: consistently running our routes through this data center increases latency by about 22 milliseconds, and since we have a failover connection with broad border gate access, we can afford to keep this service on the back burner until it's needed.
We have deployed 4 new servers for Kubernetes clusters. We are still in the testing phase of this deployment and are looking for testers, but this can be one way we defeat slowloris attacks. It also allows us to sell cloud processing, giving customers access to over 500 CPU cores across several clustered servers if they need it.
Goldsboro Networks staff have moved away from SSH passwords and control panel passwords in favor of 2048-bit keys for our logins. We do not store these keys on our PCs or in the office. Instead, each employee has been issued a keychain thumb drive with their key installed. These keys are rotated every 3 months. This makes our accounts all but impervious to brute force attacks.