EC2 and GAE means end of ip address reputation industry? (Re: Intrusion attempts from Amazon EC2 IPs)
lear at cisco.com
Mon Jun 23 02:02:04 CDT 2008
Let's go back to the case in point: Amazon is claimed not to behave as
a good Netizen.[*] In these circumstances we have to ask why the
traditional system doesn't work. This is precisely the case when you
want to ding someone's reputation. Your argument that many good
applications will be running to counterbalance the bad depends on
whether those running the good applications will tolerate intermittent
outages because the bad applications cause the sites to get blacklisted.
Also, let's remember that reputation means different things in different
contexts. One could easily envision a cloud having a good web
reputation and a lousy or at best neutral email reputation.[**] In
addition, the risks of infection are also very different. In the web
case, if a host connects to a known infected site, its risk of becoming
infected is very high, compared to the risk of someone receiving an
email message that points to spam. This means to me that end users who
are protecting themselves with some sort of web reputation service are
likely to guard against clouds and not quickly whitelist them.
But there's also the possibility for web reputation services to improve
granularity above and beyond the IP address, but this depends on quite a
number of things, such as whether SSL is used and where and how
information is collected by the services.[***]
And so the question boils down to this: will Amazon and its ilk adapt to
the current reputation services model or will it be the other way
around? I think it will be both, but more the former than the latter.
[*] Not my claim.
[**] Email reputation is commonly applied to messages and to TCP/25.
For our purposes, although it's overly simplistic, let's view web
reputation as everything else.
[***] Self-signed certs are a clearly interesting area to consider when
it comes to THEIR reputations. The same can be said for any X.509 CA
that itself doesn't do a good job of confirming the identity of a
requestor. I don't suggest that this should be a sole input or even a
significant discriminator in and of itself, of course.
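To make the granularity argument above concrete, here is an added example (not from this post, and not any reputation vendor's code) that scores the same constructed observations three ways: by IP only, by IP plus context (web vs. TCP/25), and by IP plus server name plus certificate fingerprint. The IP 198.51.100.7, the hostnames and the fingerprints are constructed sample data, not real indicators.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One thing a reputation service might record about a connection."""
    ip: str
    context: str       # "web" or "mail" (mail == TCP/25)
    server_name: str   # SNI / HTTP Host, "" when not available
    cert_fp: str       # leaf certificate fingerprint, "" for plaintext
    malicious: bool    # verdict attached to the observation


# Constructed sample: two tenants share one cloud IP; one is a good web
# shop, the other serves malware behind a self-signed cert and also spams.
OBSERVATIONS = [
    Observation("198.51.100.7", "web", "shop.example", "fp-shop", False),
    Observation("198.51.100.7", "web", "shop.example", "fp-shop", False),
    Observation("198.51.100.7", "web", "evil.example", "fp-selfsigned", True),
    Observation("198.51.100.7", "mail", "", "", True),
]


def reputation(observations, key_fn):
    """Fraction of malicious observations for each key produced by key_fn."""
    good = defaultdict(int)
    bad = defaultdict(int)
    for o in observations:
        (bad if o.malicious else good)[key_fn(o)] += 1
    return {k: bad[k] / (bad[k] + good[k]) for k in set(good) | set(bad)}


# Three granularities, from the traditional IP blacklist to a per-site key.
def ip_key(o): return o.ip
def context_key(o): return (o.ip, o.context)
def fine_key(o): return (o.ip, o.context, o.server_name, o.cert_fp)


def should_block(observations, query, key_fn, threshold=0.5):
    """Block when the key this query maps to has a bad enough history."""
    return reputation(observations, key_fn).get(key_fn(query), 0.0) >= threshold


if __name__ == "__main__":
    good_shop = Observation("198.51.100.7", "web", "shop.example", "fp-shop", False)
    for name, key_fn in [("ip", ip_key), ("ip+context", context_key), ("fine", fine_key)]:
        print(f"{name:11s} blocks the good tenant: {should_block(OBSERVATIONS, good_shop, key_fn)}")
```

With the IP-only key the good tenant is blacklisted by its neighbour's behaviour (the intermittent outage the post describes); the context key separates the lousy mail reputation from the web one, and the fine key isolates the self-signed malware site.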