This KB covers what behavior customers can expect from CenturyLink Cloud Operations in the case of a Security Incident.
- CenturyLink Cloud Customers
"A server in CenturyLink Cloud's public cloud is being scanned"
- This is a very common situation and, statistically, this will happen to any server exposed on the Internet at least once every 72 hours. The majority of these scans are throttled in order to avoid detection. As such this will not trigger alarms, and CenturyLink Cloud engineers will not be aware of the attack.
"A server in CenturyLink Cloud's public cloud is being attacked"
- Low-volume attack: The majority of attacks are throttled in order to avoid detection and to leverage a server exploit. As such, this will not trigger any alarm, and therefore CenturyLink Cloud Operations will not be aware of the attack.
- High-volume attack (DDoS): These types of attacks are designed to overwhelm the capabilities of the server. If the volume of the attack is high enough, it will be detected by CenturyLink Cloud's monitoring infrastructure, and CenturyLink Cloud's support engineering staff will initiate a Security Incident. In the majority of cases, the #1 priority is to mitigate the attack, and therefore it is possible that the mitigation might require that we disable the offending server(s). The CenturyLink Cloud support team will open a ticket to the account administrators, identified in Control.
"Someone has filed an abuse complaint"
- The CenturyLink Cloud support team will initiate a Security Incident and open a ticket against the server(s) identified in the report. The ticket is submitted to the account administrators, who are notified via email.
- CenturyLink Cloud is contractually bound to ensure that these complaints are investigated. If server administrators do not investigate this report within an expected timeframe, it may be necessary for us to suspend operation of the server.
"What does the CenturyLink Cloud support team do during a Security Incident?"
- Notify our Security team about the incident.
- Assess the validity of security reports and other signals being received. If the support team has access to the affected devices, such as our cloud infrastructure or a Managed server, we will investigate it.
- If we do not have access to the server, the team will open a ticket in the CenturyLink Cloud ticketing system with all of the account administrators of that server on the ticket. The customer will be asked to take prompt action by investigating the issue.
- In cases where the Security Incident is determined to be adversely impacting other customers, our engineers will take immediate steps to mitigate the situation and verify that service is fully restored to normal operating status.