North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: EC2 and GAE means end of ip address reputation industry? (Re:Intrustion attempts from Amazon EC2 IPs)
Just because something doesn't solve all your problems doesn't mean it has no value. Anything that can reduce the amount of inspection you have to do @ content, and filters out the gross cruft, buys you additional network and systems capacity, using what you have now (firewall, mail relay). This is a good thing in a real-world network, and goes straight to the bottom line in reduced opex and capex. The process of detecting and blocking bad actors, for networks that have to allow access to/from anywhere, is better than doing nothing. Marcus also likes to light hay bales on fire. Methinks for the same reason he makes inflammatory statements: It gets people talking and thinking, which is a good thing. > -----Original Message----- > From: [email protected] [mailto:[email protected]] > Sent: Monday, June 23, 2008 9:55 AM > To: William Herrin > Cc: Paul Vixie; [email protected] > Subject: Re: EC2 and GAE means end of ip address reputation > industry? (Re:Intrustion attempts from Amazon EC2 IPs) > > On Mon, 23 Jun 2008 11:38:16 EDT, William Herrin said: > > > Concur. From an address-reputation perspective EC2 is no different > > than, say, China. Connections from China start life much > closer to my > > filtering threshold that connections from Europe because a > far lower > > percentage of the connections from China are legitimate. > EC2 will get > > the same treatment. As that starts to impact Amazon's ability to > > maintain and grow the service, they'll do something about > it. Or let > > it wither. Either way, address reputation solves my problem. > > No, it only solves your problem *if* you can compute a > trustable reputation for each address. For instance, > "connections from China" loses if another /12 shows up in the > routing table and isn't correctly tagged as "China". And > this fails the other way too - I remember a *lot* of > providers were blocking a /8 or so because it was "China", > and didn't know that a chunk of that /8 was in fact > Australia. Similarly, you lose if EC2 deploys another /16 > and you don't pick up on it. > > There's a *reason* that Marcus Ranum listed "Trying to > enumerate badness" > as one of the 6 stupidest ideas in computer security.... > >
|