EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)

Paul Vixie paul at
Sun Jun 22 18:48:03 UTC 2008

> From: Troy Davis <troy at>
> ...
> AWS already tracks VM instances and their internal IP allocations.  They
> recently added "elastic IPs," which are assigned to a customer rather
> than a specific instance.  To the rest of the world, they're static IPs.

abusers don't have specific identities.  they will find out the minimum level
of identity-checking they have to spoof, and spoof that.  stolen credit cards,
throwaway domains, free e-mail accounts, and so on.  before they get disco'd
they already have their next instance set up and ready to go.  the game is to
live in the time margin of the ISP's reaction time, so that each fake identity
gets a predictable amount of time and resources before it's stopped/abandoned.

this is why during my time running MAPS, i focused on fully funded abuse desks
with the power to suspend or disconnect in real time, 24x7, pending management
review.  warning policies or management approval increased the guaranteed
minimum useful lifetime of a fake hosting customer identity to the point where
there was no benefit in sending that ISP complaints at all.  some ISPs went to
extreme lengths to tie fake identities together so as to increase the up-front
costs of serial abusers, but this inevitably raised their overall costs and
also their acquisition costs for non-abusive customers, and the only thing that
kept those increased costs from making these ISPs noncompetitive was that their
reputation would be better, and a better reputation had an offsetting benefit.

given that an static IP's reputation has inertia, and it takes days or weeks
or sometimes years for a "bad IP" to get its reputation cleaned up enough for
it to be reused, there's a window here where the pool of IP's EC2 can churn
through if it assigned them statically to potentially abusive customers may
not be large enough to also accomodate the new non-abusive load during the
period they want that churn-pool to cover.  and they'll have clean-up costs
in resetting the reputation of previously abused IP's, with a natural tendancy
of IP reputation services to think that amazon, as a large company, is doing
the absolute minimum work nec'y to prevent serial abuse, such that inertia for
EC2 addresses is likely to be effectively higher than for non-EC2 addresses.

> ...
> Anyway, Amazon and Google are motivated and innovative, so I wouldn't write
> it off.
> Troy

amazon and google are also large and profitable, and they know how to manage
their risks and costs to the maximum benefit of their shareholders and their
customers.  this is a variation on "good, fast, or cheap: choose two".  for
something like EC2 to be a financial success, it has to scale, and the trade-
offs that make scale possible also create dark corners and loopholes in which
abusers can thrive.  reputation systems have generally not scaled well, but
they'll still be possible, based on content, domain name, digital signatures,
webs of trust, that kind of thing.  just not IP addresses like in the old days.


More information about the NANOG mailing list