Network protection against abuse

Nowadays, companies that give their customers access to a VPS or a dedicated server, where the user can abuse the machine for illegal activities, are fighting a huge issue.

The most common illegal activities taking place nowadays are SSH scanning, DoS attacks, mail spamming, port scanning and many others. My task was to at least try to defend the company against this type of activity originating from their network, so we could avoid the abuse messages they were receiving from multiple honeypots and automatic reporting systems.

After thinking for a while I went to work on some simple solutions to block those outgoing packets before they leave the network. Below I discuss my chosen methods for blocking some of these illegal activities.

SSH scanning - For this category it's pretty simple: the user's machine sends a lot of outgoing packets to destination port 22 (SSH), trying to guess the target's passwords using a dictionary of common usernames and passwords. We can partially block this by rate limiting outgoing packets to destination port 22, but since this isn't a complete fix I've also implemented a notification trigger that alerts the staff when this happens.

DoS attacks outgoing - Here things get much more complex, since DoS attacks can't really be detected reliably because the methods used to send the attack vary. Still, I've implemented some cool algorithms to detect high PPS (packets per second) leaving the network when the packet payload repeats itself, along with other more complicated checks. Since this is not a perfect fix, it just notifies the staff that something unusual may be happening on their network.

Mail spamming - To fix this issue I've deployed a Proxmox Mail Gateway inside the network to filter all outgoing e-mails automatically, and with the help of this software I've managed to fix the issue.

Port scanning - Port scanning can be detected by the incrementing destination port of the outgoing packets; that's what I've done to detect it and notify the company's team.
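As an added example (not the author's code), here is a small Python pass over constructed packet records that applies the three heuristics described above: many distinct hosts on port 22, incrementing destination ports toward one host, and high PPS of a repeating payload. The record format, the thresholds and the sample traffic are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample traffic (not a real capture): (ts_seconds, src_ip, dst_ip, dst_port, payload)
SAMPLE = (
    # hypothetical SSH scanner: one source, port 22 on many different hosts
    [(0.1 * i, "10.0.0.5", f"198.51.100.{i}", 22, b"SSH-2.0") for i in range(12)]
    # hypothetical port scanner: one target, destination port counting upward
    + [(1.0 + 0.01 * i, "10.0.0.6", "203.0.113.9", 20 + i, b"") for i in range(15)]
    # hypothetical flood: 150 identical payloads to one host within one second
    + [(2.0 + 0.005 * i, "10.0.0.7", "203.0.113.20", 80, b"X" * 64) for i in range(150)]
    # ordinary client traffic that must not be flagged
    + [(3.0 + i, "10.0.0.8", "192.0.2.10", 443, b"GET /") for i in range(5)]
)

def ssh_scan_sources(packets, max_targets=5):
    # SSH scanning: one source contacting many distinct hosts on port 22
    targets = defaultdict(set)
    for _, src, dst, port, _ in packets:
        if port == 22:
            targets[src].add(dst)
    return {src for src, hosts in targets.items() if len(hosts) > max_targets}

def port_scan_sources(packets, min_steps=5):
    # port scanning: destination port incrementing by one toward the same host
    ports, steps = defaultdict(list), Counter()
    for _, src, dst, port, _ in packets:
        ports[(src, dst)].append(port)
    for (src, _), seq in ports.items():
        steps[src] += sum(cur == prev + 1 for prev, cur in zip(seq, seq[1:]))
    return {src for src, n in steps.items() if n >= min_steps}

def flood_sources(packets, window=1.0, max_pps=100, repeat_ratio=0.9):
    # DoS heuristic: high packets-per-second in a window where one payload dominates
    buckets, flagged = defaultdict(list), set()
    for ts, src, _, _, payload in packets:
        buckets[(src, int(ts // window))].append(payload)
    for (src, _), payloads in buckets.items():
        top = Counter(payloads).most_common(1)[0][1]
        if len(payloads) > max_pps and top / len(payloads) >= repeat_ratio:
            flagged.add(src)
    return flagged

def triage(packets):
    # which heuristics each source tripped, i.e. what the staff alert would list
    hits = {"ssh-scan": ssh_scan_sources(packets), "port-scan": port_scan_sources(packets),
            "flood": flood_sources(packets)}
    srcs = set().union(*hits.values())
    return {s: [k for k, v in hits.items() if s in v] for s in sorted(srcs)}
```

Running `triage(SAMPLE)` flags the three constructed offenders and leaves the ordinary client untouched; in practice the records would come from NetFlow/sFlow or a packet tap at the network edge.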

These issues weren't fixed completely, but it's better than nothing. :)