compromised machines and entire network health
Mark Bucciarelli
mark at gaiahost.coop
Thu Jul 13 16:29:02 UTC 2006
On Thu, Jul 13, 2006 at 11:56:50AM -0400, Arie Kachler wrote:
> Is there a solution to this? I know all computers should be
> kept up to date so this does not happen, but most times
> customers are not as attentive to patches as we sysadmins are.
> Assuming that there will always be machines with security
> issues, is there a way to prevent a compromised computer from
> bringing down an entire network?
We had a similar issue with a box whose network card went
temporarily insane (we think). It's a colocated box, so I don't
know for sure.
I see two options:
(1) If you have root, you could use traffic shaping to limit
outgoing traffic volume. Put all customers in jails and
don't give them access to the jail host where pf lives.
(2) Monitor at the switch level and when a box goes crazy, shut
down that port.
We are going with option (2) (hence my recent query about smart
switches). I'm not sure how/if (1) could work properly.
I expect that we could automate (2) if we choose to.
--
Mark Bucciarelli
GAIA Host Collective, LLC
email: mark at gaiahost.coop
web: http://www.gaiahost.coop
"Reliable internet solutions from an environmentally
and socially concerned worker collective"
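As an added illustration of option (1), not part of the original post: a pf.conf fragment for the jail host that gives each customer jail a fixed ALTQ/CBQ slice of the uplink, so one compromised jail flooding outbound cannot starve the others or the host. The interface name, uplink speed and jail addresses are constructed assumptions, and the kernel must be built with ALTQ support.

```pf
# Constructed example for the jail host's /etc/pf.conf; em0, 10Mb
# and the 192.0.2.x jail addresses are assumptions.
ext_if = "em0"
jail_a = "192.0.2.10"
jail_b = "192.0.2.11"

# Split the uplink into a default queue for the host and a pool for
# customer jails. Child queues get a percentage of their parent and,
# without cbq(borrow), cannot exceed their slice even when idle
# capacity exists elsewhere.
altq on $ext_if cbq bandwidth 10Mb queue { q_host, q_jails }
queue q_host  bandwidth 40% cbq(default)
queue q_jails bandwidth 60% { q_jail_a, q_jail_b }
  queue q_jail_a bandwidth 50%
  queue q_jail_b bandwidth 50%

# Steer each jail's outbound traffic into its own queue. Jails share
# the host's network stack, so the source address identifies them.
pass out on $ext_if from $jail_a to any keep state queue q_jail_a
pass out on $ext_if from $jail_b to any keep state queue q_jail_b
```

This caps bytes per second, not packets per second, so a jail emitting a flood of tiny packets still costs the host CPU in pf before the queue drops them; the switch-port approach in option (2) is what removes that load entirely.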