[89028] in North American Network Operators' Group


Re: Quarantine your infected users spreading malware

daemon@ATHENA.MIT.EDU (David Nolan)
Wed Mar 1 09:51:03 2006

Date: Wed, 01 Mar 2006 09:50:34 -0500
From: David Nolan <vitroth+@cmu.edu>
To: nanog@merit.edu
In-Reply-To: <4405A789.1070903@brightok.net>
Errors-To: owner-nanog@merit.edu

--On Wednesday, March 01, 2006 07:54:17 -0600 Jack Bates 
<jbates@brightok.net> wrote:

> David Nolan wrote:
> <snip>
>>
>> (*): For anyone who doesn't know, URPF is essentially a way to do
>> automatic acls, comparing the source IP of an incoming packet to the
>> routing table to verify the packet should have come from this
>> interface.  With the right hardware this is significantly cheaper than
>> acl processing.  And it's certainly easier to maintain.  And by injecting
>> a /32 null route into the route table you can cause a host's local
>> router to start discarding all traffic from that IP.
>>
> <snip sig>
>
> Yeah, but it's not near as fun as dynamic acls updated via a script
> monitoring flow logs in real-time. It's definitely easier to implement,
> though.

Interesting...  That's actually basically what we were doing before, but 
phased out in favor of the URPF & host routes approach.  We felt the URPF 
approach was much cleaner, and more efficient.  A routing table lookup is 
more efficient than acl processing, particularly if you have significant 
numbers of rou and solved some problems we were having.  It also solved 
some issues we had, including keeping dynamic acls synchronized between two 
redundant routers (HSRP pairs and/or redundant border routers).

-David
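As an added illustration (not part of the list post, and not any vendor's implementation), the following Python model shows the mechanism the thread describes: a strict-mode uRPF check compares a packet's source address against the routing table's longest-prefix match and drops it when the best route does not point back out the ingress interface, and injecting a /32 route to the discard interface makes that same lookup drop every packet sourced from the quarantined host. Loose mode is included for contrast. The routing table, interface names and addresses are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

NULL_IFACE = "null0"  # discard interface, as on most routers


class Rib:
    """Minimal routing table with longest-prefix-match lookup (example only)."""

    def __init__(self, routes: List[Tuple[str, str]]) -> None:
        # Each entry is (prefix, egress interface); a /32 toward null0 is a quarantine.
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, ip: str) -> Optional[str]:
        """Return the egress interface of the most specific matching route."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def add_null_route(self, host: str) -> None:
        """Quarantine a host: a /32 pointing at null0 wins every longest-prefix match."""
        self.routes.append((ipaddress.ip_network(host + "/32"), NULL_IFACE))

    def remove_null_route(self, host: str) -> None:
        """Lift the quarantine by withdrawing the /32 discard route."""
        target = ipaddress.ip_network(host + "/32")
        self.routes = [(n, i) for n, i in self.routes
                       if not (n == target and i == NULL_IFACE)]


def urpf_check(rib: Rib, src_ip: str, ingress_iface: str, mode: str = "strict") -> str:
    """Model of a uRPF decision for one packet.

    strict: the best route to the source must exit via the ingress interface.
    loose:  any non-discard route to the source suffices.
    Returns "forward" or a "drop-..." reason.
    """
    egress = rib.lookup(src_ip)
    if egress is None:
        # No route at all: with a real default route present this case disappears,
        # which is why loose mode with a default route is nearly a no-op.
        return "drop-no-route"
    if egress == NULL_IFACE:
        return "drop-null-route"          # quarantined host
    if mode == "strict" and egress != ingress_iface:
        return "drop-wrong-interface"     # source not reachable via this port
    return "forward"


def quarantine_demo() -> List[str]:
    """Walk one host through normal traffic, quarantine, and release."""
    rib = Rib([
        ("10.1.0.0/24", "eth1"),    # constructed customer LAN behind eth1
        ("192.0.2.0/24", "eth0"),   # constructed upstream-facing prefix
    ])
    results = [urpf_check(rib, "10.1.0.5", "eth1")]        # legitimate
    results.append(urpf_check(rib, "10.1.0.5", "eth0"))    # arrives on wrong port
    rib.add_null_route("10.1.0.5")                         # quarantine the host
    results.append(urpf_check(rib, "10.1.0.5", "eth1"))    # now discarded
    results.append(urpf_check(rib, "10.1.0.6", "eth1"))    # neighbour unaffected
    rib.remove_null_route("10.1.0.5")                      # release
    results.append(urpf_check(rib, "10.1.0.5", "eth1"))
    return results


if __name__ == "__main__":
    for step, verdict in zip(["normal", "spoofed", "quarantined",
                              "neighbour", "released"], quarantine_demo()):
        print(f"{step:12s} -> {verdict}")
```

Because the drop is a consequence of the routing table rather than a per-host ACL entry, any router that learns the /32 (for instance through the IGP, or a redistributed static route on both members of an HSRP pair) enforces the same quarantine without a separate synchronisation step, which is the operational point David makes above.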

