Just because something doesn't solve all your problems doesn't mean it has no value. Anything that can reduce the amount of inspection you have to do @ content, and filters out the gross cruft, buys you additional network and systems capacity, using what you have now (firewall, mail relay). This is a good thing in a real-world network, and goes straight to the bottom line in reduced opex and capex. The process of detecting and blocking bad actors, for networks that have to allow access to/from anywhere, is better than doing nothing. Marcus also likes to light hay bales on fire. Methinks for the same reason he makes inflammatory statements: It gets people talking and thinking, which is a good thing.
-----Original Message----- From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] Sent: Monday, June 23, 2008 9:55 AM To: William Herrin Cc: Paul Vixie; nanog@merit.edu Subject: Re: EC2 and GAE means end of ip address reputation industry? (Re:Intrustion attempts from Amazon EC2 IPs)
On Mon, 23 Jun 2008 11:38:16 EDT, William Herrin said:
Concur. From an address-reputation perspective EC2 is no different than, say, China. Connections from China start life much closer to my filtering threshold that connections from Europe because a far lower percentage of the connections from China are legitimate. EC2 will get the same treatment. As that starts to impact Amazon's ability to maintain and grow the service, they'll do something about it. Or let it wither. Either way, address reputation solves my problem.
No, it only solves your problem *if* you can compute a trustable reputation for each address. For instance, "connections from China" loses if another /12 shows up in the routing table and isn't correctly tagged as "China". And this fails the other way too - I remember a *lot* of providers were blocking a /8 or so because it was "China", and didn't know that a chunk of that /8 was in fact Australia. Similarly, you lose if EC2 deploys another /16 and you don't pick up on it.
There's a *reason* that Marcus Ranum listed "Trying to enumerate badness" as one of the 6 stupidest ideas in computer security....