EC2 and GAE means end of ip address reputation industry? (Re: Intrusion attempts from Amazon EC2 IPs)

Tomas L. Byrnes tomb at byrneit.net
Mon Jun 23 12:13:20 CDT 2008


Just because something doesn't solve all your problems doesn't mean it
has no value. Anything that can reduce the amount of inspection you have
to do @ content, and filters out the gross cruft, buys you additional
network and systems capacity, using what you have now (firewall, mail
relay). This is a good thing in a real-world network, and goes straight
to the bottom line in reduced opex and capex.

The process of detecting and blocking bad actors, for networks that have
to allow access to/from anywhere, is better than doing nothing.

Marcus also likes to light hay bales on fire. Methinks for the same
reason he makes inflammatory statements: It gets people talking and
thinking, which is a good thing.



> -----Original Message-----
> From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu] 
> Sent: Monday, June 23, 2008 9:55 AM
> To: William Herrin
> Cc: Paul Vixie; nanog at merit.edu
> Subject: Re: EC2 and GAE means end of ip address reputation
> industry? (Re: Intrusion attempts from Amazon EC2 IPs)
> 
> On Mon, 23 Jun 2008 11:38:16 EDT, William Herrin said:
> 
> > Concur. From an address-reputation perspective EC2 is no different
> > than, say, China. Connections from China start life much closer to my
> > filtering threshold than connections from Europe because a far lower
> > percentage of the connections from China are legitimate. EC2 will get
> > the same treatment. As that starts to impact Amazon's ability to
> > maintain and grow the service, they'll do something about it. Or let
> > it wither. Either way, address reputation solves my problem.
> 
> No, it only solves your problem *if* you can compute a 
> trustable reputation for each address.  For instance, 
> "connections from China" loses if another /12 shows up in the 
> routing table and isn't correctly tagged as "China".  And 
> this fails the other way too - I remember a *lot* of 
> providers were blocking a /8 or so because it was "China", 
> and didn't know that a chunk of that /8 was in fact 
> Australia.  Similarly, you lose if EC2 deploys another /16 
> and you don't pick up on it.
> 
> There's a *reason* that Marcus Ranum listed "Trying to 
> enumerate badness"
> as one of the 6 stupidest ideas in computer security....
> 
> 
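The two positions above, a per-prefix prior that puts some regions "closer to the filtering threshold" and the objection that the scheme silently fails for any address the table does not cover, can be shown in a small longest-prefix-match lookup. This is an added illustration, not code from the thread; the prefixes, scores and threshold are constructed sample values, and the "untagged" result is how a filter can surface Valdis's coverage gap instead of defaulting it to allow or block.

```python
import ipaddress

# Constructed reputation table: prefix -> prior score (0.0 trusted .. 1.0 block).
# Sample values only; the more-specific /25 stands for the "chunk of the /8
# that was in fact Australia" case from the thread.
REPUTATION_TABLE = {
    "192.0.2.0/24": 0.2,        # sample "Europe" prefix
    "198.51.100.0/24": 0.7,     # sample "China" prefix
    "198.51.100.128/25": 0.1,   # more-specific chunk that belongs elsewhere
    "203.0.113.0/24": 0.7,      # sample "EC2" prefix
}
BLOCK_THRESHOLD = 0.8   # constructed threshold


def build_table(raw):
    """Parse prefixes and order them most-specific first for longest-prefix match."""
    nets = [(ipaddress.ip_network(p), s) for p, s in raw.items()]
    nets.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return nets


TABLE = build_table(REPUTATION_TABLE)


def lookup(table, addr):
    """Return (prior, matched_prefix), or (None, None) when no prefix covers addr."""
    ip = ipaddress.ip_address(addr)
    for net, score in table:
        if ip in net:
            return score, str(net)
    return None, None


def decide(table, addr, bad_hits=0, per_hit=0.15):
    """Combine the per-prefix prior with observed bad behaviour.

    An address outside every tagged prefix is reported as 'untagged' rather
    than being quietly treated as good or bad: that is the coverage gap the
    thread warns about (a new /12 or /16 that the table does not yet know).
    """
    prior, _prefix = lookup(table, addr)
    if prior is None:
        return "untagged", None
    score = min(1.0, prior + bad_hits * per_hit)
    return ("block" if score >= BLOCK_THRESHOLD else "allow"), round(score, 2)


def coverage_gaps(table, addrs):
    """Sources seen in logs that no prefix in the table covers; review these first."""
    return [a for a in addrs if lookup(table, a)[0] is None]
```

Run `coverage_gaps(TABLE, ...)` over observed source addresses periodically; a growing list means the reputation table is lagging the routing table.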