Quarantine your infected users spreading malware

Jack Bates jbates at brightok.net
Wed Mar 1 13:54:17 UTC 2006



David Nolan wrote:
<snip>
> 
> (*): For anyone who doesn't know, URPF is essentially a way to do 
> automatic acls, comparing the source IP of on an incoming packet to the 
> routing table to verify the packet should have come from this 
> interface.  With the right hardware this is significantly cheaper then 
> acl processing.  And its certainly easier to maintain.  And by injecting 
> a /32 null route into the route table you can cause a host's local 
> router to start discarding all traffic from that IP.
> 
<snip sig>

Yeah, but it's not near as fun as dynamic acls updated via a script 
monitoring flow logs in real-time. It's definitely easier to implement, 
though.

For people utilizing RBE/dhcp combo on Cisco routers, it is also 
possible to just remove the /32 route that was dynamically created which 
will kill traffic until the customer requests dhcp again, which will by 
that time place them in the quarantine. One advantage to temp route 
removal is that it requires no cleanup. Just make sure you don't wipe 
out your permanent static routes.

-Jack



More information about the NANOG mailing list