Quarantine your infected users spreading malware

Bill Nash billn at odyssey.billn.net
Wed Mar 1 15:25:18 UTC 2006

On Wed, 1 Mar 2006, David Nolan wrote:

>> Yeah, but it's not near as fun as dynamic acls updated via a script
>> monitoring flow logs in real-time. It's definitely easier to implement,
>> though.
> Interesting...  Thats actually basically what we were doing before, but 
> phased out in favor of the URPF & host routes approach.  We felt the URPF 
> approach was much cleaner, and more efficient.  A routing table lookup is 
> more efficient then a acl processing, particulary if you have significant 
> numbers of rou and solved some problems we were having.  It also solved some 
> issues we had, including keeping dynamic acls synchronized betwen two 
> redundant routers (HSRP pairs and/or redundant border routers).

I think when he said fun, he meant 'masochistic and nerve wracking, in a 
vaguely entertaining because we have scripts issuing and removing ACLs 
from our routing core kind of way.' I've built reactive firewalls before, 
but even I'd be leery of a reactive ACL implementation. /32 null route 
injection is far far easier to manage. =)

- billn

More information about the NANOG mailing list