Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)

2008-06-23 Thread Eliot Lear

Hi Paul,

Let's go back to the case in point: Amazon is claimed not to behave as 
a good Netizen.[*]  In these circumstances we have to ask why the 
traditional system doesn't work.  This is precisely the case when you 
want to ding someone's reputation.  Your argument that many good 
applications will be running to counterbalance the bad depends on 
whether those running the good applications will tolerate intermittent 
outages because the bad applications cause the sites to get blacklisted.


Also, let's remember that reputation means different things in different 
contexts.  One could easily envision a cloud having a good web 
reputation and a lousy or at best neutral email reputation.[**]  In 
addition, the risks of infection are also very different.  In the web 
case, if a host connects to a known infected site, its risk of becoming 
infected is very high, compared to the risk of someone receiving an 
email message that points to spam.  This means to me that end users who 
are protecting themselves with some sort of web reputation service are 
likely to guard against clouds and not quickly whitelist them.


But there's also the possibility for web reputation services to improve 
granularity above and beyond the IP address, but this depends on quite a 
number of things, such as whether SSL is used and where and how 
information is collected by the services.[***]


And so the question boils down to this: will Amazon and its ilk adapt to 
the current reputation services model or will it be the other way 
around?  I think it will be both, but more the former than the latter.


Eliot

[*] Not my claim.
[**] Email reputation is commonly applied to messages and to TCP/25.  
For our purposes, although it's overly simplistic, let's view web 
reputation as everything else.
[***] Self-signed certs are a clearly interesting area to consider when 
it comes to THEIR reputations.  The same can be said for any X.509 CA 
that itself doesn't do a good job of confirming the identity of a 
requestor.  I don't suggest that this should be a sole input or even a 
significant discriminator in and of itself, of course.




Spamcop

2008-06-23 Thread Mehmet Akcin
Hi

If there are some members of Spamcop here, please contact me off-list

Mehmet




Cloud service [was: RE: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

2008-06-23 Thread Frank Bulk - iNAME
When I hear "cloud services" I think "in the network" even though it appears
all these cloud services perform their work at a data center as an
outsourced service.

Is there a vendor that makes a product that performs spam/malware filtering
literally in the network, i.e. as a service provider, can I provide spam
filtering for the enterprises in my customer base by adding a piece of
network gear?  I'm not aware of one today except those who provide
enterprise-oriented gateways like SonicWall.

Frank

-Original Message-
From: Roland Dobbins [mailto:[EMAIL PROTECTED] 
Sent: Sunday, June 22, 2008 9:20 PM
To: [EMAIL PROTECTED]
Subject: Re: EC2 and GAE means end of ip address reputation industry? (Re:
Intrustion attempts from Amazon EC2 IPs)

 

This is far different from free email Google or Hotmail - these cloud
services (EC2, Mosso, Slicehost, Terremark's Enterprise Cloud,
Telstra's new service, AppEngine, et.al.) are where many popular new
Internet applications will live, and, even more significantly, where
an increasing amount large-scale enterprise computing (like banking,
pharma, government, and so forth) will take place.

I foresee interesting times ahead.

---
Roland Dobbins <[EMAIL PROTECTED]> // +66.83.266.6344 mobile

  History is a great teacher, but it also lies with impunity.

-- John Robb






Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)

2008-06-23 Thread Paul Vixie
eliot wrote:

> Let's go back to the case in point: Amazon is claimed not to behave as a
> good Netizen.[*] In these circumstances we have to ask why the traditional
> system doesn't work.  This is precisely the case when you want to ding
> someone's reputation.  Your argument that many good applications will be
> running to counterbalance the bad depends on whether those running the good
> applications will tolerate intermittent outages because the bad applications
> cause the sites to get blacklisted.

my argument doesn't get that far, actually.  i think there will be no outages
because recipients of abuse won't feel that they can afford to toss out the
good with the bad in this particular case.  which is going to remind me of
tom lehrer's quip, "feels like a christian scientist with appendicitis" once
an EC2 customer instance gets infected with malware that then ddos's somebody.

> But there's also the possibility for web reputation services to improve
> granularity above and beyond the IP address, but this depends on quite a
> number of things, such as whether SSL is used and where and how information
> is collected by the services.[***]

i suppose i have been too prolific here of late, since i predicted exactly
that, but it's no doubt buried in some response of mine that you did not read.

> And so the question boils down to this: will Amazon and its ilk adapt to
> the current reputation services model or will it be the other way around?
> I think it will be both, but more the former than the latter.

i think it will be both, and more the latter than the former.  i'm basing this
prediction on leverage, risks, and costs.  if amazon and google and anyone
else who provides large scale virtualization (where "large scale" means there
is no in-person meeting to kick off the relationship, no credit check on the
customer, and so on) knows that their good customers are so valuable to the
rest of the world that some number of bad customers mixed in will not matter,
then their rational decision will be to discover the break point and enforce
that much and no more.  this is how big companies get big and stay big; it's
what ISP's have always done wrt their abuse desks; it's the break point i
sought to move with MAPS; and the basis for that break point is in a totally
different place for (server-side large-scale no-fixed-ip).

paul



Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)

2008-06-23 Thread Patrick Giagnocavo

Paul Vixie wrote:


my argument doesn't get that far, actually.  i think there will be no outages
because recipients of abuse won't feel that they can afford to toss out the
good with the bad in this particular case.  which is going to remind me of
tom lehrer's quip, "feels like a christian scientist with appendicitis" once
an EC2 customer instance gets infected with malware that then ddos's somebody.


What has been missing from this entire thread, is the input/experiences 
of those who are actually using EC2 to run their web sites.


If you look at places where people are actually running EC2 in either 
testing or production, you will find that they are concerned about 
legitimate email from their EC2 instances actually reaching their customers.


See for instance, the many EC2 threads on Paul Graham's "Hacker News" 
site at http://news.ycombinator.com (best to use Google to search the 
site probably).


What I think would/should happen is that EC2 is never assumed to be a 
legitimate source of email; and any EC2 instance that sends email will 
instead be relaying through a non-EC2 mail server.


Cordially

Patrick



Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)

2008-06-23 Thread Suresh Ramasubramanian
On Mon, Jun 23, 2008 at 7:20 PM, Patrick Giagnocavo <[EMAIL PROTECTED]> wrote:
> What I think would/should happen is that EC2 is never assumed to be a
> legitimate source of email; and any EC2 instance that sends email will
> instead be relaying through a non-EC2 mail server.

Mail / spam seems to be the least of ec2's problems though. This
thread started off with ssh port probes.

srs

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])



Re: Cloud service [was: RE: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

2008-06-23 Thread Suresh Ramasubramanian
On Mon, Jun 23, 2008 at 6:01 PM, Frank Bulk - iNAME <[EMAIL PROTECTED]> wrote:
> Is there a vendor that makes a product that performs spam/malware filtering
> literally in the network, i.e. as a service provider, can I provide spam
> filtering for the enterprises in my customer base by adding a piece of
> network gear?  I'm not aware of one today except those who provide
> enterprise-oriented gateways like SonicWall.

Symantec Mail Security / Turntide
Mailchannels Traffic Control

--srs

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])



Australian Co-Lo

2008-06-23 Thread Bernard Becker
Looking for recommendations for carrier neutral co-lo facility for Melbourne
Australia. Our searches so far seem to turn up sites either on Telstra or
Optus affiliated co-lo facilities. We need to be in a carrier neutral space
with access to any of the major providers.

Searching for co-lo space in Australia from Toronto is somewhat challenging.
Websites make lots of claims that can't be validated without going and
seeing the place.


Bernard Becker
Senior Network Architect
Filogix - A Davis & Henderson Company.
Tel: 416-360-1777 x3341
Fax: 416-847-5816
Toll Free: 1-866-435-6165





Re: Australian Co-Lo

2008-06-23 Thread Martin Barry
$quoted_author = "Bernard Becker" ;
> 
> Looking for recommendations for carrier neutral co-lo facility for Melbourne
> Australia. Our searches so far seem to turn up sites either on Telstra or
> Optus affiliated co-lo facilities. We need to be in a carrier neutral space
> with access to any of the major providers.

This was created by a SAGE-AU member in response to a similar request.

http://maps.google.com/maps/ms?msa=0&msid=117984623075363696099.000439d39e1c7bd8d46c2&ie=UTF8&z=12

cheers
Marty 



RE: Australian Co-Lo

2008-06-23 Thread Skeeve Stevens
If it doesn't need to be Melbourne, there is a good selection in Sydney.

The best being Equinix and Globalswitch

...Skeeve


--
Skeeve Stevens, Managing Director
eintellego Pty Ltd - The ISP Specialists
[EMAIL PROTECTED] / www.eintellego.net
Phone: (+612) 8197 2760, Fax: (+612) 8572 9954
Cell +61 (0)414 753 383 / skype://skeeve
--
NOC, NOC, who's there?




-Original Message-
From: Martin Barry [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 24 June 2008 1:05 AM
To: nanog@nanog.org
Subject: Re: Australian Co-Lo

$quoted_author = "Bernard Becker" ;
> 
> Looking for recommendations for carrier neutral co-lo facility for
Melbourne
> Australia. Our searches so far seem to turn up sites either on Telstra or
> Optus affiliated co-lo facilities. We need to be in a carrier neutral
space
> with access to any of the major providers.

This was created by a SAGE-AU member in response to a similar request.

http://maps.google.com/maps/ms?msa=0&msid=117984623075363696099.000439d39e1c7bd8d46c2&ie=UTF8&z=12

cheers
Marty 




Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)

2008-06-23 Thread Colin Alston

On 2008/06/22 06:17 PM Paul Vixie wrote:

with EC2, it's game-over for the IP reputation industry


Realistically speaking, did you not expect that to be inevitable?

As access to the internet increases, the chances of SMTP scaling to 
prevent spam decreases. And as IPs become more numerous and 
'chuckable' (so much more so with IPv6 around the corner), the idea of 
a blacklist becomes ever more useless.


What we need is a new mail protocol.. [But people have been saying 
that for decades now]




Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)

2008-06-23 Thread William Herrin
On Sun, Jun 22, 2008 at 12:55 PM, Andy Davidson <[EMAIL PROTECTED]> wrote:
> On 22 Jun 2008, at 17:17, Paul Vixie wrote:
>> with EC2, it's game-over for the IP reputation industry,

> I was discussing this on an e-commerce practitioners list earlier today, and
> argued basically that, from an abuse point of view, EC2 is the same as any
> other bad neighborhood, and that operators needing to make impact fast, will
> treat it as they do any other bad neighborhood.


Concur. From an address-reputation perspective EC2 is no different
than, say, China. Connections from China start life much closer to my
filtering threshold than connections from Europe because a far lower
percentage of the connections from China are legitimate. EC2 will get
the same treatment. As that starts to impact Amazon's ability to
maintain and grow the service, they'll do something about it. Or let
it wither. Either way, address reputation solves my problem.

Regards,
Bill Herrin

-- 
William D. Herrin  [EMAIL PROTECTED] [EMAIL PROTECTED]
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004



Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)

2008-06-23 Thread Valdis . Kletnieks
On Mon, 23 Jun 2008 11:38:16 EDT, William Herrin said:

> Concur. From an address-reputation perspective EC2 is no different
> than, say, China. Connections from China start life much closer to my
> filtering threshold than connections from Europe because a far lower
> percentage of the connections from China are legitimate. EC2 will get
> the same treatment. As that starts to impact Amazon's ability to
> maintain and grow the service, they'll do something about it. Or let
> it wither. Either way, address reputation solves my problem.

No, it only solves your problem *if* you can compute a trustable reputation for
each address.  For instance, "connections from China" loses if another /12
shows up in the routing table and isn't correctly tagged as "China".  And
this fails the other way too - I remember a *lot* of providers were blocking
a /8 or so because it was "China", and didn't know that a chunk of that /8
was in fact Australia.  Similarly, you lose if EC2 deploys another /16 and
you don't pick up on it.

There's a *reason* that Marcus Ranum listed "Trying to enumerate badness"
as one of the 6 stupidest ideas in computer security





Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)

2008-06-23 Thread Paul Vixie
> > with EC2, it's game-over for the IP reputation industry
> 
> Realistically speaking, did you not expect that to be inevitable?

i didn't, no.  when i unknowingly launched the IP reputation industry back
in the mid 1990's, the risk i was managing was a spammer who planned to give
away free T1 lines to anyone who would run a spam relay for them.  everything
in those days was fixed ip on wire lines.  when the game changed to open relay
and open proxy and then malware-botnets, i saw a great deal of pressure on the
model since a given IP address could represent different endpoints at various
times of the day, and each endpoint could be cleaned and reinfected many times
in a month, but with short TTLs on the DNS RBL, it was still possible to keep
the pressure on the infected endpoints and their ISPs, since they bore the
greatest cost of their own misbehaviour, and reputation-entropy was a cheap
component of the overall error rate.  so, no.

> As access to the internet increases, the chances of SMTP scaling to prevent
> spam decreases. And as IPs become more numerous and 'chuckable' (so much
> more so with IPv6 around the corner), the idea of a blacklist becomes ever
> more useless.

yes, but that was a shallow curve, whereas EC2/GAE/etc is a steep curve.

> What we need is a new mail protocol.. [But people have been saying that for
> decades now]

several excellent, scalable replacements for smtp have been patented.  all we
have to do is globally agree to enrich those patent holders and our problems
will be solved.



RE: EC2 and GAE means end of ip address reputation industry? (Re:Intrustion attempts from Amazon EC2 IPs)

2008-06-23 Thread Tomas L. Byrnes
Just because something doesn't solve all your problems doesn't mean it
has no value. Anything that can reduce the amount of inspection you have
to do @ content, and filters out the gross cruft, buys you additional
network and systems capacity, using what you have now (firewall, mail
relay). This is a good thing in a real-world network, and goes straight
to the bottom line in reduced opex and capex.

The process of detecting and blocking bad actors, for networks that have
to allow access to/from anywhere, is better than doing nothing.

Marcus also likes to light hay bales on fire. Methinks for the same
reason he makes inflammatory statements: It gets people talking and
thinking, which is a good thing.



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Sent: Monday, June 23, 2008 9:55 AM
> To: William Herrin
> Cc: Paul Vixie; [EMAIL PROTECTED]
> Subject: Re: EC2 and GAE means end of ip address reputation 
> industry? (Re:Intrustion attempts from Amazon EC2 IPs)
> 
> On Mon, 23 Jun 2008 11:38:16 EDT, William Herrin said:
> 
> > Concur. From an address-reputation perspective EC2 is no different 
> > than, say, China. Connections from China start life much 
> closer to my 
> > filtering threshold than connections from Europe because a 
> far lower 
> > percentage of the connections from China are legitimate. 
> EC2 will get 
> > the same treatment. As that starts to impact Amazon's ability to 
> > maintain and grow the service, they'll do something about 
> it. Or let 
> > it wither. Either way, address reputation solves my problem.
> 
> No, it only solves your problem *if* you can compute a 
> trustable reputation for each address.  For instance, 
> "connections from China" loses if another /12 shows up in the 
> routing table and isn't correctly tagged as "China".  And 
> this fails the other way too - I remember a *lot* of 
> providers were blocking a /8 or so because it was "China", 
> and didn't know that a chunk of that /8 was in fact 
> Australia.  Similarly, you lose if EC2 deploys another /16 
> and you don't pick up on it.
> 
> There's a *reason* that Marcus Ranum listed "Trying to 
> enumerate badness"
> as one of the 6 stupidest ideas in computer security
> 
> 



RE: Cloud service [was: RE: EC2 and GAE means end of ip addressreputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

2008-06-23 Thread Tomas L. Byrnes
Barracuda, or you could build the exact same thing using OSS.

Procmail, SpamAssassin, ClamAV, and your choice of RBLs (or use
Karmasphere to custom roll a hybrid one).

 

> -Original Message-
> From: Suresh Ramasubramanian [mailto:[EMAIL PROTECTED] 
> Sent: Monday, June 23, 2008 7:16 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Cloud service [was: RE: EC2 and GAE means end of 
> ip addressreputation industry? (Re: Intrustion attempts from 
> Amazon EC2 IPs)]
> 
> On Mon, Jun 23, 2008 at 6:01 PM, Frank Bulk - iNAME 
> <[EMAIL PROTECTED]> wrote:
> > Is there a vendor that makes a product that perform spam/malware 
> > filtering literally in the network, i.e. as a service 
> provider, can I 
> > provide spam filtering for the enterprises in my customer base by 
> > adding a piece of network gear?  I'm not aware of one today except 
> > those who provide enterprise-oriented gateways like SonicWall.
> 
> Symantec Mail Security / Turntide
> Mailchannels Traffic Control
> 
> --srs
> 
> --
> Suresh Ramasubramanian ([EMAIL PROTECTED])
> 
> 



RE: EC2 and GAE means end of ip address reputation industry? (Re:Intrustion attempts from Amazon EC2 IPs)

2008-06-23 Thread Tomas L. Byrnes
You can easily make IP reputation scale to IPv6 using the APL RRTYPE.

See RFC 3123

 

> -Original Message-
> From: Colin Alston [mailto:[EMAIL PROTECTED] 
> Sent: Monday, June 23, 2008 8:18 AM
> To: Paul Vixie
> Cc: [EMAIL PROTECTED]
> Subject: Re: EC2 and GAE means end of ip address reputation 
> industry? (Re:Intrustion attempts from Amazon EC2 IPs)
> 
> On 2008/06/22 06:17 PM Paul Vixie wrote:
> > with EC2, it's game-over for the IP reputation industry
> 
> Realistically speaking, did you not expect that to be inevitable?
> 
> As access to the internet increases, the chances of SMTP 
> scaling to prevent spam decreases. And as IPs become more 
> numerous and 'chuckable' (so much more so with IPv6 around 
> the corner), the idea of a blacklist becomes ever more useless.
> 
> What we need is a new mail protocol.. [But people have been 
> saying that for decades now]
> 
> 
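The APL record referred to above, worked through as an added example (it is not the poster's code and not any list operator's software). RFC 3123 defines only the record format: each item is a 16-bit address family (1 = IPv4, 2 = IPv6), an 8-bit prefix length, a negation bit plus a 7-bit AFDLENGTH, and the prefix octets with trailing zero octets omitted, so one record can carry IPv4 and IPv6 prefixes side by side. The prefixes below are documentation ranges, and the lookup rule ("first matching item wins, a negated item means explicitly excluded") is this example's assumption, not something the RFC specifies.

```python
"""Encode and decode the DNS APL record (RFC 3123, type 42) and use it as a
mixed IPv4/IPv6 prefix list. Added example, not the poster's code.
Assumption: the lookup rule in apl_lookup() is ours; RFC 3123 defines the
record format only. Sample prefixes are RFC 5737 / RFC 3849 documentation ranges."""
import ipaddress
import struct

AF_IPV4, AF_IPV6 = 1, 2                      # IANA address family numbers
NET_CLASS = {AF_IPV4: ipaddress.IPv4Network, AF_IPV6: ipaddress.IPv6Network}
FAMILY_OF = {4: AF_IPV4, 6: AF_IPV6}
ADDR_LEN = {AF_IPV4: 4, AF_IPV6: 16}


def encode_apl(items):
    """items: iterable of (negated, "prefix/len") -> APL RDATA bytes.
    Wire item: ADDRESSFAMILY(16) PREFIX(8) N(1)+AFDLENGTH(7) AFDPART."""
    out = bytearray()
    for negated, text in items:
        net = ipaddress.ip_network(text, strict=True)
        afd = net.network_address.packed.rstrip(b"\x00")  # RFC 3123: trailing zero octets omitted
        out += struct.pack("!HBB", FAMILY_OF[net.version], net.prefixlen,
                           (0x80 if negated else 0) | len(afd))
        out += afd
    return bytes(out)


def decode_apl(rdata):
    """APL RDATA bytes -> list of (negated, ip_network). Raises ValueError on malformed input."""
    items, pos = [], 0
    while pos < len(rdata):
        if len(rdata) - pos < 4:
            raise ValueError("truncated APL item header")
        family, prefix, n_len = struct.unpack_from("!HBB", rdata, pos)
        pos += 4
        negated, afdlength = bool(n_len & 0x80), n_len & 0x7F
        if family not in ADDR_LEN:
            raise ValueError(f"unknown address family {family}")
        full = ADDR_LEN[family]
        if afdlength > full or len(rdata) - pos < afdlength:
            raise ValueError("bad AFDLENGTH")
        afd = rdata[pos:pos + afdlength]
        pos += afdlength
        if afd and afd[-1] == 0:
            raise ValueError("AFDPART carries a trailing zero octet")
        # strict=True rejects an AFDPART with bits set beyond PREFIX (host bits)
        net = NET_CLASS[family]((afd + b"\x00" * (full - afdlength), prefix), strict=True)
        items.append((negated, net))
    return items


def is_valid_apl(rdata):
    """True if rdata decodes cleanly, False for any malformed item."""
    try:
        decode_apl(rdata)
        return True
    except ValueError:
        return False


def apl_to_text(items):
    """RFC 3123 presentation format, e.g. '1:192.0.2.0/24 !2:2001:db8::/32'."""
    return " ".join(f"{'!' if neg else ''}{FAMILY_OF[net.version]}:{net}" for neg, net in items)


def apl_lookup(items, address):
    """'listed', 'excluded' or None for the first item covering address (our rule)."""
    addr = ipaddress.ip_address(address)
    for negated, net in items:
        if addr.version == net.version and addr in net:
            return "excluded" if negated else "listed"
    return None


if __name__ == "__main__":
    # Constructed list: an IPv4 range, an IPv6 /32, and an excluded IPv6 /48 inside it.
    rdata = encode_apl([(False, "192.0.2.0/24"), (True, "2001:db8:1::/48"), (False, "2001:db8::/32")])
    items = decode_apl(rdata)
    print(rdata.hex(), "->", apl_to_text(items))
    for probe in ("192.0.2.77", "2001:db8:1::5", "2001:db8:ffff::1", "198.51.100.1"):
        print(f"{probe:<18} {apl_lookup(items, probe)}")
```

The point of the trailing-zero rule and the strict network check is that a consumer of such a list can reject an item whose prefix bits disagree with its stated length instead of silently widening or narrowing a block.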




Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)

2008-06-23 Thread Steven Champeon
on Sun, Jun 22, 2008 at 01:24:43PM -0500, Al Iverson wrote:
> I'm not going to pretend I manage inbound mail service for
> thousands-to-millions of users (as most of the participants of other
> lists like SPAM-L are fond of imagining themselves), but I know enough
> about how IP reputation systems work at ISPs to know that if I did
> manage inbound mail for such a userbase, the EC2 IPs would be blocked
> repeatedly and often, and there would come a point where the blocks
> escalate to /24s and larger, and there would come a point where the
> blocks are removed slower and less often.

I don't pretend to manage inbound mail service for more than dozens, but
I do provide a service via enemieslist that is indirectly used by
millions, and out of the over 32K rDNS naming conventions I've
catalogued and classified, in terms of their dynamicity/staticity/etc.,
only four are related to Amazon/EC2.

Now, if the entire 'Net moved to a cloud computing model, I could agree
with Paul that this would be the end of IP reputation. But I'm only
aware of two such services (Amazon EC2 and Media Temple's
gridserver.com) in widespread use, so I haven't bothered to come up with
a new classification for them, and treat them as essentially dynamic
(with gridserver.com also classified as 'webhost').

I moved away from the strictly IP-based reputation model several years
ago (though I still use DNSBLs as a practical tool), and instead treat
classes of IPs as a set about which certain reputation-ish qualities can
be asserted, which works very well in a scoring-style context.

Steve

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/
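An added example of the scoring-style approach described in this message (not the poster's code and not enemieslist), which also carries the earlier point in the thread that a prefix you have not mapped must not be treated as good: a connecting host is assigned a class from its rDNS naming convention first and a prefix table second, each class starts a set distance from the reject threshold, a DNSBL listing adds to the score, and an address outside every known class lands on a neutral "unknown" score. Every pattern, prefix, weight and DNSBL answer here is constructed for illustration; the DNSBL lookup name is built the standard way (reversed octets for IPv4, reversed nibbles for IPv6) but the resolver is a stand-in dictionary so the example runs offline.

```python
"""Class-based address reputation scoring. Added example, not the poster's
code and not enemieslist. Classes come from rDNS naming conventions, then from
a prefix table; unmapped prefixes score as 'unknown', not as good. All
patterns, prefixes, weights and DNSBL answers below are constructed
(RFC 5737 / RFC 3849 documentation ranges)."""
import ipaddress
import re

# Constructed rDNS naming conventions -> class. The first mimics the
# ec2-a-b-c-d.compute-1.amazonaws.com form; the others are invented.
RDNS_CLASSES = [
    (re.compile(r"^ec2-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.compute-1\.amazonaws\.com$", re.I), "cloud"),
    (re.compile(r"^\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.dyn\.example-isp\.net$", re.I), "dynamic"),
    (re.compile(r"^(mx|mail|smtp)\d*\.[a-z0-9.-]+$", re.I), "static-mail"),
]

# Constructed prefix table -> class, consulted only when rDNS gives no class.
PREFIX_CLASSES = [
    (ipaddress.ip_network("192.0.2.0/24"), "cloud"),
    (ipaddress.ip_network("2001:db8::/32"), "cloud"),
    (ipaddress.ip_network("198.51.100.0/24"), "region-low"),   # low share of legitimate traffic
    (ipaddress.ip_network("203.0.113.0/24"), "region-high"),   # high share of legitimate traffic
]

# Starting score per class: how close to the reject threshold the class begins.
BASE_SCORE = {"dynamic": 4.0, "cloud": 3.0, "region-low": 2.0,
              "static-mail": 0.5, "region-high": 0.0, "unknown": 1.0}
DNSBL_HIT = 3.0
REJECT_AT = 5.0


def classify(ip, rdns=None):
    """Reputation class for ip (str), using its rDNS name first, then the prefix table."""
    if rdns:
        for pattern, cls in RDNS_CLASSES:
            if pattern.match(rdns.rstrip(".")):
                return cls
    addr = ipaddress.ip_address(ip)
    for net, cls in PREFIX_CLASSES:
        if addr.version == net.version and addr in net:
            return cls
    return "unknown"   # a prefix we have not mapped is not "good"


def dnsbl_query_name(ip, zone):
    """DNSBL lookup name: reversed octets for IPv4, reversed nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def score(ip, rdns, zone, resolver):
    """Score one connection. resolver(name) -> True if the DNSBL lists name.
    Returns (total, class, reasons)."""
    cls = classify(ip, rdns)
    total = BASE_SCORE[cls]
    reasons = [f"class={cls}:{total:+.1f}"]
    if resolver(dnsbl_query_name(ip, zone)):
        total += DNSBL_HIT
        reasons.append(f"dnsbl={zone}:{DNSBL_HIT:+.1f}")
    return total, cls, reasons


def verdict(total):
    return "reject" if total >= REJECT_AT else "accept"


# Constructed stand-in for DNS: the lookup names the DNSBL would answer for.
FAKE_DNSBL = {"10.2.0.192.dnsbl.example"}


def fake_resolver(name):
    return name in FAKE_DNSBL


if __name__ == "__main__":
    for ip, rdns in [("192.0.2.10", "ec2-192-0-2-10.compute-1.amazonaws.com"),
                     ("192.0.2.11", "ec2-192-0-2-11.compute-1.amazonaws.com"),
                     ("203.0.113.5", "mx1.bank.example"),
                     ("100.64.0.1", None),
                     ("2001:db8::1", None)]:
        total, cls, reasons = score(ip, rdns, "dnsbl.example", fake_resolver)
        print(f"{ip:<14} {cls:<12} {total:4.1f} {verdict(total)}  {' '.join(reasons)}")
```

With these constructed weights a cloud-class host that is also DNSBL-listed crosses the threshold while a clean one from the same class does not, and a host from an unmapped prefix is neither trusted nor rejected; the weights are the knob the thread calls the "break point", and they are meant to be tuned per site, not taken from this example.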



Re: Cloud service [was: RE: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

2008-06-23 Thread Joel Jaeggli

Frank Bulk - iNAME wrote:

When I hear "cloud services" I think "in the network" even though it appears
all these cloud services perform their work at a data center as an
outsourced service.

Is there a vendor that makes a product that performs spam/malware filtering
literally in the network, i.e. as a service provider, can I provide spam
filtering for the enterprises in my customer base by adding a piece of
network gear?  I'm not aware of one today except those who provide
enterprise-oriented gateways like SonicWall.


DPI boxes from a number of vendors can do that sort of thing... whether 
they can do it fast enough to be inline with your compute cloud is 
another question entirely.


That said, the result is fairly perilous when rejecting a message 
involves forging packets. And of course TLS-supporting MTAs will be 
opaque to the network traffic inspecting device.



Frank

-Original Message-
From: Roland Dobbins [mailto:[EMAIL PROTECTED] 
Sent: Sunday, June 22, 2008 9:20 PM

To: [EMAIL PROTECTED]
Subject: Re: EC2 and GAE means end of ip address reputation industry? (Re:
Intrustion attempts from Amazon EC2 IPs)

 


This is far different from free email Google or Hotmail - these cloud
services (EC2, Mosso, Slicehost, Terremark's Enterprise Cloud,
Telstra's new service, AppEngine, et.al.) are where many popular new
Internet applications will live, and, even more significantly, where
an increasing amount large-scale enterprise computing (like banking,
pharma, government, and so forth) will take place.

I foresee interesting times ahead.

---
Roland Dobbins <[EMAIL PROTECTED]> // +66.83.266.6344 mobile

  History is a great teacher, but it also lies with impunity.

-- John Robb









RE: Cloud service [was: RE: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

2008-06-23 Thread Frank Bulk
Interesting.  I was more thinking of the Turntide approach which operates
within the network stream than Mailchannels which appears to operate on the
same server as the MTA, but in front of it. 

Frank

-Original Message-
From: Suresh Ramasubramanian [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 23, 2008 9:16 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Cloud service [was: RE: EC2 and GAE means end of ip address
reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

On Mon, Jun 23, 2008 at 6:01 PM, Frank Bulk - iNAME <[EMAIL PROTECTED]>
wrote:
> Is there a vendor that makes a product that performs spam/malware filtering
> literally in the network, i.e. as a service provider, can I provide spam
> filtering for the enterprises in my customer base by adding a piece of
> network gear?  I'm not aware of one today except those who provide
> enterprise-oriented gateways like SonicWall.

Symantec Mail Security / Turntide
Mailchannels Traffic Control

--srs

--
Suresh Ramasubramanian ([EMAIL PROTECTED])




RE: Cloud service [was: RE: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

2008-06-23 Thread Frank Bulk
Thanks.  Even with TLS, the destination port (either 25 or 365) is
well-known, right, as is the source IP?  At the minimum RBLs could be used
for that encrypted traffic.  

Frank 

-Original Message-
From: Joel Jaeggli [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 23, 2008 2:20 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Cloud service [was: RE: EC2 and GAE means end of ip address
reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]



DPI boxes from a number of vendors can do that sort of thing... whether
they can do it fast enough to be inline with your compute cloud is
another question entirely.

That said, the result is fairly perilous when rejecting a message
involves forging packets. And of course TLS-supporting MTAs will be
opaque to the network traffic inspecting device.





Re: smstools and CDMA

2008-06-23 Thread Mr. James W. Laferriere

Hello Kevin ,

On Sat, 21 Jun 2008, Kevin Blackham wrote:

And in my experience (many years back), a Nokia handset would start
draining its UPS as soon as it got a full charge, requiring daily
reseat of the supply cord. YMMV so test and retest.

On 6/21/08, Phil Regnauld <[EMAIL PROTECTED]> wrote:

Douglas K. Rand (rand) writes:


Phil>Alternatively, have you considered a Nokia handset with Gnokii ?

No, not really. I was thinking that a "modem" would be a little more
robust and easier to deal with in the rack than a handset would be. If
I'm given a choice, I think I'd stay away from a handset, but I may
not have a choice.  :)


Think about it: mobile handsets have built-in UPSes :)


If that s/b the case try using a Power Timer ie: something like ,

http://www.simplyhydroponics.com/24hr_digital_timer.htm ,

And program it to turn off once a week for 2-3 minutes .

Hth ,  JimL
--
+--+
| James   W.   Laferriere | SystemTechniques | Give me VMS |
| Network&System Engineer | 2133McCullam Ave |  Give me Linux  |
| [EMAIL PROTECTED] | Fairbanks, AK. 99701 |   only  on  AXP |
+--+



Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)

2008-06-23 Thread Valdis . Kletnieks
On Mon, 23 Jun 2008 14:28:04 EDT, Steven Champeon said:
> Now, if the entire 'Net moved to a cloud computing model, I could agree
> with Paul that this would be the end of IP reputation. But I'm only
> aware of two such services (Amazon EC2 and Media Temple's
> gridserver.com) in widespread use, so I haven't bothered to come up with
> a new classification for them, and treat them as essentially dynamic
> (with gridserver.com also classified as 'webhost').

One could argue that the "botnets for rent" business model is in more widespread
use than either EC2 or gridserver...

I'm unclear whether that statement needs a smiley or not...





Techniques for passive traffic capturing

2008-06-23 Thread Ross Vandegrift
Hello everyone,

Over the past two years, there's been a trend toward doing more and
more analysis and reporting based on passive traffic analysis.

We started out using SPAN sessions to produce an extra copy of all of
our transit links for these purposes.  But the Cisco limits of two
SPAN sessions per device (on our platforms) is a major limitation.

Does anyone have a better solution for more flexible data collection?

I've been thinking about a move to a system based on optical taps of
each of the links.  I'd aggregate these links into something like a
3750 and use remote-span VLANs to pass the traffic onto servers that
are sniffing on their interface on that 3750.  Do products like the
NetOptics Matrix Switches offer a substantial advantage?

Comments or suggestions?


-- 
Ross Vandegrift
[EMAIL PROTECTED]

"The good Christian should beware of mathematicians, and all those who
make empty prophecies. The danger already exists that the mathematicians
have made a covenant with the devil to darken the spirit and to confine
man in the bonds of Hell."
--St. Augustine, De Genesi ad Litteram, Book II, xviii, 37



Re: Cloud service [was: RE: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

2008-06-23 Thread Joel Jaeggli

Frank Bulk wrote:

Thanks.  Even with TLS, the destination port (either 25 or 365) is
well-known, right, as is the source IP? 


And 587, though that's generally your customers, who are going to authenticate.


At the minimum RBLs could be used
for that encrypted traffic.  


Yeah, given that at that point you're basically filtering by IP again, you 
can do that with a BGP community. That's not really SMTP filtering anymore.


Frank 


-Original Message-
From: Joel Jaeggli [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 23, 2008 2:20 PM

To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Cloud service [was: RE: EC2 and GAE means end of ip address
reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]



DPI boxes from a number of vendors can do that sort of thing... whether
they can do it fast enough to be inline with your compute cloud is
another question entirely.

That said, the result is fairly perilous when rejecting a message
involves forging packets. And of course TLS-supporting MTAs will be
opaque to the network traffic inspecting device.







Re: Cloud service [was: RE: EC2 and GAE means end of ip addressreputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

2008-06-23 Thread Ken Simpson
On Mon, Jun 23, 2008 at 6:01 PM, Frank Bulk - iNAME <[EMAIL PROTECTED]> wrote:
> Is there a vendor that makes a product that performs spam/malware filtering
> literally in the network, i.e. as a service provider, can I provide spam
> filtering for the enterprises in my customer base by adding a piece of
> network gear?  I'm not aware of one today except those who provide
> enterprise-oriented gateways like SonicWall.

Symantec Mail Security / Turntide
Mailchannels Traffic Control

--srs


BTW, we CAN do "in the cloud" email traffic shaping - on EC2,  
ironically. But also on your own equipment if that's your preference.


Regards,
Ken

--
Ken Simpson
CEO

MailChannels - Reliable Email Delivery
http://mailchannels.com
604 685 7488 tel







Re: EC2 and GAE means end of ip address reputation industry? (Re:

2008-06-23 Thread Paul Vixie
[EMAIL PROTECTED] writes:

> One could argue that the "botnets for rent" business model is in more
> widespread use than either EC2 or gridserver...
> 
> I'm unclear whether that statement needs a smiley or not...

i'd say that since EC2 won't be shut down when it's found out about, that
you need a smiley.  "widespread use" is too narrow a term.  none of us
expects white-hat e-commerce business to move into rented botnets, and
rented botnets aren't all going to be in the same address space or ASN.
-- 
Paul Vixie



Re: Techniques for passive traffic capturing

2008-06-23 Thread Nathan Ward

On 24/06/2008, at 8:32 AM, Ross Vandegrift wrote:

I've been thinking about a move to a system based on optical taps of
each of the links.  I'd aggregate these links into something like a
3750 and use remote-span VLANs to pass the traffic onto servers that
sniffing on their interface on that 3750.  Do products like the
NetOptics Matrix Switches offer a substantial advantage?

Comments or suggestions?




I see little point in aggregating tapped traffic, unless you have only  
a small amount of it and you're doing it to save cost on monitoring  
network interfaces - but is that saved cost still a saving when you  
factor in the cost of the extra 3750s in the middle? I'd guess no.


Depending on how well saturated your circuits are, get double- or  
quad- GE network cards (Intel make some fixed ones, there are others  
that take SFPs and fat GBICs) and plug them directly in to the optical  
taps. If you need your monitoring equipment a distance from the  
optical taps, use netoptic's regeneration taps, which split 70/30 and  
then amplify the 30 before sending to your equipment on a different  
floor/whatever.


There are other vendors, I like netoptics because they have cute  
purple optical patch leads, provide per-tap specs as tested at the  
factory, and they all worked beautifully out of the box - another  
vendor had a 50% failure rate, I've forgotten who they were though.


A PC with 4 GE optical ports is much simpler and probably more cost  
effective than doing remote span complications.


Note that for a single GE link, you'd need 2GE of remote span backhaul  
(one GE in each direction).


Matrix switches aren't useful for your case, as you're talking about  
monitoring for trending etc. I think. Matrix switches are good when  
you have lots of links, and want to be able to switch between them. Is  
the cost of matrix switch ports worth the saving in GE interfaces on  
PCs?


Netoptics have taps that aggregate several links in to one monitoring  
feed. Not really cost effective when the cost of a single GE network  
interface for a PC is so low.


The above is based on the assumption you're using PCs for monitoring;
the economics of aggregating tap traffic may make more sense if you're
using some fancy monitoring platform.


If you find that you need lots of GE interfaces per PC or something,  
and are saturating the PCI bus, look at DAG cards from Endace. They're  
designed for passive monitoring, and will send you only headers and do  
BPF in hardware. I looked at these for a similar project, but didn't  
bother as it was cheaper to buy more PC chassis' and commodity GE  
cards. They can do 10GE monitoring, so if you need several 10GE's per  
chassis I'd recommend these.



--
Nathan Ward







Re: Australian Co-Lo

2008-06-23 Thread Julien Goodwin
On 24/06/08 01:04, Martin Barry wrote:
> $quoted_author = "Bernard Becker" ;
>> Looking for recommendations for carrier neutral co-lo facility for Melbourne
>> Australia. Our searches so far seem to turn up sites either on Telstra or
>> Optus affiliated co-lo facilities. We need to be in a carrier neutral space
>> with access to any of the major providers.
> 
> This was created by a SAGE-AU member in response to a similar request.
> 
> http://maps.google.com/maps/ms?msa=0&msid=117984623075363696099.000439d39e1c7bd8d46c2&ie=UTF8&z=12

In addition to those there's the PIPE and AAPT

http://www.pipenetworks.com/Telehousing/locations.shtml

http://aaptbusiness.com.au/business/products/Hosting/Co2DlocationServices.cfm?o=214

Both are ISP's, but have extensive cross connections.

We currently use AAPT (10+ racks in Richmond), and I've previously used
Global Center and been happy with both.



RE: Cloud service [was: RE: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

2008-06-23 Thread Frank Bulk - iNAME
Ken:

Thanks for the info, but that still requires the domain owner to change
their MX records.  I was wondering if there was something that could
literally be placed in the flow of traffic, like an FWSM in transparent
mode.

Frank

-Original Message-
From: Ken Simpson [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 23, 2008 5:23 PM
To: nanog@nanog.org
Subject: Re: Cloud service [was: RE: EC2 and GAE means end of ip
addressreputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)] 

> On Mon, Jun 23, 2008 at 6:01 PM, Frank Bulk - iNAME  iname.com> wrote:
> > Is there a vendor that makes a product that performs spam/malware
> > filtering literally in the network, i.e. as a service provider, 
> > can I provide spam filtering for the enterprises in my customer 
> > base by adding a piece of network gear?  I'm not aware of one 
> > today except those who provide enterprise-oriented gateways like 
> > SonicWall.
>
> Symantec Mail Security / Turntide
> Mailchannels Traffic Control
>
> --srs

BTW, we CAN do "in the cloud" email traffic shaping - on EC2,
ironically. But also on your own equipment if that's your preference.

Regards,
Ken

--
Ken Simpson
CEO

MailChannels - Reliable Email Delivery
http://mailchannels.com
604 685 7488 tel









RE: Cloud service [was: RE: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

2008-06-23 Thread Frank Bulk - iNAME
Right, port 587 would require SMTP authentication.

I'm no routing expert, but can tens of thousands of /32s be excluded using
BGP communities?  

I don't know if spammers are going to be using TLS in a big way soon, though
I'll admit I've not measured.  As long as TLS usage is low, examining TCP port
25 traffic would likely be effective without redirecting SMTP traffic and
making it effective for all customers downstream.

Frank

-Original Message-
From: Joel Jaeggli [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 23, 2008 4:06 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Cloud service [was: RE: EC2 and GAE means end of ip address
reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

Frank Bulk wrote:
> Thanks.  Even with TLS, the destination port (either 25 or 365) is
> well-known, right, as is the source IP?

And 587, though that's generally your customers, who are going to authenticate.

> At the minimum RBLs could be used
> for that encrypted traffic.

Yeah, given that at that point you're basically filtering by ip again, you
can do that with a bgp community. That's not really smtp filtering anymore.

> Frank
>
> -Original Message-
> From: Joel Jaeggli [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2008 2:20 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Cloud service [was: RE: EC2 and GAE means end of ip address
> reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]
>
> 
>
> dpi boxes from a number of vendors can do that sort of thing... whether
> they can do it fast enough to be inline with your compute cloud is
> another question entirely.
>
> That said the result is fairly perilous when rejecting a message
> involves forging packets. and of course tls supporting mta's will be
> opaque to the network traffic inspecting device.





Re: Cloud service [was: RE: EC2 and GAE means end of ip addressreputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

2008-06-23 Thread Suresh Ramasubramanian
On Mon, Jun 23, 2008 at 11:14 PM, Tomas L. Byrnes <[EMAIL PROTECTED]> wrote:
> Barracuda, or you could build the exact same thing using OSS.
>
> Procmail, SpamAssassin, ClamAV, and your choice of RBLs (or use
> Karmasphere to custom roll a hybrid one).

Hate to point out the obvious, but ... That isn't "network gear" as such.

It is an appliance that'll require repointing of MX records

srs



APNIC dns glitch ?

2008-06-23 Thread Danny Thomas

I thought I'd sent this a couple of hours ago
APNIC are aware of the problem and
things have partially recovered though the arin and ripe
name-servers still SERVFAIL

the second run of our delegation-checking script this morning
started complaining about our 203.in-addr zones and it seems
there is an issue with apnic.net

the delegation shows 4 entries spread across 3 domains which
is good, albeit all are under the same registry.

Sometimes cumin.apnic.net and tinnie.apnic.net. are not
reachable, or give a REFUSED response, or give a response
with no A records nor any additional section.

Unfortunately both tinnie.arin.net and ns-sec.ripe.net
return SERVFAIL, as if they had not been able to perform
a zone transfer for a while (assuming AXFR is the replication
mechanism).

I don't have ipv6 connectivity, but that's not likely to help.

I don't think this will significantly impact reverse dns
lookups as I think the dns is spread across other RIR's

seems there was a different type of issue in May
http://www.bauani.org/thinkings/2008/05/issue-with-apnic-dns-nameservers.html

Danny Thomas


# dig @I.GTLD-SERVERS.net apnic.net +norec

; <<>> DiG 9.4.2 <<>> @I.GTLD-SERVERS.net apnic.net +norec
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5460
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 5

;; QUESTION SECTION:
;apnic.net. IN  A

;; AUTHORITY SECTION:
apnic.net.  172800  IN  NS  cumin.apnic.net.
apnic.net.  172800  IN  NS  ns-sec.ripe.net.
apnic.net.  172800  IN  NS  tinnie.apnic.net.
apnic.net.  172800  IN  NS  tinnie.arin.net.

;; ADDITIONAL SECTION:
cumin.apnic.net.    172800  IN  A     202.12.29.59
ns-sec.ripe.net.    172800  IN  A     193.0.0.196
ns-sec.ripe.net.    172800  IN  AAAA  2001:610:240:0:53::4
tinnie.apnic.net.   172800  IN  A     202.12.29.60
tinnie.arin.net.    172800  IN  A     168.143.101.18


# dig @202.12.29.59 apnic.net any +norec

; <<>> DiG 9.4.2 <<>> @202.12.29.59 apnic.net any +norec
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 33930
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0



# dig @202.12.29.59 apnic.net any

; <<>> DiG 9.4.2 <<>> @202.12.29.59 apnic.net any
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40744
;; flags: qr aa rd; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;apnic.net. IN  ANY

;; ANSWER SECTION:
apnic.net.  3600  IN  SOA  cumin.apnic.net. dns-admin.apnic.net. 2008062101 3600 1800 604800 3600
apnic.net.  3600  IN  NS   cumin.apnic.net.
apnic.net.  3600  IN  NS   ns-sec.ripe.net.
apnic.net.  3600  IN  NS   tinnie.arin.net.
apnic.net.  3600  IN  NS   tinnie.apnic.net.
apnic.net.  3600  IN  MX   10 kombu.apnic.net.
apnic.net.  3600  IN  MX   25 karashi.apnic.net.
apnic.net.  3600  IN  MX   35 fennel.apnic.net.

;; Query time: 3 msec
;; SERVER: 202.12.29.59#53(202.12.29.59)
;; WHEN: Tue Jun 24 10:35:13 2008
;; MSG SIZE  rcvd: 235



# dig @193.0.0.196 apnic.net any +norec

; <<>> DiG 9.4.2 <<>> @193.0.0.196 apnic.net any +norec
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37668
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;apnic.net. IN  ANY




# dig @168.143.101.18 apnic.net ns

; <<>> DiG 9.4.2 <<>> @168.143.101.18 apnic.net ns
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41014
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;apnic.net. IN  NS





Re: Techniques for passive traffic capturing

2008-06-23 Thread Kevin Kadow
We started out with SPAN ports, then moved on to Netoptics taps.

Lately we've been using a combination of Cisco Netflow (from remote routers),
and native Argus flows (from local taps) where we need more details.

Flows are useful to answer "What happened X minutes/hours/days ago?",
and where you do not need/want to capture full packet bodies
(though with Argus you can choose whether to include payload data).

http://qosient.com/argus/
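As an added example, not Argus or NetFlow code, here is the flow abstraction Kevin describes built from raw packet headers in Python: bidirectional five-tuple records with byte and packet counts per direction, idle-timeout expiry so a reused port pair becomes a new record, and the time-window query that answers "what happened X minutes ago". The packet headers and the 60-second idle timeout are constructed assumptions, not captured traffic.

```python
"""Flow records from packet headers (added example; not Argus or NetFlow code).

Packet headers below are constructed, not captured; the idle timeout is an
assumed value chosen for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

IDLE_TIMEOUT = 60.0  # seconds of silence after which the same 5-tuple starts a new flow

# (timestamp, src_ip, src_port, dst_ip, dst_port, proto, ip_bytes, tcp_flags)
Packet = Tuple[float, str, int, str, int, str, int, str]

PACKETS: List[Packet] = [
    (1000.0, "10.0.0.5", 40001, "192.0.2.10", 25, "tcp", 60, "S"),
    (1000.1, "192.0.2.10", 25, "10.0.0.5", 40001, "tcp", 60, "SA"),
    (1000.2, "10.0.0.5", 40001, "192.0.2.10", 25, "tcp", 52, "A"),
    (1000.5, "10.0.0.5", 40001, "192.0.2.10", 25, "tcp", 1500, "PA"),
    (1002.0, "10.0.0.5", 40001, "192.0.2.10", 25, "tcp", 52, "FA"),
    (1200.0, "10.0.0.7", 53210, "198.51.100.1", 53, "udp", 70, ""),
    (1200.05, "198.51.100.1", 53, "10.0.0.7", 53210, "udp", 200, ""),
    # same 5-tuple as the first session but long after it went idle: a new flow
    (1900.0, "10.0.0.5", 40001, "192.0.2.10", 25, "tcp", 60, "S"),
]


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    start: float
    end: float
    fwd_pkts: int = 0
    fwd_bytes: int = 0
    rev_pkts: int = 0
    rev_bytes: int = 0
    flags: Set[str] = field(default_factory=set)  # union of TCP flags seen in either direction

    def add(self, pkt: Packet) -> None:
        ts, src, sport, _, _, _, nbytes, flags = pkt
        if (src, sport) == (self.src, self.sport):  # initiator -> responder
            self.fwd_pkts += 1
            self.fwd_bytes += nbytes
        else:                                       # responder -> initiator
            self.rev_pkts += 1
            self.rev_bytes += nbytes
        self.end = ts
        self.flags.update(flags)


def _key(pkt: Packet):
    """Direction-independent key so both halves of a conversation share one flow."""
    _, src, sport, dst, dport, proto, _, _ = pkt
    return (tuple(sorted([(src, sport), (dst, dport)])), proto)


def build_flows(packets: List[Packet], idle_timeout: float = IDLE_TIMEOUT) -> List[Flow]:
    """Aggregate headers into bidirectional flows; the first packet seen fixes the forward direction."""
    active: Dict[tuple, Flow] = {}
    done: List[Flow] = []
    for pkt in sorted(packets, key=lambda p: p[0]):
        ts, src, sport, dst, dport, proto, _, _ = pkt
        k = _key(pkt)
        flow = active.get(k)
        if flow is not None and ts - flow.end > idle_timeout:
            done.append(active.pop(k))  # expire the stale record, start a fresh one
            flow = None
        if flow is None:
            flow = active[k] = Flow(src, sport, dst, dport, proto, ts, ts)
        flow.add(pkt)
    done.extend(active.values())
    return sorted(done, key=lambda f: f.start)


def flows_between(flows: List[Flow], t0: float, t1: float) -> List[Flow]:
    """Flows alive at any point in [t0, t1]: the 'what happened X minutes ago' query."""
    return [f for f in flows if f.start <= t1 and f.end >= t0]


if __name__ == "__main__":
    for f in build_flows(PACKETS):
        print(f"{f.start:8.2f}-{f.end:8.2f} {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport} "
              f"fwd {f.fwd_pkts}/{f.fwd_bytes}B rev {f.rev_pkts}/{f.rev_bytes}B flags {''.join(sorted(f.flags))}")
```

Each record is a few dozen bytes regardless of how much payload crossed the tap, which is why flows are the cheap way to keep weeks of "who talked to whom" history next to a much shorter window of full packets.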



Re: Cloud service [was: RE: EC2 and GAE means end of ip addressreputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

2008-06-23 Thread Adrian Chadd
On Tue, Jun 24, 2008, Suresh Ramasubramanian wrote:

> Hate to point out the obvious, but ... That isn't "network gear" as such.
> 
> It is an appliance that'll require repointing of MX records

Please don't tell my test kit at home; Cisco WCCPv2 redirects TCP/25 as easily
as it does TCP/80(*1). No MX rejiggery required.




Adrian

*1: unless you're the lucky owner of specially crafted gems like the Catalyst
3550 - WCCPv2 is limited to port 80 only ..



Happy 25th birthday for DNS

2008-06-23 Thread Hank Nussbacher

http://www.wired.com/science/discoveries/news/2008/06/dayintech_0623

June 23, 1983: DNS Test Sets Stage for Internet Growth

1983: Paul Mockapetris and Jon Postel run the first successful test of the 
automated, distributed Domain Name System. DNS will lay the foundation for 
the massive expansion, popularization and commercialization of the 
internet.


...

Thanks Paul & Jon!

-Hank



Re: Cloud service [was: RE: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

2008-06-23 Thread Christopher Morrow
On Mon, Jun 23, 2008 at 10:31 PM, Frank Bulk - iNAME <[EMAIL PROTECTED]> wrote:
> Ken:
>
> Thanks for the info, but that still requires the domain owner to change
> their MX records.  I was wondering if there was something that could
> literally be placed in the flow of traffic, like an FWSM in transparent
> mode.
>

That probably depends a lot on the topology in question... Doing it on
'ethernet' is far different from doing it on T1 over ATM or
channelized oc-48... A Checkpoint FW can do this sort of thing with a
'security server' (though performance is certainly a question...).

I think you're also always stuck in a store-and-forward mode so 'on
the wire' isn't really helpful for SMTP, often you can't make a
decision about an email without getting a large portion of it down, so
snuffing connections mid-stream isn't going to help your email infra
very much :(

-Chris

> Frank
>
> -Original Message-
> From: Ken Simpson [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2008 5:23 PM
> To: nanog@nanog.org
> Subject: Re: Cloud service [was: RE: EC2 and GAE means end of ip
> addressreputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]
>
>> On Mon, Jun 23, 2008 at 6:01 PM, Frank Bulk - iNAME > iname.com> wrote:
>> > Is there a vendor that makes a product that performs spam/malware
>> > filtering literally in the network, i.e. as a service provider,
>> > can I provide spam filtering for the enterprises in my customer
>> > base by adding a piece of network gear?  I'm not aware of one
>> > today except those who provide enterprise-oriented gateways like
>> > SonicWall.
>>
>> Symantec Mail Security / Turntide
>> Mailchannels Traffic Control
>>
>> --srs
>
> BTW, we CAN do "in the cloud" email traffic shaping - on EC2,
> ironically. But also on your own equipment if that's your preference.
>
> Regards,
> Ken
>
> --
> Ken Simpson
> CEO
>
> MailChannels - Reliable Email Delivery
> http://mailchannels.com
> 604 685 7488 tel



Re: Cloud service [was: RE: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

2008-06-23 Thread Joel Jaeggli

Frank Bulk - iNAME wrote:

> Right, port 587 would require SMTP authentication.
>
> I'm no routing expert, but can tens of thousands of /32s be excluded using
> BGP communities?

That sort of depends on how many fib entries you want to burn on not
forwarding traffic...

the argument in this thread however (which I more or less subscribe to)
is that in the future an ip address is insufficient granularity for mail
/badness filtering. Frankly it's not just computer clouds but also
address pressure, a million hosts behind a /24 are going to be rather
hard to pick out one at a time. ultimately the ability to blackhole based
on something as gross as the source ip address is going to be
insufficiently fine grained for devices that must accept connections
from the internet at large.

> I don't know if spammers are going to be using TLS in a big way soon, though
> I'll admit I've not measured.

A couple years ago, when my former employer turned on tls support on the
outwardly facing mta's about 10% of our incoming smtp connections
immediately started using it after ehlo. That's not something I've kept
track of but I imagine it's an issue.

> As long as TLS usage is low, examining TCP port
> 25 traffic would likely be effective without redirecting SMTP traffic and
> making it effective for all customers downstream.
>
> Frank
>
> -Original Message-
> From: Joel Jaeggli [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2008 4:06 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Cloud service [was: RE: EC2 and GAE means end of ip address
> reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]
>
> Frank Bulk wrote:
>
>> Thanks.  Even with TLS, the destination port (either 25 or 365) is
>> well-known, right, as is the source IP?
>
> And 587, though that's generally your customers, who are going to authenticate.
>
>> At the minimum RBLs could be used
>> for that encrypted traffic.
>
> Yeah, given that at that point you're basically filtering by ip again, you
> can do that with a bgp community. That's not really smtp filtering anymore.
>
>> Frank
>>
>> -Original Message-
>> From: Joel Jaeggli [mailto:[EMAIL PROTECTED]
>> Sent: Monday, June 23, 2008 2:20 PM
>> To: [EMAIL PROTECTED]
>> Cc: [EMAIL PROTECTED]
>> Subject: Re: Cloud service [was: RE: EC2 and GAE means end of ip address
>> reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]
>>
>> dpi boxes from a number of vendors can do that sort of thing... whether
>> they can do it fast enough to be inline with your compute cloud is
>> another question entirely.
>>
>> That said the result is fairly perilous when rejecting a message
>> involves forging packets. and of course tls supporting mta's will be
>> opaque to the network traffic inspecting device.










Re: Cloud service [was: RE: EC2 and GAE means end of ip

2008-06-23 Thread Joel M Snyder

> Date: Mon, 23 Jun 2008 20:47:17 -0700
> From: Joel Jaeggli <[EMAIL PROTECTED]>
> Subject: Re: Cloud service [was: RE: EC2 and GAE means end of ip
> address reputation  industry? (Re: Intrustion attempts from Amazon
> EC2
> IPs)]
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> the argument in this thread however (which I more or less subscribe to)
> is that in the future an ip address is insufficient granularity for mail
> /badness filtering. Frankly it's not just computer clouds but also
> address pressure, a million hosts behind a /24 are going to be rather
> hard to pick out one at a time. ultimately the ability to blackhole based
> on something as gross as the source ip address is going to be
> insufficiently fine grained for devices that must accept connections
> from the internet at large.

Ummm, probably not as big of a problem as you might think it is.  From the point
of view of an email administrator, those million hosts behind the /24 are all
going to be on the Spamhaus PBL (policy block list) and it doesn't matter
whether there are 10 or 10,000 or 10,000,000 hosts if the ISP has said "these
are residential subscribers and they shouldn't be sending mail."  Whether you
believe in PBL or not, generally, it's going to be end users who are clustered
behind those NATs more so than MTAs.  Similarly, I don't see a huge incentive
for someone to move their MTA to services like EC2--although anti-spam services
'in the cloud' like Postini are very popular, but that's a different issue.

In our month-by-month anti-spam testing over the past 3 years, the number of
unique email senders (MTAs, not individuals mind you) has actually dropped a
bit; if you use the domain name as exposed in HELO/EHLO, it's dropped even more.
While there will always be small MTAs out there handling small numbers of
people, the trend has been to throttle that mail through larger systems.
Sometimes this is done transparently/semi-transparently by the ISP ("you will
send your mail through our SMTP server") using either a simple port 25 block or
something like transparent destination NAT/WCCP.  In other cases, this happens
because small companies are discovering that their oh-so-exciting Exchange
server is more of a pain in the ass than using commercial Gmail or whatever.

SMTP is a special case in this discussion, I'll immediately admit.  The number
of hosts offering up web pages (assuming you want to filter for malware of some
sort) is going nothing but up.  Reputation services will be more challenged in
that environment than in the SMTP environment.

>> I don't know if spammers are going to be using TLS in a big way soon, though
>> I'll admit I've not measured.
>
> A couple years ago, when my former employer turned on tls support on the
> outwardly facing mta's about 10% of our incoming smtp connections
> immediately started using it after ehlo. That's not something I've kept
> track of but I imagine it's an issue.

Today's number for delivery using SSL by our mail cluster is 7% of just shy of
80K messages.  Goes up, goes down, but definitely non-zero.

>> As long as TLS usage is low, examining TCP port
>> 25 traffic would likely be effective without redirecting SMTP traffic and
>> making it effective for all customers downstream.

That actually turns out to be a non-problem from the SMTP point of view.  A
"mean" ISP could simply intercept the response to EHLO and drop out the TLS
capability string.  A "nice" ISP could simply make up a certificate on the fly.
Since SMTP senders don't have a GUI box to click during the SMTP transaction
when a certificate doesn't check out, most (read as: all configured with default
settings) of them simply send anyway even if the certificate smells like
week-old fish.  Put it another way: I ran (accidentally) for two years with an
expired certificate on one of our mail servers and didn't get a single peep
about misbehaving mail.


But most of this discussion has been about reputation services, and of course 
those operate beautifully with or without TLS in the SMTP case.


jms


--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One   Phone: +1 520 324 0494
[EMAIL PROTECTED]http://www.opus1.com/jms
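As an added example (not code from the post, and not any MTA's implementation), here is the sending-side logic in Python that turns the two failure modes Joel describes into something an operator can see: it parses the multi-line EHLO reply, treats a STARTTLS capability that has disappeared from a host that offered it before as a reason to defer rather than silently fall back to cleartext, and makes the certificate-verification outcome a policy decision instead of the default "send anyway". The reply texts, host names and policy flags are constructed.

```python
"""Sending-MTA checks after EHLO (added example; not from the post or any MTA).

The EHLO replies below are constructed; the host names are placeholders.
"""
import re
from typing import Dict, NamedTuple

_LINE = re.compile(r"^(\d{3})([ -])(.*)$")  # code, continuation marker, text

# A normal reply and the same reply with the STARTTLS line removed in transit.
GOOD_REPLY = ("250-mx.example.net Hello client.example.org [192.0.2.1]\r\n"
              "250-SIZE 35882577\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n")
STRIPPED_REPLY = ("250-mx.example.net Hello client.example.org [192.0.2.1]\r\n"
                  "250-SIZE 35882577\r\n250-PIPELINING\r\n250 8BITMIME\r\n")


class EhloReply(NamedTuple):
    code: int
    greeting: str               # first line: server domain plus banner text
    extensions: Dict[str, str]  # keyword (upper-cased) -> parameter text


def parse_ehlo_reply(raw: str) -> EhloReply:
    """Parse an EHLO reply per RFC 5321 4.1.1.1: '250-' lines continue, '250 ' ends.

    Raises ValueError on anything malformed (mixed codes, a continuation marker
    on the last line, a final marker before the last line) rather than guessing.
    """
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l != ""]
    if not lines:
        raise ValueError("empty reply")
    code = None
    greeting = ""
    extensions: Dict[str, str] = {}
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        this_code, sep, text = int(m.group(1)), m.group(2), m.group(3)
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("mixed reply codes %d and %d" % (code, this_code))
        is_last = i == len(lines) - 1
        if (sep == " ") != is_last:
            raise ValueError("continuation marker does not match line position")
        if i == 0:
            greeting = text
        else:
            keyword, _, param = text.partition(" ")
            extensions[keyword.upper()] = param
    return EhloReply(code, greeting, extensions)


def is_well_formed(raw: str) -> bool:
    try:
        parse_ehlo_reply(raw)
        return True
    except ValueError:
        return False


def decide_transport(reply: EhloReply, require_tls: bool, offered_tls_before: bool) -> str:
    """Choose the next step after EHLO.

    'starttls'  - STARTTLS advertised: negotiate it, then apply after_handshake()
    'plaintext' - no STARTTLS, opportunistic policy, no earlier evidence this host offers it
    'defer'     - policy requires TLS, or STARTTLS vanished from a host that used to offer it
                  (the stripped-capability case), so queue and retry instead of sending in clear
    """
    if reply.code != 250:
        return "defer"
    if "STARTTLS" in reply.extensions:
        return "starttls"
    if require_tls or offered_tls_before:
        return "defer"
    return "plaintext"


def after_handshake(cert_verified: bool, require_tls: bool) -> str:
    """Make the certificate check an explicit decision instead of the default 'send anyway'.

    Under a required-TLS policy an unverifiable certificate defers delivery; under an
    opportunistic policy the mail still goes, but the caller gets a distinct result so
    it can log the made-up or expired certificate rather than losing that signal.
    """
    if cert_verified:
        return "send"
    return "defer" if require_tls else "send-and-log"


if __name__ == "__main__":
    for name, raw in (("good", GOOD_REPLY), ("stripped", STRIPPED_REPLY)):
        r = parse_ehlo_reply(raw)
        print(name, sorted(r.extensions), decide_transport(r, False, True))
```

The "offered TLS before" memory is the cheapest defence against the capability-stripping case: a per-destination record of whether STARTTLS was seen on the last successful delivery, consulted before agreeing to a cleartext session.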



RE: Cloud service [was: RE: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

2008-06-23 Thread Frank Bulk - iNAME
Source IP blocking makes up a large portion of today's spam arrest approach,
so we shouldn't discount the CPU benefits of that approach too quickly.

I'm not sure where today's technology is in regards to caching the first 1
to 10kB of a session; once enough information is garnered to block, issue
TCP RSTs.  If it's good, free the contents of the cache.

Frank

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Christopher Morrow
Sent: Monday, June 23, 2008 10:45 PM
To: [EMAIL PROTECTED]
Cc: Ken Simpson; nanog@nanog.org
Subject: Re: Cloud service [was: RE: EC2 and GAE means end of ip address
reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

On Mon, Jun 23, 2008 at 10:31 PM, Frank Bulk - iNAME <[EMAIL PROTECTED]>
wrote:
> Ken:
>
> Thanks for the info, but that still requires the domain owner to change
> their MX records.  I was wondering if there was something that could
> literally be placed in the flow of traffic, like an FWSM in transparent
> mode.
>

That probably depends a lot on the topology in question... Doing it on
'ethernet' is far different from doing it on T1 over ATM or
channelized oc-48... A Checkpoint FW can do this sort of thing with a
'security server' (though performance is certainly a question...).

I think you're also always stuck in a store-and-forward mode so 'on
the wire' isn't really helpful for SMTP, often you can't make a
decision about an email without getting a large portion of it down, so
snuffing connections mid-stream isn't going to help your email infra
very much :(

-Chris

> Frank
>
> -Original Message-
> From: Ken Simpson [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2008 5:23 PM
> To: nanog@nanog.org
> Subject: Re: Cloud service [was: RE: EC2 and GAE means end of ip
> addressreputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]
>
>> On Mon, Jun 23, 2008 at 6:01 PM, Frank Bulk - iNAME > iname.com> wrote:
>> > Is there a vendor that makes a product that performs spam/malware
>> > filtering literally in the network, i.e. as a service provider,
>> > can I provide spam filtering for the enterprises in my customer
>> > base by adding a piece of network gear?  I'm not aware of one
>> > today except those who provide enterprise-oriented gateways like
>> > SonicWall.
>>
>> Symantec Mail Security / Turntide
>> Mailchannels Traffic Control
>>
>> --srs
>
> BTW, we CAN do "in the cloud" email traffic shaping - on EC2,
> ironically. But also on your own equipment if that's your preference.
>
> Regards,
> Ken
>
> --
> Ken Simpson
> CEO
>
> MailChannels - Reliable Email Delivery
> http://mailchannels.com
> 604 685 7488 tel




Re: Australian Co-Lo

2008-06-23 Thread McDonald Richards
AAPT are pretty far from being carrier neutral these days

On Tue, Jun 24, 2008 at 11:34 AM, Julien Goodwin <[EMAIL PROTECTED]>
wrote:

> On 24/06/08 01:04, Martin Barry wrote:
> > $quoted_author = "Bernard Becker" ;
> >> Looking for recommendations for carrier neutral co-lo facility for
> Melbourne
> >> Australia. Our searches so far seem to turn up sites either on Telstra
> or
> >> Optus affiliated co-lo facilities. We need to be in a carrier neutral
> space
> >> with access to any of the major providers.
> >
> > This was created by a SAGE-AU member in response to a similar request.
> >
> >
> http://maps.google.com/maps/ms?msa=0&msid=117984623075363696099.000439d39e1c7bd8d46c2&ie=UTF8&z=12
>
> In addition to those there's the PIPE and AAPT
>
> http://www.pipenetworks.com/Telehousing/locations.shtml
>
>
> http://aaptbusiness.com.au/business/products/Hosting/Co2DlocationServices.cfm?o=214
>
> Both are ISP's, but have extensive cross connections.
>
> We currently use AAPT (10+ racks in Richmond), and I've previously used
> Global Center and been happy with both.
>
>