nanog mailing list archives
Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)
From: Troy Davis <troy () yort com>
Date: Sun, 22 Jun 2008 11:23:37 -0700
Paul Vixie wrote:
with EC2, it's game-over for the IP reputation industry, other than possibly lists of dynamic IP blocks (modems, DSL, etc) from which SMTP ought not come. but for the wider IP address space, we now return to content based filtering, and i predict a mighty increase in the number of pink contracts in colo rooms. (the silver lining is, this could reduce pressure on BGP piracy/injection.)
I'm not sure that shared resources are impossibly tied to anonymity, at least when connectivity goes through a single entity. That entity is motivated to increase usage, to help its customers expose their own reputation (good or bad), and to host more complex services where this concern comes up.

AWS already tracks VM instances and their internal IP allocations. They recently added "elastic IPs," which are assigned to a customer rather than a specific instance. To the rest of the world, they're static IPs. AWS could expose rwhois for those elastic IPs, or delegate from different shared and elastic blocks. Folks who care about establishing trust would choose elastic IPs.

And while tracking NAT state for every connection would be painful, a few thoughtful choices could go a long way -- Pareto principle or even 95/5. For example, track instances w/more than 50 open outbound connections to dport 25; those trying to transmit a packet with a spoofed source address (ever); and count or rate-limit SYNs per internal instance IP.

I could also see AWS allowing customers to translate all outgoing traffic to a single customer-specific elastic IP, or even requiring it in order to generate certain traffic profiles (quantity, velocity, protocol, content). There are big design considerations here - points of egress/translation, EC2 availability zones - but they aren't insurmountable. Since the IP is already allocated to the customer, AWS could allow them to set a reverse DNS entry under their domain (and forward would match).

Though GAE's shared architecture creates a bit more of a challenge, it's still not impossible. As it happens, GAE doesn't currently support many of the features that are most useful to abusers (like raw sockets), and may never. So the problems that prevent identifying a source entity also prevent abuse in the first place.

Anyway, Amazon and Google are motivated and innovative, so I wouldn't write it off.

Troy
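The three per-instance heuristics Troy sketches (more than 50 open outbound connections to dport 25, any packet with a source address other than the instance's own, and a SYN count per internal instance IP) map directly onto flow records a provider's egress point already sees. The following is an added example, not code from the thread or from AWS: it evaluates those heuristics over a small constructed set of flow records. Instance ids, internal addresses and destinations are made up, the SMTP threshold of 50 is the one from the post, and the SYN limit of 100 is an assumed value.

```python
"""Added example: per-instance egress abuse heuristics over constructed flow records.
Not from the NANOG thread or any provider; instance ids, addresses and the SYN
limit are assumptions chosen for illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    """One outbound packet/connection record as an egress NAT might log it."""
    instance: str   # hypothetical instance identifier
    src_ip: str     # source address as seen on the wire
    sport: int
    dst_ip: str
    dport: int
    syn: bool       # True if this record is a TCP SYN


# Constructed mapping of instance -> assigned internal IP (hypothetical values).
ASSIGNED: Dict[str, str] = {
    "i-0001": "10.0.0.5",
    "i-0002": "10.0.0.6",
    "i-0003": "10.0.0.7",
}

SMTP_CONN_THRESHOLD = 50   # from the post: >50 open outbound connections to dport 25
SYN_LIMIT = 100            # assumed per-instance SYN budget for this window


def smtp_fanout(flows: List[Flow], threshold: int = SMTP_CONN_THRESHOLD) -> List[str]:
    """Instances with more than `threshold` distinct outbound connections to port 25.
    A connection is identified by (src_ip, sport, dst_ip) so retries are not double-counted."""
    conns = defaultdict(set)
    for f in flows:
        if f.dport == 25:
            conns[f.instance].add((f.src_ip, f.sport, f.dst_ip))
    return sorted(i for i, s in conns.items() if len(s) > threshold)


def spoofed_sources(flows: List[Flow], assigned: Dict[str, str]) -> List[str]:
    """Instances that ever emitted a packet whose source address is not the one assigned to them."""
    return sorted({f.instance for f in flows if f.src_ip != assigned.get(f.instance)})


def syn_counts(flows: List[Flow]) -> Dict[str, int]:
    """SYNs per instance in this window, the input to a per-instance rate limit."""
    return dict(Counter(f.instance for f in flows if f.syn))


def over_syn_limit(flows: List[Flow], limit: int = SYN_LIMIT) -> List[str]:
    """Instances whose SYN count exceeds the budget."""
    return sorted(i for i, n in syn_counts(flows).items() if n > limit)


def evaluate(flows: List[Flow], assigned: Dict[str, str]) -> Dict[str, List[str]]:
    """Run all three heuristics and return the flagged instances per heuristic."""
    return {
        "smtp_fanout": smtp_fanout(flows),
        "spoofed_source": spoofed_sources(flows, assigned),
        "syn_over_limit": over_syn_limit(flows),
    }


def build_sample_flows() -> List[Flow]:
    """Constructed sample traffic (not real data) exercising each heuristic."""
    flows = []
    # i-0001: 60 distinct outbound SMTP connections, over the threshold of 50.
    for n in range(60):
        flows.append(Flow("i-0001", "10.0.0.5", 40000 + n, f"198.51.100.{n % 250 + 1}", 25, True))
    # i-0002: a normal 3 SMTP connections, but 120 SYNs to one HTTPS target.
    for n in range(3):
        flows.append(Flow("i-0002", "10.0.0.6", 50000 + n, "198.51.100.200", 25, True))
    for n in range(120):
        flows.append(Flow("i-0002", "10.0.0.6", 51000 + n, "203.0.113.10", 443, True))
    # i-0003: one ordinary connection plus one packet with a source address it was never assigned.
    flows.append(Flow("i-0003", "10.0.0.7", 60000, "203.0.113.20", 80, True))
    flows.append(Flow("i-0003", "192.0.2.9", 60001, "203.0.113.30", 80, False))
    return flows


if __name__ == "__main__":
    for name, hits in evaluate(build_sample_flows(), ASSIGNED).items():
        print(f"{name}: {hits}")
```

The spoofed-source check is the cheapest of the three because it needs no state at all: the egress point compares the source address against the instance's allocation for every packet. The other two need per-instance counters over a time window, which is the "track a few things rather than full NAT state" trade-off the post describes.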