From: Mark Bucciarelli <mark@gaiahost.coop>
To: Arie Kachler
Cc: freebsd-isp@freebsd.org
Date: Thu, 13 Jul 2006 12:28:58 -0400
Subject: Re: compromised machines and entire network health
Message-ID: <20060713162858.GC3508@rabbit>
In-Reply-To: <44B66D42.6030302@telcom.net>

On Thu, Jul 13, 2006 at 11:56:50AM -0400, Arie Kachler wrote:
> Is there a solution to this? I know all computers should be
> kept up to date so this does not happen, but most times
> customers are not as attentive to patches as we sysadmins are.
> Assuming that there will always be machines with security
> issues, is there a way to prevent a compromised computer from
> bringing down an entire network?

We had a similar issue with a box whose network card went temporarily
insane (we think). It's a colocated box, so I don't know for sure.

I see two options:

(1) If you have root, you could use traffic shaping to limit outgoing
traffic volume. Put all customers in jails and don't give them access
to the jail host where pf lives.

(2) Monitor at the switch level and when a box goes crazy, shut down
that port.

We are going with option (2) (hence my recent query about smart
switches). I'm not sure how/if (1) could work properly. I expect that
we could automate (2) if we choose to.

-- 
Mark Bucciarelli
GAIA Host Collective, LLC
email: mark@gaiahost.coop
web: http://www.gaiahost.coop
"Reliable internet solutions from an environmentally and socially
concerned worker collective"
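Option (1) above, written out as a pf.conf fragment for the jail host. This is an added example, not configuration posted in the thread or used by GAIA Host: the interface name em0, the 100Mb link speed, the per-jail 5Mb caps and the jail addresses (192.0.2.10 and 192.0.2.11, from the documentation range) are assumptions. It uses the ALTQ queueing that pf offered on FreeBSD of that era; each customer jail gets its own capped queue so one runaway jail cannot consume the link, while traffic from the host itself falls into the default queue.

```pf
# pf.conf on the jail host (constructed example; addresses and names are assumptions)
ext_if = "em0"                 # assumed uplink interface
jail_a = "192.0.2.10"          # assumed address of customer jail A
jail_b = "192.0.2.11"          # assumed address of customer jail B

# Root queue: ALTQ needs the real link speed, not a percentage.
# Child bandwidth must not exceed the parent's (50Mb + 5Mb + 5Mb <= 100Mb).
altq on $ext_if cbq bandwidth 100Mb queue { q_default, q_jail_a, q_jail_b }

# Host traffic and anything not otherwise classified.
queue q_default bandwidth 50% cbq(default)

# Hard caps: without the 'borrow' option a cbq queue cannot exceed its
# bandwidth even when the link is idle, so a compromised jail is bounded.
queue q_jail_a bandwidth 5Mb
queue q_jail_b bandwidth 5Mb

# Classify outbound traffic by source address into the jail's queue.
# 'keep state' lets replies match the same state entry.
pass out on $ext_if from $jail_a to any keep state queue q_jail_a
pass out on $ext_if from $jail_b to any keep state queue q_jail_b
pass out on $ext_if keep state
```

Load it with `pfctl -f /etc/pf.conf` and check queue assignment with `pfctl -vsq`; the kernel must be built with `options ALTQ` and `options ALTQ_CBQ` or the `altq` lines are rejected. Two limits worth knowing before relying on this alone: it only constrains traffic that actually passes through pf on the host, so a customer who can reach the jail host (or a physical box of their own) is outside it, and it caps bytes rather than packets, so a small-packet flood at 5Mb is still a high packet rate on a shared segment. That is the gap the switch-level port shutdown in option (2) closes.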