North American Network Operators Group
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Historical
Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)
- From: Nathan Ward
- Date: Mon Jun 23 02:25:08 2008
On 23/06/2008, at 6:14 PM, Stephen Satchell wrote:
PHP, Perl, Python all provide the ability to generate Socket
connections via TCP and UDP. At the Web hosting company I used to
work at, they ran a "mostly open" policy when it came to outbound
connections. This was particularly true of co-located-equipment and
leased-equipment customers, much more so than the shared-equipment
accounts.
When I monitored traffic, I found that the most common port for
outgoing TCP connections was on port 80. Investigation of TCP
port-22 outbound traffic showed that most of that traffic was SCP
and tunneled RSYNC traffic to single locations.
We found our share of bad apples, such as the the guy who set up a
tunnel between a leased server and his location in Texas, for the
purpose of running a spammer Web site with the payload coming to the
Web host's IP addresses instead of the spammer operators' addresses.
Of more interest to me, though, was the monitoring of traffic on our
currently unallocated IP addresses; *lots* of woodpeckering on a
wide variety of ports. The reason I originally set up a server that
would accept packets from all currently-unused IP addresses was to
minimize the ARP flooding that occurred when someone would hammer on
an IP address that wasn't in use. Once that was in place, it was a
trivial matter to monitor abusive traffic and add to the local
access control list as necessary when requests to the network
operators of the source of abusive traffic would not take steps to
remove the people who were not RFC 1855-compliant.
The default server's logs proved to be an excellent way for us to
detect compromised on-site dedicated servers, particularly those
servers infected with mal-ware designed to "probe the immediate
neighborhood" first.
Yep, darknets are a common way to detect that sort of thing, there's
quite a few papers on them.
I'd be pretty worried if my colo provider was limiting what I could do
- but it seems silly to let your average web hosting customer (i.e.
$10/mo php+mysql service) open outgoing TCP sessions to ports other
than 80 and 443. I'm sure there are exceptions to the rule, and they
should be exactly that - exceptions.
--
Nathan Ward
|