nanog mailing list archives
Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)
From: Paul Vixie <paul () vix com>
Date: Sun, 22 Jun 2008 18:48:03 +0000
From: Troy Davis <troy () yort com>
> ... AWS already tracks VM instances and their internal IP allocations. They recently added "elastic IPs," which are assigned to a customer rather than a specific instance. To the rest of the world, they're static IPs.
abusers don't have specific identities. they will find out the minimum level of identity-checking they have to spoof, and spoof that. stolen credit cards, throwaway domains, free e-mail accounts, and so on. before they get disco'd they already have their next instance set up and ready to go. the game is to live in the time margin of the ISP's reaction time, so that each fake identity gets a predictable amount of time and resources before it's stopped/abandoned.

this is why during my time running MAPS, i focused on fully funded abuse desks with the power to suspend or disconnect in real time, 24x7, pending management review. warning policies or management approval increased the guaranteed minimum useful lifetime of a fake hosting customer identity to the point where there was no benefit in sending that ISP complaints at all. some ISPs went to extreme lengths to tie fake identities together so as to increase the up-front costs of serial abusers, but this inevitably raised their overall costs and also their acquisition costs for non-abusive customers, and the only thing that kept those increased costs from making these ISPs noncompetitive was that their reputation would be better, and a better reputation had an offsetting benefit.

given that a static IP's reputation has inertia, and it takes days or weeks or sometimes years for a "bad IP" to get its reputation cleaned up enough for it to be reused, there's a window here where the pool of IPs EC2 can churn through, if it assigned them statically to potentially abusive customers, may not be large enough to also accommodate the new non-abusive load during the period they want that churn-pool to cover. and they'll have clean-up costs in resetting the reputation of previously abused IPs, with a natural tendency of IP reputation services to think that amazon, as a large company, is doing the absolute minimum work nec'y to prevent serial abuse, such that inertia for EC2 addresses is likely to be effectively higher than for non-EC2 addresses.
> ... Anyway, Amazon and Google are motivated and innovative, so I wouldn't write it off.
>
> Troy
amazon and google are also large and profitable, and they know how to manage their risks and costs to the maximum benefit of their shareholders and their customers. this is a variation on "good, fast, or cheap: choose two". for something like EC2 to be a financial success, it has to scale, and the trade-offs that make scale possible also create dark corners and loopholes in which abusers can thrive. reputation systems have generally not scaled well, but they'll still be possible, based on content, domain name, digital signatures, webs of trust, that kind of thing. just not IP addresses like in the old days.

paul
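A toy model of the pool-sizing argument in the message above, added here as an illustration; it is not part of the thread and not anything a provider runs, and every rate and duration in it is an assumed value chosen for the example.

```python
"""Toy steady-state model of the static-IP churn argument (constructed
illustration, not from the thread).  An abusive identity holds an address
for the provider's reaction time; afterwards it sits out of circulation
until reputation lists forget it.  Little's law: addresses tied up at
steady state = arrival rate of abusive identities * time each is unusable.
Every parameter value below is an assumption chosen for the example."""
import math
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class ChurnModel:
    abusive_signups_per_day: float  # fake identities that obtain an address per day
    reaction_days: float            # time until the abuse desk disconnects one
    cleanup_days: float             # time until the address's reputation is clean again

def unusable_days(m: ChurnModel) -> float:
    """Days an address is lost to legitimate use per abusive identity."""
    return m.reaction_days + m.cleanup_days

def addresses_tied_up(m: ChurnModel) -> float:
    """Little's law (L = lambda * W): addresses out of circulation at steady state."""
    return m.abusive_signups_per_day * unusable_days(m)

def pool_shortfall(m: ChurnModel, pool_size: int, legitimate_demand: int) -> float:
    """Addresses the provider lacks once churned ones are counted; 0.0 if the pool suffices."""
    return max(0.0, legitimate_demand + addresses_tied_up(m) - pool_size)

def simulate_tied_up(m: ChurnModel, days: int) -> float:
    """Day-by-day count of unusable addresses; converges to addresses_tied_up()."""
    w = math.ceil(unusable_days(m))       # whole days each daily cohort stays unusable
    cohorts: deque = deque()
    tied = 0.0
    for _ in range(days):
        cohorts.append(m.abusive_signups_per_day)
        tied += m.abusive_signups_per_day
        if len(cohorts) > w:              # oldest cohort's reputation has recovered
            tied -= cohorts.popleft()
    return tied

if __name__ == "__main__":
    slow = ChurnModel(100, 1.0, 30.0)     # abuse desk needs a day; lists forget in 30
    fast = ChurnModel(100, 0.25, 30.0)    # real-time disconnects, same list inertia
    for name, m in (("slow desk", slow), ("fast desk", fast)):
        print(name, addresses_tied_up(m), pool_shortfall(m, 10_000, 8_000))
```

Comparing the two models shows that a faster abuse desk shortens each fake identity's useful lifetime but barely relieves the address-pool pressure, which is dominated by the reputation clean-up time.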