[unisog] Blocking inbound Internet traffic

Arnold, Jamie harnold at binghamton.edu
Fri May 9 18:20:50 GMT 2003


That's where our packetshaper comes in.  We don't rate limit by traffic
class, rather using a QOS type strategy.  The ports that get shut down are
extreme offenders (Slammer, etc.)


-----Original Message-----
From: Johan M. Andersen [mailto:johan at columbia.edu] 
Sent: Friday, May 09, 2003 9:01 AM
To: Arnold, Jamie
Cc: unisog at sans.org

> We're doing something similar in that we shut down the port of the
> offender.
> This triggers another process that then pages us to alert that the 
> port is down.  I like the idea of not shutting the port down and 
> instead rate limiting it.

On average, we have between 60 and 80 IPs rate limited at a time. I'd
prefer not to be paged that much :) Another plus is that while a person is
in the penalty box, their average internet use (i.e., browsing the web,
reading email) is relatively unimpeded (when testing with our own
workstations, there were no ill effects unless you tried to do something
like send a big attachment through Yahoo, or similar).

/johan


