On 05/18/2015 02:01 PM, Chris Friesen wrote:
> On 05/18/2015 09:54 AM, Rick Jones wrote:
>
>> Interestingly enough, what I've come across mostly (virtually
>> entirely) has been compromised instances being used in sending
>> spewage out onto the Big Bad Internet (tm).
>>
>> One thing I was thinking about to detect such instances was simply
>> looking at the ratio of inbound and outbound traffic on the
>> instances' tap device(s). Once it crossed a certain threshold
>> declare the instance suspect and in need of further scrutiny.
>
> Wouldn't that also catch things like streaming audio/video servers which
> would be mostly outbound traffic?

It might catch those using UDP. In my not-completely-fleshed-out, hand-waving scenario that would be part of the further scrutiny.

I guess I'm just hesitant to add more things on iptables, capable as it might be. Using iptables means still needing the linux bridge with OVS right? To implement the security groups in the first place. Seems there are cases where the veth pair joining linux bridge to OVS can re-order traffic :( http://www.spinics.net/lists/netdev/msg327867.html .

rick
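The ratio heuristic Rick describes, as an added example that is not part of the thread: it takes two /proc/net/dev-style snapshots (constructed here), computes the egress/ingress byte ratio per tap over the interval, and flags taps above a threshold. It assumes that on the hypervisor a tap's "Receive" counter is what the instance sent (its egress) and "Transmit" is what was delivered to it; the threshold, minimum volume and interface names are assumptions.

```python
"""Flag instance tap devices whose egress/ingress byte ratio over an interval
crosses a threshold, from two /proc/net/dev-style snapshots (constructed)."""

# Constructed snapshots in /proc/net/dev layout (two header lines, then one
# line per interface: name, then 8 receive and 8 transmit counters).
SNAPSHOT_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
tap1111: 1000000 8000 0 0 0 0 0 0 900000 7500 0 0 0 0 0 0
tap2222: 500000 4000 0 0 0 0 0 0 200000 1500 0 0 0 0 0 0
   eth0: 90000000 60000 0 0 0 0 0 0 80000000 50000 0 0 0 0 0 0
"""
SNAPSHOT_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
tap1111: 1400000 11000 0 0 0 0 0 0 1300000 10500 0 0 0 0 0 0
tap2222: 60500000 400000 0 0 0 0 0 0 250000 1800 0 0 0 0 0 0
   eth0: 150000000 100000 0 0 0 0 0 0 140000000 90000 0 0 0 0 0 0
"""

def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} for tap interfaces only."""
    counters = {}
    for line in text.splitlines()[2:]:          # skip the two header lines
        name, _, rest = line.partition(":")
        name = name.strip()
        if not name.startswith("tap"):
            continue
        fields = rest.split()
        counters[name] = (int(fields[0]), int(fields[8]))
    return counters

def suspect_taps(before, after, ratio_threshold=10.0, min_egress_bytes=10_000_000):
    """Return [(tap, egress_delta, ingress_delta, ratio)] for taps whose
    egress/ingress ratio over the interval exceeds ratio_threshold.
    min_egress_bytes keeps near-idle instances from being flagged on noise;
    a legitimately chatty server (streaming, large downloads) will still land
    here and needs the "further scrutiny" step the thread talks about."""
    suspects = []
    for tap, (rx1, tx1) in after.items():
        rx0, tx0 = before.get(tap, (0, 0))
        egress = rx1 - rx0            # assumption: tap RX == instance egress
        ingress = tx1 - tx0           # assumption: tap TX == instance ingress
        if egress < min_egress_bytes:
            continue
        ratio = egress / max(ingress, 1)
        if ratio > ratio_threshold:
            suspects.append((tap, egress, ingress, round(ratio, 1)))
    return suspects

if __name__ == "__main__":
    for s in suspect_taps(parse_proc_net_dev(SNAPSHOT_T0), parse_proc_net_dev(SNAPSHOT_T1)):
        print("suspect: %s egress=%d ingress=%d ratio=%.1f" % s)
```

Run it periodically against real snapshots of /proc/net/dev and feed flagged taps into whatever follow-up (flow sampling, port/protocol breakdown) you use for the scrutiny step.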

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev