From owner-freebsd-isp@FreeBSD.ORG Thu Jul 13 16:37:40 2006
From: "Gary D. Margiotta"
To: Mark Bucciarelli
Cc: freebsd-isp@freebsd.org, Arie Kachler
Date: Thu, 13 Jul 2006 12:33:17 -0400 (EDT)
Subject: Re: compromised machines and entire network health
Message-ID: <20060713122922.L63493@kerplunk.tbe.net>
In-Reply-To: <20060713162858.GC3508@rabbit>
References: <44B66D42.6030302@telcom.net> <20060713162858.GC3508@rabbit>
List-Id: Internet Services Providers

> I see two options:
>
> (1) If you have root, you could use traffic shaping to limit
> outgoing traffic volume. Put all customers in jails and
> don't give them access to the jail host where pf lives.
>
> (2) Monitor at the switch level and when a box goes crazy, shut
> down that port.
>
> We are going with option (2) (hence my recent query about smart
> switches). I'm not sure how/if (1) could work properly.
>
> I expect that we could automate (2) if we choose to.
Problem with #1 is if the machines are not FreeBSD... if a machine is getting wormed, it's most likely a Windoze box. You'd have to take a network-level approach in that case, which is where smart switches come into play. Anything that has a host O/S on it (accessible via telnet or even web interface) should be able to do what you need to traffic shape, or shut down singular ports if you need.

We have Intel series switches which do this, as well as Cisco and other major-vendor switches. You'll pay more for them, but with that cost comes platform-agnostic tools to help manage the network and its problems, abstracting the O/S from the picture.

-Gary
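The "monitor at the switch and shut the port when a box goes crazy" approach from option (2) above, as an added example that is not part of this thread: it takes sampled per-port ifOutOctets counters (the SNMP polling and the vendor-specific port-disable command are assumed and left outside the block), corrects for 32-bit counter wrap, and only flags a port after several consecutive over-threshold intervals so a single burst does not knock a customer offline. The threshold, strike count and sample data are constructed.

```python
from collections import defaultdict

COUNTER_MAX = 2**32          # ifOutOctets is a 32-bit counter on many older switches
THRESHOLD_BPS = 20_000_000   # constructed policy: 20 Mbit/s sustained egress per port
STRIKES = 3                  # consecutive over-threshold intervals before acting


def delta(prev, cur):
    """Octet delta between two counter samples, correcting for 32-bit wrap."""
    return cur - prev if cur >= prev else cur + COUNTER_MAX - prev


def egress_rates(samples):
    """samples: list of (t_seconds, {port: ifOutOctets}) in time order.
    Returns {port: [bits/s for each interval]}."""
    rates = defaultdict(list)
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        for port in c1:
            if port in c0 and t1 > t0:
                rates[port].append(delta(c0[port], c1[port]) * 8 / (t1 - t0))
    return dict(rates)


def ports_to_shut(rates, threshold=THRESHOLD_BPS, strikes=STRIKES):
    """Ports whose last `strikes` intervals were all above the threshold.
    A one-interval spike is ignored; a wormed box flooding continuously is not."""
    return sorted(p for p, r in rates.items()
                  if len(r) >= strikes and all(x > threshold for x in r[-strikes:]))


# Constructed samples at 60 s intervals: port 3 is an infected customer box
# flooding outbound, port 5 wraps its counter while nearly idle, port 7 has
# a single burst that should not trigger a shutdown.
SAMPLES = [
    (0,   {3: 1_000_000,   5: 4_294_900_000, 7: 10_000}),
    (60,  {3: 200_000_000, 5: 4_294_960_000, 7: 200_000_000}),
    (120, {3: 400_000_000, 5: 100_000,       7: 200_100_000}),
    (180, {3: 600_000_000, 5: 200_000,       7: 200_200_000}),
]

if __name__ == "__main__":
    for port in ports_to_shut(egress_rates(SAMPLES)):
        # Hypothetical action: issue the switch's port-disable command here.
        print(f"port {port}: sustained egress above policy, disable and notify")
```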