EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)

Nathan Ward nanog at daork.net
Mon Jun 23 01:24:55 CDT 2008


On 23/06/2008, at 6:14 PM, Stephen Satchell wrote:
> PHP, Perl, Python all provide the ability to generate Socket  
> connections via TCP and UDP.  At the Web hosting company I used to  
> work at, they ran a "mostly open" policy when it came to outbound  
> connections.  This was particularly true of co-located-equipment and  
> leased-equipment customers, much more so than the shared-equipment  
> accounts.
>
> When I monitored traffic, I found that the most common port for  
> outgoing TCP connections was on port 80.  Investigation of TCP  
> port-22 outbound traffic showed that most of that traffic was SCP  
> and tunneled RSYNC traffic to single locations.
>
> We found our share of bad apples, such as the the guy who set up a  
> tunnel between a leased server and his location in Texas, for the  
> purpose of running a spammer Web site with the payload coming to the  
> Web host's IP addresses instead of the spammer operators' addresses.
>
> Of more interest to me, though, was the monitoring of traffic on our  
> currently unallocated IP addresses; *lots* of woodpeckering on a  
> wide variety of ports.  The reason I originally set up a server that  
> would accept packets from all currently-unused IP addresses was to  
> minimize the ARP flooding that occurred when someone would hammer on  
> an IP address that wasn't in use.  Once that was in place, it was a  
> trivial matter to monitor abusive traffic and add to the local  
> access control list as necessary when requests to the network  
> operators of the source of abusive traffic would not take steps to  
> remove the people who were not RFC 1855-compliant.
>
> The default server's logs proved to be an excellent way for us to  
> detect compromised on-site dedicated servers, particularly those  
> servers infected with mal-ware designed to "probe the immediate  
> neighborhood" first.


Yep, darknets are a common way to detect that sort of thing, there's  
quite a few papers on them.

I'd be pretty worried if my colo provider was limiting what I could do  
- but it seems silly to let your average web hosting customer (i.e.  
$10/mo php+mysql service) open outgoing TCP sessions to ports other  
than 80 and 443. I'm sure there are exceptions to the rule, and they  
should be exactly that - exceptions.

--
Nathan Ward








More information about the NANOG mailing list