EC2 and GAE means end of ip address reputation industry? (Re: Intrusion attempts from Amazon EC2 IPs)
Nathan Ward
nanog at daork.net
Mon Jun 23 06:24:55 UTC 2008
On 23/06/2008, at 6:14 PM, Stephen Satchell wrote:
> PHP, Perl, Python all provide the ability to generate Socket
> connections via TCP and UDP. At the Web hosting company I used to
> work at, they ran a "mostly open" policy when it came to outbound
> connections. This was particularly true of co-located-equipment and
> leased-equipment customers, much more so than the shared-equipment
> accounts.
>
> When I monitored traffic, I found that the most common port for
> outgoing TCP connections was on port 80. Investigation of TCP
> port-22 outbound traffic showed that most of that traffic was SCP
> and tunneled RSYNC traffic to single locations.
>
> We found our share of bad apples, such as the guy who set up a
> tunnel between a leased server and his location in Texas, for the
> purpose of running a spammer Web site with the payload coming to the
> Web host's IP addresses instead of the spammer operators' addresses.
>
> Of more interest to me, though, was the monitoring of traffic on our
> currently unallocated IP addresses; *lots* of woodpeckering on a
> wide variety of ports. The reason I originally set up a server that
> would accept packets from all currently-unused IP addresses was to
> minimize the ARP flooding that occurred when someone would hammer on
> an IP address that wasn't in use. Once that was in place, it was a
> trivial matter to monitor abusive traffic and add to the local
> access control list as necessary when requests to the network
> operators of the source of abusive traffic would not take steps to
> remove the people who were not RFC 1855-compliant.
>
> The default server's logs proved to be an excellent way for us to
> detect compromised on-site dedicated servers, particularly those
> servers infected with mal-ware designed to "probe the immediate
> neighborhood" first.
Yep, darknets are a common way to detect that sort of thing; there are
quite a few papers on them.
I'd be pretty worried if my colo provider was limiting what I could do
- but it seems silly to let your average web hosting customer (i.e.
$10/mo php+mysql service) open outgoing TCP sessions to ports other
than 80 and 443. I'm sure there are exceptions to the rule, and they
should be exactly that - exceptions.
--
Nathan Ward
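The darknet monitoring Stephen describes (a default server answering for every unallocated address in the hosting block, with its logs used to spot on-site servers probing their neighbourhood) is easy to turn into a small detector. The code below is an added example, not from the thread: it assumes a hypothetical 192.0.2.0/24 hosting block, a constructed flow-log format, and a constructed allocation list.

```python
import ipaddress
from collections import defaultdict

# Hypothetical hosting block and the addresses actually handed to customers.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
ALLOCATED = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11", "192.0.2.50")}

# Constructed records from the default server: "<time> <proto> <src:port> -> <dst:port>".
SAMPLE_LOG = """\
2008-06-23T06:01:02 TCP 192.0.2.50:41234 -> 192.0.2.12:22
2008-06-23T06:01:02 TCP 192.0.2.50:41235 -> 192.0.2.13:22
2008-06-23T06:01:03 TCP 192.0.2.50:41236 -> 192.0.2.14:22
2008-06-23T06:01:03 TCP 192.0.2.50:41237 -> 192.0.2.15:22
2008-06-23T06:01:10 TCP 198.51.100.7:55000 -> 192.0.2.200:445
2008-06-23T06:01:11 TCP 198.51.100.7:55001 -> 192.0.2.201:445
2008-06-23T06:01:12 TCP 198.51.100.7:55002 -> 192.0.2.202:445
2008-06-23T06:02:00 TCP 203.0.113.9:40000 -> 192.0.2.10:80
"""

def parse_line(line):
    """Split one constructed record into (src_ip, dst_ip, dst_port)."""
    _ts, _proto, src, _arrow, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dst_port)

def darknet_findings(log, allocated=ALLOCATED, local_net=LOCAL_NET, min_targets=3):
    """Group hits on unallocated addresses by source.

    A source that touches at least min_targets distinct unused addresses is
    reported; sources inside local_net are flagged as on-site machines that
    are probing their own neighbourhood (the compromised-server signal).
    """
    targets = defaultdict(set)
    ports = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        src, dst, port = parse_line(line)
        if dst in allocated or dst not in local_net:
            continue  # traffic to a real host, or outside our block: not darknet traffic
        targets[src].add(dst)
        ports[src].add(port)
    findings = []
    for src, hit in targets.items():
        if len(hit) >= min_targets:
            findings.append({"src": str(src), "internal": src in local_net,
                             "targets": len(hit), "ports": sorted(ports[src])})
    # Internal (on-site) sources first, since those are the ones the host can act on directly.
    return sorted(findings, key=lambda f: (not f["internal"], f["src"]))
```

Running it on the sample reports 192.0.2.50 as an internal source sweeping port 22 across four unused addresses, and 198.51.100.7 as an external scanner; the single hit on the allocated 192.0.2.10 is ignored.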