

Using temporary IPs in the cloud considered harmful - maconic

Here's an amusing hobby:
1. Start Amazon EC2 instances (or any other cloud service)
2. Use something like honeyd to listen on all ports
3. Wait for random activity associated with the previous owner of the EC2 instance to start flowing in.

I stumbled across this by accident after getting flooded by connections from apps.facebook.com, which seems to be trying to interact with a Facebook app that was previously hosted on an IP which I'm now using. Presumably the previous owner of an EC2 instance had a DNS name that resolved to this IP and didn't see the risks of doing so. Remember: the Amazon public IPs are _temporary_ and will be reassigned once the EC2 instance stops or dies.

For the sake of your users' privacy and security, _use Elastic IPs_. Even if the instance dies, the Elastic IP still belongs to you and won't accidentally be reassigned to someone else. When you start up a new instance you can have the Elastic IP assigned to the new instance using ec2-associate-address.
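A defender's check for the dangling-DNS problem the post describes, added here as an example and not part of the original post: it compares a zone's records against the Elastic IPs the account actually holds and flags names still bound to an ephemeral public IP. The inputs are constructed samples in the shape of `aws ec2 describe-addresses` output and a zone export; the function names are this example's own.

```python
import json
import re

# Constructed sample in the JSON shape `aws ec2 describe-addresses` returns;
# an entry without "InstanceId" is an Elastic IP you hold but have not attached.
DESCRIBE_ADDRESSES_JSON = """{"Addresses": [
  {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-1", "InstanceId": "i-0abc"},
  {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-2"}
]}"""

# Constructed zone export as (name, type, value) tuples.
ZONE_RECORDS = [
    ("app.example.com.", "A", "203.0.113.10"),
    ("api.example.com.", "A", "198.51.100.7"),
    ("legacy.example.com.", "CNAME", "ec2-198-51-100-8.compute-1.amazonaws.com."),
    ("www.example.com.", "CNAME", "app.example.com."),
    ("spare.example.com.", "A", "203.0.113.11"),
]

# EC2 public hostnames embed the instance's ephemeral public IP, so a CNAME to
# one is just as tied to that IP as an A record would be.
EC2_PUBLIC_DNS = re.compile(
    r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.[\w.-]*amazonaws\.com\.?$")

def owned_elastic_ips(describe_json):
    """All Elastic IPs allocated to the account, associated or not."""
    return {a["PublicIp"] for a in json.loads(describe_json)["Addresses"]}

def unassociated_elastic_ips(describe_json):
    """Elastic IPs still yours but serving nothing: names pointing here go dark, not to a stranger."""
    return {a["PublicIp"] for a in json.loads(describe_json)["Addresses"]
            if "InstanceId" not in a}

def target_ip(record_type, value):
    """IPv4 that an A record, or a CNAME to an EC2 public hostname, pins a name to; else None."""
    if record_type == "A":
        return value
    match = EC2_PUBLIC_DNS.match(value)
    return ".".join(match.groups()) if match else None

def dangling_records(records, owned):
    """Names bound to a public IP the account does not hold; when that instance stops, the name follows whoever gets the IP next."""
    return [(name, ip) for name, rtype, value in records
            if (ip := target_ip(rtype, value)) is not None and ip not in owned]

if __name__ == "__main__":
    owned = owned_elastic_ips(DESCRIBE_ADDRESSES_JSON)
    for name, ip in dangling_records(ZONE_RECORDS, owned):
        print(f"{name} -> {ip}: not an Elastic IP you own; move it to one")
    for ip in unassociated_elastic_ips(DESCRIBE_ADDRESSES_JSON):
        print(f"{ip}: allocated but unassociated (still yours; ec2-associate-address to reuse)")
```

In-zone CNAMEs such as www -> app are deliberately skipped, since their target's own A record is what gets checked.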
======
brettnak
Am I the only one who gets frustrated by 'considered harmful' titles? Sorry
for being off topic.

EDIT: I'll give you that it's not as bad as the whole (win|fail|this) thing
that's becoming popular.

~~~
slioslat
"x considered harmful" considered harmful

~~~
mschy
<http://meyerweb.com/eric/comment/chech.html>

~~~
ubernostrum
"'x considered harmful' considered harmful" considered harmful.

Also, I have anti-anti-anti-missile-missile-missile missiles.

------
prodigal_erik
For the sake of your users' privacy and security, use TLS (or IPSec) and a
certificate that identifies your server. Anything sent in the clear is
vulnerable to eavesdropping and tampering, whether or not the destination IPv4
address appears to be under your control.

~~~
eli
That's not always practical if you're interacting with another service like
Facebook that won't know to check.

------
tptacek
You should make a web site with examples or a report of the kinds of traffic
you get. I'd do it, and get a zillion hits on it and probably some press
attention, but it's your idea.

You have a really good point.

~~~
viraptor
A cloud version of the Museum of Broken Packets?
<http://lcamtuf.coredump.cx/mobp/> It could be interesting. Especially if you
can identify some random proprietary/custom protocols.

------
wooster
I still get requests to my dedicated server at Softlayer for the Facebook app
which used it before me. I've had the server since mid-2008. Really, this
seems like a problem on Facebook's side.

The bigger problem is trying to run a mail server on EC2. You can't, really,
as a lot of providers are still doing (stupid) IP based filtering.

~~~
qjz
I've been permanently blocking all connections from any AWS/EC2 netblock I
identify after an initial exploit attempt. I much prefer temporary blocks
triggered by bad behaviour, but the constant onslaught from AWS finally got to
be too much. In the last several months, blocking AWS has done more good than
harm. I don't seem to be blocking any legitimate traffic or users, just badly
behaved startups and downright malicious crackers. It was a tough compromise,
but so far it doesn't seem stupid.

~~~
patio11
Right.

Email has essentially converged on a patchwork ad-hoc net-wide implementation
of a few of the proposals lampooned in the famous Slashdot copy/paste thing.
Small businesses who are serious about getting their mail delivered pay what
amounts to a delivery tax. The difference is it is not actually a tax, it is
just a per-piece rate paid to a mailing service that keeps up with all the SPF
records, feedback loops, blacklist monitoring, etc. for us. However, considered
from the perspective of the firm, it is essentially a tax, and it means that
people paying a penny or two per email end up trustworthy. Everyone else is
left in the email wild west, where they either have massive amounts of
physical and reputational capital (Amazon et al) and get their mail accepted
for free, or they're almost certainly trying to spam you (statistically
speaking).

This is strongly related to strong centralization of email. I just had my
20,000th email submitted yesterday. Of those 20k, over 12k belong to just 10
domains. Even that overstates the diversity of spam squashing strategies,
since most of the domains eventually use the same RBLs, etc.

~~~
viraptor
> "Everyone else is left in the email wild west"

In my experience some anti-spam organisations seem to want to keep that area
wild. Or they just don't see the standard problems from their high horses. I
get most of my servers listed as dynamic at least twice a year just because
the ISP happens to provide residential dynamic DSL in the same netblock. And I
can't change the rDNS of course, because the ISP doesn't allow it for people
with ranges smaller than /28. Good luck explaining the situation to sorbs or
people who block based on sorbs' dynamic list unconditionally.

~~~
sailormoon
Yeah that sucks. But you have to admit their reasoning is pretty sound.

The minimum "credible" IP suitable for duty as an email server is probably a
cheap VPS somewhere.

~~~
mschy
I've had /23s and /22s listed as dynamic incorrectly, and anti-spam
organizations wouldn't take them off even when they were either SWIPd through
to my company, or were in my ASN.

Getting off the lists is an enormous pain in the ass. They make absurd
demands, like changing the rDNS on every single IP in the block to contain the
word static.... as though breaking rDNS is a good idea.

~~~
sailormoon
Argh. Well that's pretty indefensible. There must be some reason, though - you
probably had the bad luck to take over a block that had previously been
blacklisted.

That "static" thing is just stupid. God I wish ISPs would just standardise on
putting "dyn" into the rDNS of their dynamic IPs though. That would solve so
many problems.

~~~
mschy
_you probably had the bad luck to take over a block that had previously been
blacklisted._

That's exactly what happened. It was apparently dial-up space many years ago.

I say many, because the space in question has been under my control since
2005, and it's STILL on the dynamic IP list, despite a roughly annual attempt
to get de-listed.

