compromised machines and entire network health

Gary D. Margiotta gary at tbe.net
Thu Jul 13 16:37:40 UTC 2006


> I see two options:
>
> (1) If you have root, you could use traffic shaping to limit
>    outgoing traffic volume.  Put all customers in jails and
>    don't give them access to the jail host where pf lives.
>
> (2) Monitor at the switch level and when a box goes crazy, shut
>    down that port.
>
> We are going with option (2) (hence my recent query about smart
> switches).  I'm not sure how/if (1) could work properly.
>
> I expect that we could automate (2) if we choose to.

Problem with #1 is if the machines are not FreeBSD... if a machine is 
getting wormed, it's most likely a Windoze box.

You'd have to take a network-level approach in that case, which is where 
smart switches come into play.  Anything that has a host O/S on it 
(accessible via telnet or even web interface) should be able to do what 
you need to traffic shape, or shut down single ports if you need.  We 
have Intel series switches which do this, as well as Cisco and other 
major-vendor switches.  You'll pay more for them, but with that cost comes 
platform-agnostic tools to help manage the network and its problems, 
abstracting the O/S from the picture.

-Gary

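The automated form of option (2) discussed above, as an added example that is not part of the original thread or anyone's posted code: a Python script that takes two successive polls of per-port outbound octet counters (the kind a managed switch exposes as ifHCOutOctets over SNMP), computes each port's rate with counter-wrap correction, and reports the ports whose rate exceeds a threshold. The port names, counter values and threshold are constructed sample data; the shutdown hook is an assumed placeholder that only records the decision, since the real command (SNMP ifAdminStatus or the switch CLI) is vendor-specific.

```python
"""
Rate-based "box gone crazy" detector for managed switch ports.

Polls of per-port ifHCOutOctets are simulated with constructed data;
the port-disable step is a logging-only placeholder (assumption: the
deployment wires it to SNMP ifAdminStatus or the vendor CLI).
"""
from dataclasses import dataclass

# High-capacity (64-bit) interface counters wrap at 2**64.
COUNTER_BITS = 64


@dataclass
class Alert:
    port: str
    out_bps: float        # observed outbound bits per second
    threshold_bps: float


def counter_delta(old: int, new: int, bits: int = COUNTER_BITS) -> int:
    """Octets sent between two polls, correcting for a single counter wrap."""
    if new >= old:
        return new - old
    return (1 << bits) - old + new


def port_rates(poll_a: dict, poll_b: dict, interval_s: float) -> dict:
    """Return {port: outbound bits/s} from two counter snapshots.

    poll_a / poll_b map port name -> ifHCOutOctets at t and t + interval_s.
    A port present in only one poll is skipped rather than guessed at.
    """
    rates = {}
    for port, octets_a in poll_a.items():
        if port not in poll_b:
            continue
        delta = counter_delta(octets_a, poll_b[port])
        rates[port] = delta * 8 / interval_s
    return rates


def find_runaway_ports(poll_a: dict, poll_b: dict, interval_s: float,
                       threshold_bps: float) -> list:
    """Ports whose outbound rate exceeds the threshold, worst offender first."""
    rates = port_rates(poll_a, poll_b, interval_s)
    alerts = [Alert(p, r, threshold_bps) for p, r in rates.items()
              if r > threshold_bps]
    return sorted(alerts, key=lambda a: a.out_bps, reverse=True)


def shutdown_port(port: str, action_log: list) -> None:
    """Placeholder (assumption) for the vendor-specific port shutdown.
    Only records the decision so the script is safe to run as a dry run."""
    action_log.append(f"would disable {port}")


def run_once(poll_a: dict, poll_b: dict, interval_s: float,
             threshold_bps: float, action_log: list) -> list:
    """One monitoring cycle: detect runaway ports and invoke the shutdown hook."""
    alerts = find_runaway_ports(poll_a, poll_b, interval_s, threshold_bps)
    for alert in alerts:
        shutdown_port(alert.port, action_log)
    return alerts


# Constructed sample: three customer ports polled 60 seconds apart.
# Gi0/2 jumps by ~795 MB in a minute (a wormed box spewing traffic);
# Gi0/3 sits just below the 64-bit wrap so the wrap logic is exercised.
SAMPLE_T0 = {"Gi0/1": 1_000_000, "Gi0/2": 5_000_000, "Gi0/3": (1 << 64) - 1000}
SAMPLE_T1 = {"Gi0/1": 1_600_000, "Gi0/2": 800_000_000, "Gi0/3": 500}
SAMPLE_INTERVAL_S = 60
SAMPLE_THRESHOLD_BPS = 20_000_000   # 20 Mbit/s sustained outbound


if __name__ == "__main__":
    log = []
    for alert in run_once(SAMPLE_T0, SAMPLE_T1, SAMPLE_INTERVAL_S,
                          SAMPLE_THRESHOLD_BPS, log):
        print(f"{alert.port}: {alert.out_bps / 1e6:.1f} Mbit/s out "
              f"(threshold {alert.threshold_bps / 1e6:.0f} Mbit/s)")
    print("\n".join(log))
```

The threshold should be set per customer class rather than globally, and a single poll pair is noisy; a production version would require the rate to stay above threshold for two or three consecutive intervals before acting, which avoids cutting a customer off for a legitimate burst such as a backup.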

More information about the freebsd-isp mailing list