quietly....

Jack Bates jbates at brightok.net
Sat Feb 5 01:04:01 CST 2011


On 2/4/2011 9:25 PM, George Bonser wrote:
> Maybe because it is just easier to do a transparent redirect to the ISPs
> mail server and look for patterns there.

Analyzing flows generally isn't any more difficult than analyzing mail 
log patterns. It doesn't have the queue and check mechanism of a 
transparent redirect, but transparent redirects break certain types of 
mail connections as well. It is good practice for an ISP to run flow 
analysis anyways to detect bad traffic patterns.

What I really want and haven't had time to write is a good procedure 
that establishes dynamic policies for flow pattern matches which causes 
the suspect packets to start tag switching to an analysis server where 
it is closer examined before actual filters are updated.

I'd really like to see standards developed which router vendors 
supported to make such dynamic policies easier to update, along with the 
filters themselves. Perhaps we'll see it after more pressing IPv6 
concerns are addressed.


Jack




More information about the NANOG mailing list