nanog mailing list archives

RE: EC2 and GAE means end of ip address reputation industry? (Re: Intrusion attempts from Amazon EC2 IPs)


From: "Tomas L. Byrnes" <tomb () byrneit net>
Date: Mon, 23 Jun 2008 10:13:20 -0700

Just because something doesn't solve all your problems doesn't mean it
has no value. Anything that can reduce the amount of inspection you have
to do @ content, and filters out the gross cruft, buys you additional
network and systems capacity, using what you have now (firewall, mail
relay). This is a good thing in a real-world network, and goes straight
to the bottom line in reduced opex and capex.

The process of detecting and blocking bad actors, for networks that have
to allow access to/from anywhere, is better than doing nothing.

Marcus also likes to light hay bales on fire. Methinks for the same
reason he makes inflammatory statements: It gets people talking and
thinking, which is a good thing.



-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
Sent: Monday, June 23, 2008 9:55 AM
To: William Herrin
Cc: Paul Vixie; nanog () merit edu
Subject: Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrusion attempts from Amazon EC2 IPs)

On Mon, 23 Jun 2008 11:38:16 EDT, William Herrin said:

Concur. From an address-reputation perspective EC2 is no different than, say, China. Connections from China start life much closer to my filtering threshold than connections from Europe because a far lower percentage of the connections from China are legitimate. EC2 will get the same treatment. As that starts to impact Amazon's ability to maintain and grow the service, they'll do something about it. Or let it wither. Either way, address reputation solves my problem.

No, it only solves your problem *if* you can compute a trustable reputation for each address.  For instance, "connections from China" loses if another /12 shows up in the routing table and isn't correctly tagged as "China".  And this fails the other way too - I remember a *lot* of providers were blocking a /8 or so because it was "China", and didn't know that a chunk of that /8 was in fact Australia.  Similarly, you lose if EC2 deploys another /16 and you don't pick up on it.

There's a *reason* that Marcus Ranum listed "Trying to enumerate badness" as one of the 6 stupidest ideas in computer security....
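The two failure modes Valdis raises, a new prefix that nobody has tagged yet and a sub-block that belongs to someone other than the covering prefix, both come down to how the reputation lookup handles prefixes. The following Python is an added illustration, not code from this thread or from any poster: a longest-prefix-match reputation table where an untagged address falls through to a neutral default and is reported by a coverage check, and where a more specific entry overrides the coarse one. All prefixes, labels, scores and the 10-points-per-event weight are constructed (private ranges, not real allocations); `ReputationTable`, `PrefixTag` and `label_for` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class PrefixTag:
    network: ipaddress.IPv4Network
    label: str
    start_score: int  # constructed "badness" a new connection starts with; 0 is neutral


class ReputationTable:
    """Longest-prefix-match lookup over tagged prefixes (hypothetical helper)."""

    def __init__(self, entries: Iterable[Tuple[str, str, int]]):
        tags = [PrefixTag(ipaddress.ip_network(net, strict=True), label, score)
                for net, label, score in entries]
        # Most specific prefix first, so the first containing network wins.
        self._tags = sorted(tags, key=lambda t: t.network.prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[PrefixTag]:
        ip = ipaddress.ip_address(addr)
        for tag in self._tags:
            if ip in tag.network:
                return tag
        return None  # address lies in space the table does not cover at all

    def classify(self, addr: str, observed_bad_events: int, threshold: int = 50) -> str:
        """Return 'block' or 'allow'.

        The prefix's start score moves the connection toward the threshold;
        each observed bad event adds 10 points (constructed weight). An
        untagged address starts at 0, i.e. it is treated as neutral, not as good.
        """
        tag = self.lookup(addr)
        start = tag.start_score if tag else 0
        return "block" if start + 10 * observed_bad_events >= threshold else "allow"

    def untagged(self, addrs: Iterable[str]) -> List[str]:
        """Coverage check: addresses that fell through to the neutral default.

        Reviewing this list is how an operator notices newly announced space
        (the 'another /16 shows up' case) that the table does not know about.
        """
        return [a for a in addrs if self.lookup(a) is None]


# Constructed tables. COARSE tags a whole /8 with one label; REFINED adds the
# more specific /16 inside it that actually belongs to a different region.
COARSE = [("10.0.0.0/8", "region-A", 40), ("172.16.0.0/12", "cloud-X", 40)]
REFINED = COARSE + [("10.200.0.0/16", "region-B", 0)]

coarse_table = ReputationTable(COARSE)
refined_table = ReputationTable(REFINED)


def label_for(table: ReputationTable, addr: str) -> str:
    tag = table.lookup(addr)
    return tag.label if tag else "untagged"


if __name__ == "__main__":
    sample = ["10.1.2.3", "10.200.4.5", "172.20.1.1", "192.168.9.9"]  # constructed
    for a in sample:
        print(a, "coarse:", label_for(coarse_table, a), "refined:", label_for(refined_table, a))
    # The same single bad event blocks 10.200.4.5 under the coarse table only.
    print("coarse", coarse_table.classify("10.200.4.5", 1),
          "refined", refined_table.classify("10.200.4.5", 1))
    print("untagged:", refined_table.untagged(sample))
```

The point of the two tables is the mis-tagging case: with only the coarse entry, every address in the /8 inherits that prefix's score, so a single bad event from the sub-block crosses the threshold, while the refined table scores the sub-block on its own. The `untagged` report is the defensive counterpart for the other case; an address that matches nothing should be visible to the operator rather than silently scored as trusted.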
