[105430] in North American Network Operators' Group

RE: EC2 and GAE means end of ip address reputation industry?

daemon@ATHENA.MIT.EDU (Tomas L. Byrnes)
Mon Jun 23 13:13:49 2008

Date: Mon, 23 Jun 2008 10:13:20 -0700
In-Reply-To: <18680.1214240103@turing-police.cc.vt.edu>
From: "Tomas L. Byrnes" <tomb@byrneit.net>
To: <Valdis.Kletnieks@vt.edu>, "William Herrin" <herrin-nanog@dirtside.com>
Cc: Paul Vixie <vixie@isc.org>, nanog@merit.edu
Errors-To: nanog-bounces@nanog.org

Just because something doesn't solve all your problems doesn't mean it
has no value. Anything that can reduce the amount of inspection you have
to do @ content, and filters out the gross cruft, buys you additional
network and systems capacity, using what you have now (firewall, mail
relay). This is a good thing in a real-world network, and goes straight
to the bottom line in reduced opex and capex.

The process of detecting and blocking bad actors, for networks that have
to allow access to/from anywhere, is better than doing nothing.

Marcus also likes to light hay bales on fire. Methinks for the same
reason he makes inflammatory statements: It gets people talking and
thinking, which is a good thing.



> -----Original Message-----
> From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
> Sent: Monday, June 23, 2008 9:55 AM
> To: William Herrin
> Cc: Paul Vixie; nanog@merit.edu
> Subject: Re: EC2 and GAE means end of ip address reputation industry? (Re:Intrustion attempts from Amazon EC2 IPs)
>
> On Mon, 23 Jun 2008 11:38:16 EDT, William Herrin said:
>
> > Concur. From an address-reputation perspective EC2 is no different
> > than, say, China. Connections from China start life much closer to my
> > filtering threshold than connections from Europe because a far lower
> > percentage of the connections from China are legitimate. EC2 will get
> > the same treatment. As that starts to impact Amazon's ability to
> > maintain and grow the service, they'll do something about it. Or let
> > it wither. Either way, address reputation solves my problem.
>
> No, it only solves your problem *if* you can compute a trustable
> reputation for each address.  For instance, "connections from China"
> loses if another /12 shows up in the routing table and isn't correctly
> tagged as "China".  And this fails the other way too - I remember a
> *lot* of providers were blocking a /8 or so because it was "China",
> and didn't know that a chunk of that /8 was in fact Australia.
> Similarly, you lose if EC2 deploys another /16 and you don't pick up
> on it.
>
> There's a *reason* that Marcus Ranum listed "Trying to enumerate badness"
> as one of the 6 stupidest ideas in computer security....
>

