jbates at brightok.net
Sat Feb 5 01:04:01 CST 2011
On 2/4/2011 9:25 PM, George Bonser wrote:
> Maybe because it is just easier to do a transparent redirect to the ISPs
> mail server and look for patterns there.
Analyzing flows generally isn't any more difficult than analyzing mail
log patterns. It doesn't have the queue and check mechanism of a
transparent redirect, but transparent redirects break certain types of
mail connections as well. It is good practice for an ISP to run flow
analysis anyway to detect bad traffic patterns.
What I really want and haven't had time to write is a good procedure
that establishes dynamic policies for flow pattern matches, which cause
the suspect packets to start tag switching to an analysis server, where
they are examined more closely before actual filters are updated.
I'd really like to see standards developed, which router vendors
support, to make such dynamic policies easier to update, along with the
filters themselves. Perhaps we'll see it after more pressing IPv6
concerns are addressed.
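As an added illustration of the flow-analysis approach argued for above (example code, not part of the original post or any NANOG member's tooling), the following pure-Python snippet scores per-source SMTP fan-out from flow records and maps it to the two-stage policy the poster describes: divert suspect sources to an analysis server first, and only then decide on filters. The flow records, thresholds and action names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records: (src_ip, dst_ip, dst_port, packets).
# 10.0.0.5 talks to many distinct SMTP hosts directly (spambot-like fan-out);
# 10.0.0.9 submits through a single relay; 10.0.0.7 sends no SMTP at all.
FLOWS = [
    ("10.0.0.5", "198.51.100.10", 25, 12),
    ("10.0.0.5", "198.51.100.11", 25, 9),
    ("10.0.0.5", "203.0.113.7", 25, 8),
    ("10.0.0.5", "203.0.113.9", 25, 7),
    ("10.0.0.5", "192.0.2.4", 25, 10),
    ("10.0.0.5", "192.0.2.5", 25, 11),
    ("10.0.0.9", "198.51.100.10", 25, 40),
    ("10.0.0.9", "192.0.2.80", 443, 300),
    ("10.0.0.7", "192.0.2.81", 443, 120),
    ("10.0.0.7", "192.0.2.82", 80, 60),
]

SMTP_PORT = 25
# Hypothetical threshold: distinct SMTP peers per source in one export window
# above which traffic is steered to the analysis server rather than filtered.
FANOUT_ANALYZE = 4


def smtp_fanout(flows):
    """Return {src_ip: number of distinct destination hosts contacted on TCP/25}."""
    peers = defaultdict(set)
    for src, dst, dport, _pkts in flows:
        if dport == SMTP_PORT:
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}


def policy_for(fanout):
    """Dynamic-policy decision for one source based on its SMTP fan-out.

    'divert-to-analysis' stands for the tag-switching step in the post: the
    packets are redirected for closer inspection, not dropped. Updating the
    actual filter is left to the result of that analysis, not to this match.
    """
    return "divert-to-analysis" if fanout >= FANOUT_ANALYZE else "allow"


def evaluate(flows):
    """Produce the per-source policy table for one window of flow records."""
    return {src: policy_for(n) for src, n in smtp_fanout(flows).items()}


if __name__ == "__main__":
    for src, action in sorted(evaluate(FLOWS).items()):
        print(f"{src:12} smtp_peers={smtp_fanout(FLOWS)[src]:3} -> {action}")
```

Sources with no SMTP flows at all do not appear in the table; in a real exporter the window would be bounded by flow timestamps rather than by the whole sample.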