EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)

Troy Davis troy at yort.com
Sun Jun 22 18:23:37 UTC 2008


Paul Vixie wrote:

> with EC2, it's game-over for the IP reputation industry, other than
> possibly lists of dynamic IP blocks (modems, DSL, etc) from which SMTP
> ought not come.  but for the wider IP address space, we now return to
> content based filtering, and i predict a mighty increase in the number of
> pink contracts in colo rooms.  (the silver lining is, this could reduce
> pressure on BGP piracy/injection.)

I'm not sure that shared resources are impossibly tied to anonymity, at
least when connectivity goes through a single entity.  That entity is
motivated to increase usage, to help its customers expose their own
reputation (good or bad), and to host more complex services where this
concern comes up.

AWS already tracks VM instances and their internal IP allocations.  They
recently added "elastic IPs," which are assigned to a customer rather
than a specific instance.  To the rest of the world, they're static IPs.
AWS could expose rwhois for those elastic IPs, or delegate from
different shared and elastic blocks.  Folks who care about establishing
trust would choose elastic IPs.

And while tracking NAT state for every connection would be painful, a
few thoughtful choices could go a long way -- Pareto principle or even
95/5.  For example, track instances w/more than 50 open outbound
connections to dport 25; those trying to transmit a packet with a
spoofed source address (ever); and count or rate-limit SYNs per internal
instance IP.

I could also see AWS allowing customers to translate all outgoing
traffic to single customer-specific elastic IP, or even requiring it in
order to generate certain traffic profiles (quantity, velocity,
protocol, content).

There are big design considerations here - points of egress/translation,
EC2 availability zones - but they aren't insurmountable.  Since the IP
is already allocated to the customer, AWS could allow them to set a
reverse DNS entry under their domain (and forward would match).

Though GAE's shared architecture creates a bit more of a challenge, it's
still not impossible.  As it happens, GAE doesn't currently support many
of the features that are most useful to abusers (like raw sockets), and
may never.  So the problems that prevent identifying a source entity
also prevent abuse in the first place.

Anyway, Amazon and Google are motivated and innovative, so I wouldn't
write it off.

Troy
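The three provider-side signals the post sketches (instances with more than 50 open outbound connections to dport 25, any packet whose source address is not the instance's allocated IP, and a per-instance SYN rate limit) can be computed from the NAT or flow state the provider already holds. The following is an added example, not code from the post, from Amazon or from NANOG: it defines a hypothetical per-packet flow-event record, a constructed set of events for four made-up instances, and the three checks. The instance ids, internal IPs, the 20-SYNs-per-second limit and the event format are all assumptions; only the 50-connection SMTP threshold comes from the post.

```python
"""Per-instance abuse signals over NAT/flow events (constructed, hypothetical format)."""
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowEvent:
    instance: str   # hypothetical: the instance the NAT device saw the packet from
    src: str        # source IP as written in the packet (may be forged)
    sport: int
    dst: str
    dport: int
    flag: str       # "S" = SYN (new connection attempt), "F" = FIN/close, "D" = data
    ts: float       # seconds since an arbitrary epoch

SMTP_OPEN_THRESHOLD = 50   # from the post: >50 open outbound connections to dport 25
SYN_RATE_LIMIT = 20        # assumption: SYNs allowed per instance per window
SYN_WINDOW_SECONDS = 1.0   # assumption: sliding window length

def spoofing_instances(events, allocations):
    """Instances that ever emitted a packet whose source is not their allocated internal IP.
    allocations maps instance id -> allocated internal IP (the provider already has this)."""
    return {e.instance for e in events if e.src != allocations.get(e.instance)}

def open_smtp_connections(events):
    """Per instance, count connections to dport 25 that were opened (SYN) and never closed (FIN)."""
    open_flows = defaultdict(set)
    for e in sorted(events, key=lambda e: e.ts):
        if e.dport != 25:
            continue
        key = (e.src, e.sport, e.dst)
        if e.flag == "S":
            open_flows[e.instance].add(key)
        elif e.flag == "F":
            open_flows[e.instance].discard(key)
    return {inst: len(flows) for inst, flows in open_flows.items()}

def heavy_smtp_instances(events, threshold=SMTP_OPEN_THRESHOLD):
    """Instances over the open-SMTP-connection threshold from the post."""
    return {inst for inst, n in open_smtp_connections(events).items() if n > threshold}

def syn_rate_violations(events, limit=SYN_RATE_LIMIT, window=SYN_WINDOW_SECONDS):
    """Sliding-window SYN counter per instance; returns how many SYNs each instance sent
    beyond the limit (the ones a rate limiter at the NAT point would drop)."""
    recent = defaultdict(deque)    # instance -> timestamps of SYNs admitted in the window
    dropped = defaultdict(int)
    for e in sorted(events, key=lambda e: e.ts):
        if e.flag != "S":
            continue
        q = recent[e.instance]
        while q and e.ts - q[0] >= window:
            q.popleft()
        if len(q) >= limit:
            dropped[e.instance] += 1
        else:
            q.append(e.ts)
    return dict(dropped)

# Constructed sample data: four hypothetical instances and their allocated internal IPs.
ALLOCATIONS = {"i-clean": "10.0.0.10", "i-bulkmail": "10.0.0.20",
               "i-spoofer": "10.0.0.30", "i-synflood": "10.0.0.40"}

def constructed_events():
    ev = []
    # i-clean: three SMTP connections, one of which is closed again.
    for k in range(3):
        ev.append(FlowEvent("i-clean", "10.0.0.10", 40000 + k, "198.51.100.5", 25, "S", 0.1 * k))
    ev.append(FlowEvent("i-clean", "10.0.0.10", 40000, "198.51.100.5", 25, "F", 5.0))
    # i-bulkmail: 60 SMTP connections to distinct hosts, slow enough to stay under the SYN limit.
    for k in range(60):
        ev.append(FlowEvent("i-bulkmail", "10.0.0.20", 50000 + k, f"203.0.113.{k + 1}", 25, "S", 10 + 0.5 * k))
    # i-spoofer: a single packet whose source address is not its allocated IP.
    ev.append(FlowEvent("i-spoofer", "192.0.2.99", 1234, "203.0.113.200", 80, "D", 20.0))
    # i-synflood: 100 SYNs to one host inside half a second.
    for k in range(100):
        ev.append(FlowEvent("i-synflood", "10.0.0.40", 60000 + k, "203.0.113.250", 443, "S", 30 + 0.005 * k))
    return ev

def report(events=None, allocations=ALLOCATIONS):
    """Combine the three signals into one per-provider summary."""
    events = constructed_events() if events is None else events
    return {
        "spoofing": spoofing_instances(events, allocations),
        "heavy_smtp": heavy_smtp_instances(events),
        "syn_dropped": syn_rate_violations(events),
    }

if __name__ == "__main__":
    print(report())
```

On the constructed data the spoofing check flags only i-spoofer, the SMTP threshold flags only i-bulkmail (60 open connections; i-clean is left with 2 after its FIN), and the SYN limiter admits the first 20 of i-synflood's 100 SYNs and drops the remaining 80 while i-bulkmail's slower SYNs pass untouched. The spoofing check keys on the instance the NAT device saw the packet from rather than on the packet's source field, which is exactly why the provider, and not an outside reputation service, is in a position to make it.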
