Just because something doesn't solve all your problems doesn't mean it has no value. Anything that can reduce the amount of inspection you have to do @ content, and filters out the gross cruft, buys you additional network and systems capacity, using what you have now (firewall, mail relay). This is a good thing in a real-world network, and goes straight to the bottom line in reduced opex and capex.
The process of detecting and blocking bad actors, for networks that have to allow access to/from anywhere, is better than doing nothing.

Marcus also likes to light hay bales on fire. Methinks for the same reason he makes inflammatory statements: It gets people talking and thinking, which is a good thing.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2008 9:55 AM
> To: William Herrin
> Cc: Paul Vixie; [EMAIL PROTECTED]
> Subject: Re: EC2 and GAE means end of ip address reputation
> industry? (Re: Intrusion attempts from Amazon EC2 IPs)
>
> On Mon, 23 Jun 2008 11:38:16 EDT, William Herrin said:
>
> > Concur. From an address-reputation perspective EC2 is no different
> > than, say, China. Connections from China start life much closer to my
> > filtering threshold than connections from Europe because a far lower
> > percentage of the connections from China are legitimate. EC2 will get
> > the same treatment. As that starts to impact Amazon's ability to
> > maintain and grow the service, they'll do something about it. Or let
> > it wither. Either way, address reputation solves my problem.
>
> No, it only solves your problem *if* you can compute a
> trustable reputation for each address. For instance,
> "connections from China" loses if another /12 shows up in the
> routing table and isn't correctly tagged as "China". And
> this fails the other way too - I remember a *lot* of
> providers were blocking a /8 or so because it was "China",
> and didn't know that a chunk of that /8 was in fact
> Australia. Similarly, you lose if EC2 deploys another /16
> and you don't pick up on it.
>
> There's a *reason* that Marcus Ranum listed "Trying to
> enumerate badness"
> as one of the 6 stupidest ideas in computer security....
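The two positions in this thread (a per-block "starting score" that moves a connection toward or away from a filtering threshold, and the objection that the scheme silently fails for any prefix the reputation table does not cover) can be shown side by side in a few lines. The following is an added example written for this page, not code from anyone in the thread; every prefix, score and threshold is constructed for illustration, and the helper names (`classify`, `untagged_prefixes`) are this example's own. The point it makes is the defensive one: an address in an untagged block does not get "bad" treatment, it gets the default, so the operational check is to compare what you route against what you have tagged.

```python
import ipaddress

# Constructed reputation table: prefix -> prior score in [0, 1]. A higher
# score means a larger share of past connections from that block were
# legitimate. All prefixes are documentation ranges; the scores are made up.
PREFIX_REPUTATION = {
    "203.0.113.0/24": 0.20,   # hypothetical block with a poor history
    "198.51.100.0/24": 0.90,  # hypothetical block with a good history
    "192.0.2.0/24": 0.50,     # hypothetical block with a neutral history
}

# Score given to any address that matches no prefix in the table.
# This is the silent fallback the objection in the thread is about.
DEFAULT_SCORE = 0.50

# Filtering threshold: a connection whose starting score is below this is
# held for closer inspection; at or above it, it is accepted as-is.
FILTER_THRESHOLD = 0.40


def build_table(reputation=PREFIX_REPUTATION):
    """Parse the prefix strings once and order them longest-prefix first,
    so that a more specific entry wins over a covering one."""
    entries = [(ipaddress.ip_network(p), s) for p, s in reputation.items()]
    return sorted(entries, key=lambda e: e[0].prefixlen, reverse=True)


def starting_score(addr, table):
    """Return (score, matched_prefix) for an address; matched_prefix is
    None when the address falls outside every tagged block."""
    ip = ipaddress.ip_address(addr)
    for net, score in table:
        if ip in net:
            return score, str(net)
    return DEFAULT_SCORE, None


def classify(addr, table):
    """Apply the threshold: ('accept' | 'inspect', score, matched_prefix)."""
    score, matched = starting_score(addr, table)
    decision = "accept" if score >= FILTER_THRESHOLD else "inspect"
    return decision, score, matched


def untagged_prefixes(routed, table):
    """Given prefixes seen in the routing table, return those that no
    reputation entry covers. These are the blocks that would quietly get
    DEFAULT_SCORE, i.e. the '/12 shows up and isn't tagged' case."""
    missing = []
    for p in routed:
        net = ipaddress.ip_network(p)
        covered = any(net.version == tagged.version and net.subnet_of(tagged)
                      for tagged, _ in table)
        if not covered:
            missing.append(str(net))
    return missing


if __name__ == "__main__":
    table = build_table()
    for a in ("203.0.113.7", "198.51.100.9", "10.1.2.3"):
        print(a, classify(a, table))
    # Constructed routing-table snapshot: one prefix inside a tagged block,
    # one brand-new block nobody has tagged yet.
    print("untagged:", untagged_prefixes(["203.0.113.0/25", "10.0.0.0/12"], table))
```

Note that `10.1.2.3` comes back as `accept` with the default score, not because anything is known about it but because nothing is. That is the gap the reply describes, and `untagged_prefixes` is the kind of periodic check (routing table versus reputation coverage) that makes the gap visible instead of silent.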