On 05/18/2015 09:54 AM, Rick Jones wrote:
On 05/15/2015 08:32 PM, Gal Sagie wrote:
What I was describing in [2] is different; maybe the name "rate-limit"
is wrong here and what we are doing is more of
a "brute force prevention".
We are trying to solve common scenarios for east-west security attack
vectors, for example a common vector is a compromised
VM trying to port scan the network.
Interestingly enough, what I've come across mostly (virtually entirely) has been
compromised instances being used in sending spewage out onto the Big Bad
Internet (tm).
One thing I was thinking about to detect such instances was simply looking at
the ratio of inbound and outbound traffic on the instances' tap device(s). Once
it crossed a certain threshold declare the instance suspect and in need of
further scrutiny.
Wouldn't that also catch things like streaming audio/video servers which would
be mostly outbound traffic?
Chris
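The heuristic Rick sketches (outbound-to-inbound byte ratio per tap device, threshold, flag for scrutiny) and the false positive Chris raises (outbound-heavy streaming servers) are both easy to make concrete. The following is example code added to this thread, not OpenStack or Neutron code; the instance names, counter values and the `exempt` allow-list are constructed assumptions. One detail worth a comment: on a compute host, bytes the tap interface *receives* are what the VM *sends*, so the VM's outbound volume is the tap's `rx_bytes`.

```python
"""Outbound/inbound traffic-ratio heuristic for flagging instances that
are spewing traffic out, as discussed in the thread.  Example code added
here; not OpenStack code.  All counter values below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TapCounters:
    instance: str
    rx_bytes: int  # tap received from the VM  == VM outbound traffic
    tx_bytes: int  # tap sent to the VM        == VM inbound traffic


def interval_delta(before: TapCounters, after: TapCounters) -> TapCounters:
    """Kernel interface counters (e.g. /sys/class/net/<tap>/statistics/
    rx_bytes, tx_bytes) are cumulative, so the heuristic must run on the
    difference between two snapshots, not on the raw totals."""
    if before.instance != after.instance:
        raise ValueError("snapshots belong to different instances")
    return TapCounters(after.instance,
                       after.rx_bytes - before.rx_bytes,
                       after.tx_bytes - before.tx_bytes)


def outbound_ratio(c: TapCounters) -> float:
    """Outbound bytes per inbound byte over the interval.  An instance that
    received nothing but sent something gets +inf."""
    if c.tx_bytes == 0:
        return float("inf")
    return c.rx_bytes / c.tx_bytes


def suspects(counters, threshold=20.0, min_outbound=1_000_000,
             exempt=frozenset()):
    """Names of instances whose ratio crosses `threshold` in one interval.

    `min_outbound` is a volume floor so that a nearly idle VM (a few ARP or
    DHCP frames and nothing inbound) does not show up as an infinite ratio.
    `exempt` is an assumed allow-list for roles known to be outbound-heavy,
    which is the streaming-server false positive raised in the thread; a
    production version would key this off instance metadata or tags."""
    return sorted(
        c.instance for c in counters
        if c.instance not in exempt
        and c.rx_bytes >= min_outbound
        and outbound_ratio(c) >= threshold
    )


# Constructed per-interval samples (already differenced with interval_delta).
SAMPLE = [
    TapCounters("web-01",     rx_bytes=4_000_000,   tx_bytes=1_000_000),   # ratio 4
    TapCounters("spammer-07", rx_bytes=900_000_000, tx_bytes=3_000_000),   # ratio 300
    TapCounters("video-03",   rx_bytes=600_000_000, tx_bytes=2_000_000),   # ratio 300, legitimate
    TapCounters("db-02",      rx_bytes=50_000_000,  tx_bytes=200_000_000), # ratio 0.25
    TapCounters("quiet-01",   rx_bytes=10_000,      tx_bytes=0),           # inf, below floor
]

if __name__ == "__main__":
    # The plain ratio flags the streaming server alongside the spewing VM.
    print(suspects(SAMPLE))
    # With the outbound-heavy role exempted only the real suspect remains.
    print(suspects(SAMPLE, exempt=frozenset({"video-03"})))
```

The threshold and floor are placeholders; in practice both would be tuned per deployment, and a hit is only a trigger for a closer look (connection fan-out, destination ports), not an automatic quarantine, which is what "in need of further scrutiny" in Rick's message amounts to.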
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev