On Sep 26, 2016, at 7:58 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Mon, Sep 26, 2016 at 7:49 PM, Mark Andrews <marka@isc.org> wrote:
Giving them real time access to the anomalous traffic log feed for their residence would also help. They or the specialist they bring in will be able to use that to trace back the problem.
wouldn't this work better as a standard bit of CPE software capability? wouldn't something as simple as netflow/sflow/ipfix synthesized on the CPE and kept for ~30mins (just guessing) in a circular buffer be 'good enough' to present a pretty clear UI to the user?
ip/mac/vendor sending (webtraffic|email|probes) to destination-name [checkbox] <repeat>
select those youd' like to block [clickhere]
This really doesn't seem hard, to present in a fairly straight forward manner... sure 'all cpe' (or 'a bunch of cpe') have to adopt something similar to this approach... but on the other hand: "At least my ISP isn't snooping on all my traffic"
The UBNT Edgerouter series has this. You can get fancy graphs and application breakdown. Scroll down and check the images: https://help.ubnt.com/hc/en-us/articles/204951104-EdgeMAX-Deep-Packet-Inspec... You can see the hosts that are doing traffic and the destinations. They even have a model that takes a SFP so you can use it as CPE for FTTH. - Jared