[openstack-dev] [neutron] Neutron API rate limiting

Chris Friesen chris.friesen at windriver.com
Mon May 18 21:01:01 UTC 2015


On 05/18/2015 09:54 AM, Rick Jones wrote:
> On 05/15/2015 08:32 PM, Gal Sagie wrote:
>> What I was describing in [2] is different; maybe the name "rate-limit"
>> is wrong here and what we are doing is more of
>> a "brute force prevention".
>> We are trying to solve common scenarios for east-west security attack
>> vectors; for example, a common vector is a compromised
>> VM trying to port scan the network.
>
> Interestingly enough, what I've come across mostly (virtually entirely) has been
> compromised instances being used in sending spewage out onto the Big Bad
> Internet (tm).
>
> One thing I was thinking about to detect such instances was simply looking at
> the ratio of inbound and outbound traffic on the instances' tap device(s).  Once
> it crossed a certain threshold declare the instance suspect and in need of
> further scrutiny.

Wouldn't that also catch things like streaming audio/video servers, which would
be mostly outbound traffic?

Chris
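The inbound/outbound ratio heuristic from the quoted message, together with the streaming-server false positive raised in the reply, as an added example that is not code from the thread or from Neutron; the tap names, counter values and the `exempt` set are assumptions.

```python
"""Inbound/outbound ratio heuristic over constructed tap-device counters.

Added example, not code from the thread or from Neutron; tap names, sample
values and the 'exempt' set are assumptions. On a tap device the host's RX
counter is the instance's outbound traffic and its TX counter the inbound.
"""

# Constructed snapshots: tap -> (rx_bytes, tx_bytes) at the start and end of one interval.
SNAPSHOT_T0 = {
    "tap-web":    (1_000_000, 1_200_000),
    "tap-spewer": (5_000_000,   100_000),
    "tap-stream": (9_000_000,   150_000),
    "tap-idle":   (   40_000,    40_000),
}
SNAPSHOT_T1 = {
    "tap-web":    ( 1_600_000, 1_900_000),  # 600 KB out, 700 KB in: balanced
    "tap-spewer": (45_000_000,   120_000),  # 40 MB out, 20 KB in: spewing
    "tap-stream": (89_000_000,   190_000),  # 80 MB out, 40 KB in: streaming
    "tap-idle":   (    40_500,    40_200),  # too little traffic to judge
}

MIN_BYTES = 1_000_000  # ignore taps that moved less than this in the interval
THRESHOLD = 0.95       # outbound share at or above which a tap is suspect


def outbound_share(before, after):
    """Fraction of the interval's bytes that left the instance; None if idle."""
    out = after[0] - before[0]  # tap RX delta == instance outbound
    inb = after[1] - before[1]  # tap TX delta == instance inbound
    total = out + inb
    return None if total < MIN_BYTES else out / total


def classify(t0, t1, threshold=THRESHOLD, exempt=frozenset()):
    """Label each tap 'suspect', 'ok', 'idle' or 'exempt'. 'exempt' is an
    assumed operator-maintained set of outbound-heavy workloads (streaming
    servers), the false positive raised in the reply above."""
    verdicts = {}
    for tap, before in t0.items():
        if tap in exempt:
            verdicts[tap] = "exempt"
            continue
        share = outbound_share(before, t1[tap])
        if share is None:
            verdicts[tap] = "idle"
        else:
            verdicts[tap] = "suspect" if share >= threshold else "ok"
    return verdicts
```

Without the exempt set the streaming server is flagged exactly like the spewing instance, which is the objection in the reply; `classify(SNAPSHOT_T0, SNAPSHOT_T1, exempt={"tap-stream"})` shows the operator-maintained exception.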
