News: Network Security Update: Enhanced Threat Blocking at the Edge
We're continuously investing in the security of our network infrastructure to ensure your services stay protected from the growing volume of internet-based threats. Here's a look at the latest improvements we've made to keep malicious traffic away from your servers and services.
Hardware-Level Threat Blocking at the Network Edge
We've deployed advanced access control lists (ACLs) directly on our edge routers at both of our facilities. These aren't software firewalls that consume CPU resources - they operate at the hardware level within the network switch chips, dropping malicious traffic before it ever reaches the routing layer. This means:
- Zero performance impact - blocking happens in silicon at line rate, with no effect on your traffic
- Coverage across all upstream paths - every internet-facing link is protected, including redundant paths
- Large capacity - our edge hardware supports thousands of blocking rules per device, giving us plenty of room to respond to new threats as they emerge
Known botnet command-and-control networks, persistent vulnerability scanners, and brute-force attack sources are identified and blocked at the network perimeter. When our systems detect a high-volume scanner or attack source targeting customer infrastructure, we add it to the hardware blocklist across all edge devices. The traffic is silently dropped before it reaches your server.
Daily Health Reports with Threat Intelligence
Our network operations team reviews automated Daily Health Reports that incorporate data from multiple sources:
- Spamhaus blocklists - we monitor whether any of our IP ranges appear on the Spamhaus Block List (SBL), Exploits Block List (XBL), or Policy Block List (PBL). If a listing is detected, we investigate and take action to resolve it promptly.
- Traffic flow analysis - we monitor traffic patterns across the network to identify anomalies such as DDoS attacks, unusual traffic spikes, or scanning activity targeting customer services
- BGP route health - we verify that our internet routing is clean and that no unauthorized or malicious route announcements are affecting reachability to your services
- Inbound prefix filtering - our edge routers reject traffic from reserved and bogus IP address ranges (as defined by the IANA Special-Purpose Address Registry), preventing spoofed traffic from entering the network
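The Spamhaus check in the list above comes down to one DNSBL lookup per address in a range, followed by decoding the answer. The Python below is an added example, not the provider's own tooling: it assumes the combined zen.spamhaus.org zone and Spamhaus's published return codes, and the resolver callable and sample answers are constructed so that it runs offline.

```python
import ipaddress

ZEN = "zen.spamhaus.org"  # assumed: combined Spamhaus zone covering SBL, XBL and PBL
# Last octet of a 127.0.0.x answer -> list name (Spamhaus's published ZEN codes).
LISTS = {2: "SBL", 3: "SBL", 9: "SBL", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
         10: "PBL", 11: "PBL"}
# 127.255.255.x answers are errors, not listings; treating them as hits is a common bug.
ERRORS = {252: "malformed query name", 254: "query came via a public/open resolver",
          255: "query volume limit exceeded"}

class DnsblError(Exception):
    """The DNSBL answered with an error code; the result says nothing about the IP."""

def query_name(ip):
    """Build the lookup name: reversed octets (IPv4) or nibbles (IPv6) plus the zone."""
    ptr = ipaddress.ip_address(ip).reverse_pointer
    reversed_part = ptr.rsplit(".", 2)[0]  # drop 'in-addr.arpa' / 'ip6.arpa'
    return f"{reversed_part}.{ZEN}"

def classify(answers):
    """Map the A records returned for one lookup to the set of list names."""
    hits = set()
    for a in answers:
        o = [int(x) for x in a.split(".")]
        if o[:3] == [127, 255, 255]:
            raise DnsblError(ERRORS.get(o[3], f"unknown error code {a}"))
        if o[:3] == [127, 0, 0]:
            hits.add(LISTS.get(o[3], f"unrecognised code {a}"))
    return hits

def check_prefix(prefix, resolve):
    """Return {ip: sorted list names} for every listed host address in the prefix.

    `resolve` is a hypothetical injected callable: name -> A records, [] on NXDOMAIN.
    """
    listed = {}
    for ip in ipaddress.ip_network(prefix).hosts():
        hits = classify(resolve(query_name(str(ip))))
        if hits:
            listed[str(ip)] = sorted(hits)
    return listed

# Constructed answers for a documentation prefix; a real run would plug in a resolver.
FAKE_ZONE = {"2.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],
             "5.2.0.192.zen.spamhaus.org": ["127.0.0.2"]}

if __name__ == "__main__":
    print(check_prefix("192.0.2.0/29", lambda n: FAKE_ZONE.get(n, [])))
```

Raising on the 127.255.255.x codes matters for a daily report: an error answer would otherwise be read as either a listing or a clean result, depending on how the check is written.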
Multi-Layer Monitoring
Beyond the hardware-level blocking, our infrastructure is monitored around the clock by multiple independent systems:
- Real-time alerting on all critical network links, BGP sessions, and inter-site connectivity
- Centralized syslog analysis for detecting unusual events across all network devices
- Configuration version control - every change to our network devices is tracked and auditable
What This Means for You
No action is required on your part. These protections are applied at the network level for all customers: whether you're running a hosted server, using our internet services, or operating any other internet-facing infrastructure through our network, you benefit from them automatically.
If you're experiencing issues with unwanted traffic or suspect your services are being targeted, don't hesitate to reach out. We can investigate using our traffic analysis tools and, where appropriate, add targeted blocks to protect your specific services.