EC2 and GAE means end of ip address reputation industry? (Re:Intrustion attempts from Amazon EC2 IPs)
Tomas L. Byrnes
tomb at byrneit.net
Mon Jun 23 17:13:20 UTC 2008
Just because something doesn't solve all your problems doesn't mean it
has no value. Anything that can reduce the amount of inspection you have
to do @ content, and filters out the gross cruft, buys you additional
network and systems capacity, using what you have now (firewall, mail
relay). This is a good thing in a real-world network, and goes straight
to the bottom line in reduced opex and capex.
The process of detecting and blocking bad actors, for networks that have
to allow access to/from anywhere, is better than doing nothing.
Marcus also likes to light hay bales on fire. Methinks for the same
reason he makes inflammatory statements: It gets people talking and
thinking, which is a good thing.
> -----Original Message-----
> From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu]
> Sent: Monday, June 23, 2008 9:55 AM
> To: William Herrin
> Cc: Paul Vixie; nanog at merit.edu
> Subject: Re: EC2 and GAE means end of ip address reputation
> industry? (Re:Intrustion attempts from Amazon EC2 IPs)
>
> On Mon, 23 Jun 2008 11:38:16 EDT, William Herrin said:
>
> > Concur. From an address-reputation perspective EC2 is no different
> > than, say, China. Connections from China start life much
> closer to my
> > filtering threshold that connections from Europe because a
> far lower
> > percentage of the connections from China are legitimate.
> EC2 will get
> > the same treatment. As that starts to impact Amazon's ability to
> > maintain and grow the service, they'll do something about
> it. Or let
> > it wither. Either way, address reputation solves my problem.
>
> No, it only solves your problem *if* you can compute a
> trustable reputation for each address. For instance,
> "connections from China" loses if another /12 shows up in the
> routing table and isn't correctly tagged as "China". And
> this fails the other way too - I remember a *lot* of
> providers were blocking a /8 or so because it was "China",
> and didn't know that a chunk of that /8 was in fact
> Australia. Similarly, you lose if EC2 deploys another /16
> and you don't pick up on it.
>
> There's a *reason* that Marcus Ranum listed "Trying to
> enumerate badness"
> as one of the 6 stupidest ideas in computer security....
>
>
More information about the NANOG
mailing list