EC2 and GAE means end of ip address reputation industry? (Re: Intrusion attempts from Amazon EC2 IPs)

Paul Vixie paul at
Sun Jun 22 17:34:32 UTC 2008

hi andy.

> > with EC2, it's game-over for the IP reputation industry,
> I was discussing this on an e-commerce practitioners list earlier today, and
> argued basically that, from an abuse point of view, EC2 is the same as any
> other bad neighborhood, and that operators needing to make impact fast, will
> treat it as they do any other bad neighborhood.

i wish i agreed.  a bad neighborhood that's mostly access customers or mostly
small businesses can be dealt with by address.  but if it's mostly services
and most of those are things your own customers want to reach and many of
those are large, then the leverage is on the wrong end of the stick.

if we lived in an ipv6 world, such that every EC2/GAE customer had its own
dedicated IP address, not to be reused within a five year span, then blocking
by IP address would remain practical, even though blocking by IP prefix or ASN
is still ruled out.  but in an ipv4 world where IP addresses are too precious
to dedicate or retire on a per-customer basis, i don't see any large eyeball
network subscribing to any IP reputation service who lists any part of EC2's
address space.

the problem with this model change is deeper than "we'll all get more spam".
in i wrote that:

	If you're an Internet user in a bad neighborhood -- as evidenced by
	your mail not getting through to a lot of people, who then tell you
	that they're blocking all mail from your ISP since there's effectively
	no abuse desk -- but you're unable/uninterested in operating your own
	secure computer in some remote facility, then you'll need to locate a
	provider who can offer you a suite of services like e-mail and web
	hosting, who does not also offer those services to spammers and script
	It's worth pointing out that a "better neighborhood" might also have
	as its customers people whose content is objectionable to you, for
	example, it might also host a lot of web sites offering politics, or
	pornography, or alternative lifestyles, or alternative energy, or who
	knows what-all. Don't worry about this. Some of the neighborhoods on
	the Internet whose reputations are strongest, are the ones with the
	most diverse customer bases. The point is, don't let your local cable
	or DSL spam-haven offer you an e-mail account, or web publishing
	services, or anything else that they can't afford to support. As a
	rule of thumb, $40 per month is not enough money to pay for an abuse
	desk; and without a strong, well trained abuse desk, the neighborhood
	will be "bad".

among the distinctions being blurred by the EC2/GAE model, there is no longer
going to be a competitive advantage for companies with fully funded abuse
desks.  if i'm right that AOL/COX/Comcast cannot afford to blackhole EC2/GAE or to
subscribe to any IP reputation service who blackholes EC2/GAE, then the level
of inbound abuse these networks will treat as inevitable is going to rise to
the point where the effective difference between the IP reputation of an ISP
who signs pink contracts and/or has no abuse desk vs. an ISP who keeps out the
bad guys and fully funds their abuse desk will be approximately Nil.  without
the ability to differentiate on this basis, a new lowest common denominator
will be found as "good" ISPs are driven out of the margin by "bad" ISPs.

jcurran's point that amazon may be forced to police itself if it becomes home
to P2P networks hosting DMCA-taggable content is interesting.  this could mean
that amazon will have to re-price EC2 to include some policing costs, just to
protect its executives and shareholders.  the devil will be in the details --
if this is the path we all go down together, then amazon will still have to
control its costs, and that'll mean picking the smallest possible list of
things they'll police, and i don't think SSH port knocking or botnet C&C or
open proxies will make *that* list, because they can manage those underlying
risks at lower cost on the back end than on the front end.

so in addition to ending an era, EC2/GAE/similar are beginning a new one in
which the debate about the definition of acceptable use becomes multilateral
rather than just a series of bilateral or unilateral agreements and actions.
that is the other "silver lining" in all this.  if distributed computing is
a necessary utility then it may become a public utility and so EC2/GAE could
spawn an "internet public utilities commission" at the state or federal level.
and while i wouldn't like to see FCC-style "morality policing" of content, i
think that if big companies are going to create public nuisances for what are
perfectly valid business reasons, they should either pre-regulate or expect
to be post-regulated.
