On Mon, 23 Jun 2008 11:38:16 EDT, William Herrin said:

> Concur. From an address-reputation perspective EC2 is no different
> than, say, China. Connections from China start life much closer to my
> filtering threshold than connections from Europe because a far lower
> percentage of the connections from China are legitimate. EC2 will get
> the same treatment. As that starts to impact Amazon's ability to
> maintain and grow the service, they'll do something about it. Or let
> it wither. Either way, address reputation solves my problem.
No, it only solves your problem *if* you can compute a trustable reputation for each address. For instance, "connections from China" loses if another /12 shows up in the routing table and isn't correctly tagged as "China". And this fails the other way too - I remember a *lot* of providers were blocking a /8 or so because it was "China", and didn't know that a chunk of that /8 was in fact Australia. Similarly, you lose if EC2 deploys another /16 and you don't pick up on it. There's a *reason* that Marcus Ranum listed "Trying to enumerate badness" as one of the 6 stupidest ideas in computer security....
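Added example (not part of the thread): a longest-prefix-match reputation lookup in Python that shows the two failure modes the reply describes, a coarse tag over a /8 swallowing a sub-block that actually belongs elsewhere, and a newly deployed prefix that falls through to the default and is treated as clean. All prefixes, tags, scores and the threshold are constructed; private and documentation ranges stand in for real allocations.

```python
import ipaddress

# Constructed reputation table: prefix -> (tag, score). Score is distance
# toward the filtering threshold; higher means the block is trusted less.
BASE_TABLE = {
    "10.0.0.0/8": ("tagged-region", 60),     # coarse tag: whole /8 is "that country"
    "203.0.113.0/24": ("known-hoster", 80),  # a hosting range already on the list
}
DEFAULT = ("untagged", 0)  # what an address gets when no entry covers it
THRESHOLD = 70             # score at or above which a connection is filtered


def lookup(table, addr):
    """Longest-prefix match of addr against table -> (prefix, tag, score)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, (tag, score) in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, tag, score)
    if best is None:
        return (None,) + DEFAULT  # nothing in the table: falls to default
    return (str(best[0]), best[1], best[2])


def effective_score(table, addr, host_history=0):
    """Score the filter acts on: block reputation plus this host's own history."""
    return lookup(table, addr)[2] + host_history


def filtered(table, addr, host_history=0):
    return effective_score(table, addr, host_history) >= THRESHOLD


def with_more_specific(table):
    """Failure mode 1 corrected: add the sub-block that was mis-tagged by the /8."""
    fixed = dict(table)
    fixed["10.20.0.0/16"] = ("elsewhere", 5)
    return fixed


if __name__ == "__main__":
    # Failure mode 1: host in the mis-tagged /16 inherits the /8's score and is
    # filtered on modest history; the more-specific entry corrects that.
    print(filtered(BASE_TABLE, "10.20.1.1", 15))                 # True
    print(filtered(with_more_specific(BASE_TABLE), "10.20.1.1", 15))  # False
    # Failure mode 2: a prefix not yet in the table scores 0, so the same
    # host history that would filter elsewhere lets it straight through.
    print(lookup(BASE_TABLE, "192.0.2.7"))                       # (None, 'untagged', 0)
    print(filtered(BASE_TABLE, "192.0.2.7", 15))                 # False
```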