EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Mon Jun 23 16:55:03 UTC 2008


On Mon, 23 Jun 2008 11:38:16 EDT, William Herrin said:

> Concur. From an address-reputation perspective EC2 is no different
> than, say, China. Connections from China start life much closer to my
> filtering threshold than connections from Europe because a far lower
> percentage of the connections from China are legitimate. EC2 will get
> the same treatment. As that starts to impact Amazon's ability to
> maintain and grow the service, they'll do something about it. Or let
> it wither. Either way, address reputation solves my problem.

No, it only solves your problem *if* you can compute a trustable reputation for
each address.  For instance, "connections from China" loses if another /12
shows up in the routing table and isn't correctly tagged as "China".  And
this fails the other way too - I remember a *lot* of providers were blocking
a /8 or so because it was "China", and didn't know that a chunk of that /8
was in fact Australia.  Similarly, you lose if EC2 deploys another /16 and
you don't pick up on it.

There's a *reason* that Marcus Ranum listed "Trying to enumerate badness"
as one of the 6 stupidest ideas in computer security....
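
The two failure modes described in the reply above, sketched as an added example that is not part of the original post: a prefix-tagged reputation feed is checked against later ground truth, showing a coarse /8 tag that over-matches a differently located sub-block and a newly deployed /16 that the feed never picked up. All prefixes, tags, scores and function names are constructed assumptions; private address ranges stand in for real allocations.

```python
import ipaddress

# Constructed reputation feed: (prefix, tag, score). Private ranges stand in
# for real allocations; none of these values come from the original post.
FEED_AT_T0 = [
    ("10.0.0.0/8", "region-A", 80),     # coarse tag covering a whole /8
    ("172.16.0.0/16", "cloud-X", 70),   # the provider's only known range
]
# Constructed ground truth at a later time: part of the /8 belongs to another
# region, and the provider has deployed a second /16.
TRUTH_AT_T1 = [
    ("10.0.0.0/8", "region-A"),
    ("10.64.0.0/12", "region-B"),
    ("172.16.0.0/16", "cloud-X"),
    ("172.17.0.0/16", "cloud-X"),
]
DEFAULT_SCORE = 10  # score an address gets when no feed prefix covers it
THRESHOLD = 50      # connections scoring at or above this are filtered

def longest_match(table, addr):
    """Return the most specific entry covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [e for e in table if ip in ipaddress.ip_network(e[0])]
    return max(hits, key=lambda e: ipaddress.ip_network(e[0]).prefixlen,
               default=None)

def score(addr, feed=FEED_AT_T0):
    """Reputation score the stale feed assigns to addr."""
    hit = longest_match(feed, addr)
    return hit[2] if hit else DEFAULT_SCORE

def audit(addr, feed=FEED_AT_T0, truth=TRUTH_AT_T1):
    """Compare the feed's tag for addr with ground truth."""
    f, t = longest_match(feed, addr), longest_match(truth, addr)
    feed_tag = f[1] if f else None
    true_tag = t[1] if t else None
    if feed_tag == true_tag:
        return "ok"
    # No feed entry at all: the new range was never picked up.
    return "missed" if feed_tag is None else "mis-tagged"

def audit_all(addrs):
    """Map each address to (score, audit verdict)."""
    return {a: (score(a), audit(a)) for a in addrs}

if __name__ == "__main__":
    sample = ["10.1.2.3", "10.70.0.9", "172.16.5.5", "172.17.5.5"]
    for addr, result in audit_all(sample).items():
        print(addr, result)
```

Running the same audit on a schedule against current routing and allocation data is one way to measure how far a prefix feed has drifted before its scores are trusted.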
