[openstack-dev] [nova][neutron] How do you use the instance IP filter?

Jeremy Stanley fungi at yuggoth.org
Fri Oct 27 16:48:46 UTC 2017

On 2017-10-26 22:26:59 -0400 (-0400), Mohammed Naser wrote:
> The use-case for us is that it helps us easily identify or find VMs which
> we get any abuse reports for (or anything we see malicious traffic going
> to/from).  We usually search for an *exact* match of the IP address as we
> are simply trying to perform a lookup of instance ID based on the IP
> address.  Regex matching isn't important in our case.

Does it allow you to identify which instance had that IP address
over a specific timeframe? One problem we encounter is that we get
abuse reports forwarded from our service providers telling us that
our instance with some particular IP address was performing port
scans or participating in a denial of service attack, and invariably
when we check our logs we did not have an instance with that IP
address at the timeframe indicated by the original abuse reporter
(we had an instance with that IP address at some point for an hour
or two maybe, but not until days later when the abuse team went
checking to see who was responsible, and yet they tend to just
assume everyone has long-lived instances and that IP addresses don't
bounce around from tenant to tenant with great frequency).

It seems like OpenStack could generally benefit from a mechanism for
correlating abuse complaints to specific instances/tenants in a way
that allows performing time-based lookups as well. Compute instances
are ephemeral, so treating abuse complaints the same as you would in
a dedicated hosting environment doesn't really work so well.
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: Digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20171027/7b4cae69/attachment.sig>

More information about the OpenStack-dev mailing list