IDS Blocks - Strategy
Idea shared by SmarterUser - June 11, 2015 at 11:09 PM
Just a suggestion for other admins based on behavior I'm seeing, primarily with Brute Force Password attempts.  If you have configured your IDS blocks to only detect attempts over a short interval, you should consider also configuring much longer intervals.  We know the hackers often change to a different IP when they get blocked, but I am often seeing situations where they also decrease their attempt rate to try to avoid detection.  I see where an IP is blocked with some number of attempts in a 10 minute period, and then the next sequential IP gets blocked with the same number of attempts in a 120 minute period.  If you only have short durations configured, you won't catch these attempts.
What I have done, just to verify the behavior, is to take what I consider my max number of allowable attempts, say 20, and configure it for 10 minutes, 30 minutes, 60 minutes, 120 minutes, 240 minutes, and 480 minutes.  You will block some additional attempts this way.  Not a lot, but some.  Now if we can just get the blocks to survive restarts.  

1 Reply

Reply to Thread
SmarterUser Replied
June 14, 2015 at 2:00 AM
Just a update on this.  I have been catching a number of attempts up to 20 tries in 240 minutes, so the hackers are definitely decreasing their velocity in response to being blocked.  If you're relying only on short intervals, you're leaving yourself open.

Reply to Thread