nanog mailing list archives
RE: EC2 and GAE means end of ip address reputation industry? (Re:Intrustion attempts from Amazon EC2 IPs)
From: "Tomas L. Byrnes" <tomb () byrneit net>
Date: Mon, 23 Jun 2008 10:13:20 -0700
Just because something doesn't solve all your problems doesn't mean it has no value. Anything that can reduce the amount of inspection you have to do @ content, and filters out the gross cruft, buys you additional network and systems capacity, using what you have now (firewall, mail relay). This is a good thing in a real-world network, and goes straight to the bottom line in reduced opex and capex. The process of detecting and blocking bad actors, for networks that have to allow access to/from anywhere, is better than doing nothing. Marcus also likes to light hay bales on fire. Methinks for the same reason he makes inflammatory statements: It gets people talking and thinking, which is a good thing.
-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Monday, June 23, 2008 9:55 AM
To: William Herrin
Cc: Paul Vixie; nanog () merit edu
Subject: Re: EC2 and GAE means end of ip address reputation industry? (Re:Intrustion attempts from Amazon EC2 IPs)

On Mon, 23 Jun 2008 11:38:16 EDT, William Herrin said:

> Concur. From an address-reputation perspective EC2 is no different
> than, say, China. Connections from China start life much closer to my
> filtering threshold than connections from Europe because a far lower
> percentage of the connections from China are legitimate. EC2 will get
> the same treatment. As that starts to impact Amazon's ability to
> maintain and grow the service, they'll do something about it. Or let
> it wither. Either way, address reputation solves my problem.

No, it only solves your problem *if* you can compute a trustable reputation for each address. For instance, "connections from China" loses if another /12 shows up in the routing table and isn't correctly tagged as "China". And this fails the other way too - I remember a *lot* of providers were blocking a /8 or so because it was "China", and didn't know that a chunk of that /8 was in fact Australia. Similarly, you lose if EC2 deploys another /16 and you don't pick up on it.

There's a *reason* that Marcus Ranum listed "Trying to enumerate badness" as one of the 6 stupidest ideas in computer security....
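The two failure modes described in the quoted message (a coarse block that is partly mis-tagged, and a newly deployed block that the table has not picked up) can be measured by replaying sample addresses against a stale and a current prefix table. This is an added example, not part of the original thread; the prefixes are RFC 1918 and documentation placeholders, and the tags, table contents and function names are constructed for illustration.

```python
import ipaddress

def lookup(table, ip):
    """Longest-prefix match: tag of the most specific covering prefix, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, tag in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, tag)
    return best[1] if best else None

def compare(stale, current, ips, penalised):
    """Classify each address by how the stale verdict differs from the current one."""
    result = {}
    for ip in ips:
        was = lookup(stale, ip) in penalised
        now = lookup(current, ip) in penalised
        if was and not now:
            result[ip] = "over-blocked"   # penalised only because the tag is too coarse
        elif now and not was:
            result[ip] = "missed"         # new allocation the stale table never saw
        else:
            result[ip] = "agree"
    return result

# Constructed tables. STALE is the snapshot the filter runs on; CURRENT is
# what a refreshed feed would say.
STALE = {"10.0.0.0/8": "region-A", "172.16.0.0/16": "cloud-X"}
CURRENT = {
    "10.0.0.0/8": "region-A",
    "10.64.0.0/12": "region-B",    # a chunk of the /8 belongs elsewhere
    "172.16.0.0/16": "cloud-X",
    "172.17.0.0/16": "cloud-X",    # provider deployed another /16
}
PENALISED = {"region-A", "cloud-X"}
SAMPLES = ["10.1.2.3", "10.70.0.9", "172.16.5.5", "172.17.5.5", "192.0.2.10"]

if __name__ == "__main__":
    for ip, verdict in compare(STALE, CURRENT, SAMPLES, PENALISED).items():
        print(f"{ip:<12} {verdict}")
```

Running the same comparison on real connection logs each time the prefix feed is refreshed gives a direct count of how many decisions the stale table was getting wrong in each direction.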