On 2017-10-26 22:26:59 -0400 (-0400), Mohammed Naser wrote:
[...]
> The use-case for us is that it helps us easily identify or find VMs which
> we get any abuse reports for (or anything we see malicious traffic going
> to/from). We usually search for an *exact* match of the IP address as we
> are simply trying to perform a lookup of instance ID based on the IP
> address. Regex matching isn't important in our case.
[...]

Does it allow you to identify which instance had that IP address over a specific timeframe? One problem we encounter is that we get abuse reports forwarded from our service providers telling us that our instance with some particular IP address was performing port scans or participating in a denial of service attack, and invariably when we check our logs we did not have an instance with that IP address at the timeframe indicated by the original abuse reporter (we had an instance with that IP address at some point for an hour or two maybe, but not until days later when the abuse team went checking to see who was responsible, and yet they tend to just assume everyone has long-lived instances and that IP addresses don't bounce around from tenant to tenant with great frequency).

It seems like OpenStack could generally benefit from a mechanism for correlating abuse complaints to specific instances/tenants in a way that allows performing time-based lookups as well. Compute instances are ephemeral, so treating abuse complaints the same as you would in a dedicated hosting environment doesn't really work so well.

-- 
Jeremy Stanley
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
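
The time-based lookup discussed in the message above, sketched as an added example that is not part of the original thread and is not OpenStack code. The record layout, the `holders_at` name, the sample data and the five-minute clock-skew window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Constructed allocation history (assumed layout, not an OpenStack schema):
# (ip, instance_id, tenant_id, attached_at, detached_at); None = still attached.
HISTORY = [
    ("203.0.113.10", "inst-a", "tenant-1",
     "2017-10-20T10:00:00+00:00", "2017-10-20T11:30:00+00:00"),
    ("203.0.113.10", "inst-b", "tenant-2",
     "2017-10-24T08:00:00+00:00", "2017-10-24T09:00:00+00:00"),
    ("203.0.113.10", "inst-c", "tenant-3",
     "2017-10-24T09:02:00+00:00", None),
    ("203.0.113.11", "inst-d", "tenant-1",
     "2017-10-20T10:00:00+00:00", None),
]

FOREVER = datetime.max.replace(tzinfo=timezone.utc)


def _utc(ts):
    """Parse an ISO 8601 timestamp and normalise it to UTC."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        # An abuse report without a UTC offset cannot be matched reliably.
        raise ValueError("timestamp needs an explicit UTC offset: %r" % ts)
    return dt.astimezone(timezone.utc)


def holders_at(ip, reported, skew=timedelta(minutes=5)):
    """Return (instance, tenant) pairs that held `ip` around `reported`.

    An empty list means nobody here held the address at that time; more
    than one hit means the address changed hands inside the skew window
    and the report alone cannot attribute the traffic.
    """
    addr = ip_address(ip)  # exact match, also normalises the notation
    when = _utc(reported)
    lo, hi = when - skew, when + skew
    hits = []
    for rec_ip, instance, tenant, start, end in HISTORY:
        if ip_address(rec_ip) != addr:
            continue
        attached = _utc(start)
        detached = _utc(end) if end else FOREVER
        if attached <= hi and lo < detached:  # interval overlap test
            hits.append((instance, tenant))
    return hits
```

Matching on the current owner of the address alone would attribute all three reports below to `inst-c`, which is the misattribution the message describes.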
