nanog mailing list archives
Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)
From: Valdis.Kletnieks () vt edu
Date: Mon, 23 Jun 2008 12:55:03 -0400
On Mon, 23 Jun 2008 11:38:16 EDT, William Herrin said:
Concur. From an address-reputation perspective EC2 is no different than, say, China. Connections from China start life much closer to my filtering threshold that connections from Europe because a far lower percentage of the connections from China are legitimate. EC2 will get the same treatment. As that starts to impact Amazon's ability to maintain and grow the service, they'll do something about it. Or let it wither. Either way, address reputation solves my problem.
No, it only solves your problem *if* you can compute a trustable reputation for each address. For instance, "connections from China" loses if another /12 shows up in the routing table and isn't correctly tagged as "China". And this fails the other way too - I remember a *lot* of providers were blocking a /8 or so because it was "China", and didn't know that a chunk of that /8 was in fact Australia. Similarly, you lose if EC2 deploys another /16 and you don't pick up on it. There's a *reason* that Marcus Ranum listed "Trying to enumerate badness" as one of the 6 stupidest ideas in computer security....
Attachment:
_bin
Description:
Current thread:
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs), (continued)
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs) Andy Davidson (Jun 22)
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs) Paul Vixie (Jun 22)
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs) Al Iverson (Jun 22)
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs) Steven Champeon (Jun 23)
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs) Valdis . Kletnieks (Jun 23)
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Paul Vixie (Jun 23)
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Ken Simpson (Jun 24)
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Deepak Jain (Jun 24)
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Valdis . Kletnieks (Jun 24)
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs) William Herrin (Jun 23)
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs) Valdis . Kletnieks (Jun 23)
- RE: EC2 and GAE means end of ip address reputation industry? (Re:Intrustion attempts from Amazon EC2 IPs) Tomas L. Byrnes (Jun 23)
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs) Troy Davis (Jun 22)
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs) Paul Vixie (Jun 22)
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs) Jim Popovitch (Jun 22)
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs) Randy Bush (Jun 22)
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs) Steve Gibbard (Jun 22)
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Paul Vixie (Jun 22)
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs) Suresh Ramasubramanian (Jun 22)
- Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs) Roland Dobbins (Jun 22)
- RE: EC2 and GAE means end of ip address reputation industry? (Re:Intrustion attempts from Amazon EC2 IPs) Dustin Jurman (Jun 22)