From: Chuck Swiger <cswiger@mac.com>
Date: Thu, 13 Jul 2006 14:11:32 -0400
To: akachler@telcom.net
Cc: freebsd-isp@freebsd.org
Subject: Re: compromised machines and entire network health
Message-ID: <44B68CD4.8050701@mac.com>
In-Reply-To: <44B66D42.6030302@telcom.net>
List-Id: Internet Services Providers (freebsd-isp@freebsd.org)

Arie Kachler wrote:
> In the past several years, we have had a few incidents of servers of
> customers that are compromised and then flood our entire network and
> bring down almost everything. The SQL Slammer worm, for example.
>
> Is there a solution to this?

Several.

Egress filtering on your routers with logging to identify infected machines sooner rather than later is probably the single most useful thing you could do. You could also set up a honeynet or teergrube which will slow down worms and reduce their rate of spread.

More complicated solutions involve bandwidth shaping via dummynet or ALTQ, etc.

-- 
-Chuck
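As an added example (not part of the thread or anyone's posted code), the "egress filtering with logging" advice above turned into a small triage script: it reads FreeBSD ipfw syslog lines, keeps only denied outbound packets, and flags internal hosts that are blocked repeatedly or are reaching many distinct destinations, the spray pattern a propagating worm produces. The log format is assumed to be ipfw's standard `ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> out via <iface>` output, and the sample lines are constructed.

```python
"""Find internal hosts tripping an ipfw egress-filter rule (added example).

Assumes FreeBSD ipfw syslog lines of the form
  'ipfw: <rule> Deny <proto> <src>:<sport> <dst>:<dport> out via <iface>'.
The sample lines below are constructed, not taken from a real incident.
"""
import re
from collections import defaultdict

IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw(line):
    """Return the fields of one ipfw log line as a dict, or None if it does not match."""
    m = IPFW_RE.search(line)
    return m.groupdict() if m else None


def suspect_hosts(lines, min_hits=3, min_dsts=3):
    """Return {src: (denied_count, distinct_dsts)} for internal sources whose
    outbound traffic was denied at least min_hits times, or that reached at
    least min_dsts distinct destinations (a scan pattern typical of a worm)."""
    hits = defaultdict(int)
    dsts = defaultdict(set)
    for line in lines:
        f = parse_ipfw(line)
        # Only egress denials matter here; accepted or inbound traffic is skipped.
        if not f or f["dir"] != "out" or f["action"] != "Deny":
            continue
        hits[f["src"]] += 1
        dsts[f["src"]].add(f["dst"])
    return {s: (hits[s], len(dsts[s])) for s in hits
            if hits[s] >= min_hits or len(dsts[s]) >= min_dsts}


# Constructed sample: 192.0.2.23 sprays UDP/1434 (the port SQL Slammer used),
# 192.0.2.50 is an ordinary host with one denied SMTP connection.
SAMPLE_LOG = """\
Jul 13 14:11:01 gw kernel: ipfw: 1000 Deny UDP 192.0.2.23:1434 198.51.100.7:1434 out via em0
Jul 13 14:11:01 gw kernel: ipfw: 1000 Deny UDP 192.0.2.23:1434 198.51.100.8:1434 out via em0
Jul 13 14:11:02 gw kernel: ipfw: 1000 Deny UDP 192.0.2.23:1434 203.0.113.9:1434 out via em0
Jul 13 14:11:02 gw kernel: ipfw: 1000 Deny UDP 192.0.2.23:1434 203.0.113.10:1434 out via em0
Jul 13 14:11:03 gw kernel: ipfw: 1000 Deny TCP 192.0.2.50:51000 198.51.100.7:25 out via em0
Jul 13 14:11:04 gw kernel: ipfw: 900 Accept TCP 192.0.2.50:51001 198.51.100.7:80 out via em0
Jul 13 14:11:05 gw kernel: ipfw: 1100 Deny TCP 198.51.100.99:4444 192.0.2.50:22 in via em0
""".splitlines()

if __name__ == "__main__":
    for host, (n, d) in sorted(suspect_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {n} denied outbound packets to {d} distinct destinations")
```

Pointing the script at `/var/log/security` (where ipfw logs land by default) and tuning the thresholds to your traffic gives a quick list of customer machines to isolate.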