[openstack-dev] [neutron] Neutron API rate limiting
Rick Jones
rick.jones2 at hp.com
Mon May 18 21:33:05 UTC 2015
On 05/18/2015 02:01 PM, Chris Friesen wrote:
> On 05/18/2015 09:54 AM, Rick Jones wrote:
>> Interestingly enough, what I've come across mostly (virtually
>> entirely) has been compromised instances being used in sending
>> spewage out onto the Big Bad Internet (tm).
>>
>> One thing I was thinking about to detect such instances was simply
>> looking at the ratio of inbound and outbound traffic on the
>> instances' tap device(s). Once it crossed a certain threshold
>> declare the instance suspect and in need of further scrutiny.
>
> Wouldn't that also catch things like streaming audio/video servers which
> would be mostly outbound traffic?
It might catch those using UDP. In my not-completely-fleshed-out,
hand-waving scenario that would be part of the further scrutiny.
I guess I'm just hesitant to add more things on iptables, capable as it
might be. Using iptables means still needing the linux bridge with OVS
right? To implement the security groups in the first place. Seems
there are cases where the veth pair joining linux bridge to OVS can
re-order traffic :( http://www.spinics.net/lists/netdev/msg327867.html .
rick
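An added example (not from this thread or from Neutron) of the inbound/outbound ratio check Rick sketches above, written against /proc/net/dev-style counters for the instances' tap devices; the two snapshots, tap names and thresholds are constructed.

```python
import math
import re
# Constructed /proc/net/dev snapshots (not real data). After the "iface:" prefix,
# field 0 is RX bytes and field 8 is TX bytes. Two snapshots, so the ratio is
# taken over an interval rather than over lifetime counters.
SNAPSHOT_T0 = """\
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0:    1000      10    0    0    0     0          0         0     2000      10    0    0    0     0       0          0
tapaaaa0001: 1000000    1000    0    0    0     0          0         0  1000000    1000    0    0    0     0       0          0
tapbbbb0002:  500000     500    0    0    0     0          0         0   600000     600    0    0    0     0       0          0
tapcccc0003:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
"""
SNAPSHOT_T1 = """\
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0:    2000      20    0    0    0     0          0         0   900000      20    0    0    0     0       0          0
tapaaaa0001: 1100000    2000    0    0    0     0          0         0 101000000  900000    0    0    0     0       0          0
tapbbbb0002:  600000     600    0    0    0     0          0         0   720000     720    0    0    0     0       0          0
tapcccc0003:       0       0    0    0    0     0          0         0  4194304    3000    0    0    0     0       0          0
"""

IFACE_LINE = re.compile(r"^\s*(\S+):\s*(.*)$")

def parse_proc_net_dev(text, prefix="tap"):
    """Return {iface: (rx_bytes, tx_bytes)} for interfaces whose name starts with prefix."""
    counters = {}
    for line in text.splitlines():
        m = IFACE_LINE.match(line)
        if m and m.group(1).startswith(prefix):
            fields = m.group(2).split()
            counters[m.group(1)] = (int(fields[0]), int(fields[8]))
    return counters

def interval_deltas(before, after):
    """Per-interface (rx, tx) byte deltas; taps present in only one snapshot are dropped."""
    return {i: (after[i][0] - before[i][0], after[i][1] - before[i][1])
            for i in after if i in before}

def suspect_taps(deltas, ratio_threshold=10.0, min_tx_bytes=1 << 20):
    """Taps whose outbound/inbound byte ratio over the interval is at least
    ratio_threshold, most lopsided first. min_tx_bytes keeps a near-idle instance
    (a little ARP/DHCP out, nothing in) from being flagged. The result is a list
    for further scrutiny, not a verdict: a streaming server looks like this too."""
    suspects = []
    for iface, (rx, tx) in deltas.items():
        if tx < min_tx_bytes:
            continue
        ratio = math.inf if rx == 0 else tx / rx
        if ratio >= ratio_threshold:
            suspects.append((iface, ratio))
    return sorted(suspects, key=lambda s: s[1], reverse=True)
```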