EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)

Nathan Ward nanog at
Mon Jun 23 05:41:07 UTC 2008

Hash: SHA1

On 23/06/2008, at 4:17 AM, Paul Vixie wrote:
> as randy bush often says, "it's just business."  amazon has solid  
> business
> reasons for creating EC2 and there's no way it could be profitable  
> if they
> can't scale the user base, and there's no way to scale the user base  
> if
> they have to police it at the application or "intent" level.  so,  
> i'm not
> whining, just pointing out that this is a sea change, the end of an  
> era.

Seems to me that blocking outgoing messages to 22/TCP should be easy  
enough. I'm sure there's some convoluted case where might be needed,  
but my guess is that losing those few customers would be worth the  
return in "trust". Not that the case where this is legitimate is very  
small - we're talking about a web app connecting to SSH servers that  
are outside the administrative control of the owner of the web app, as  
if they were in the same administrative control it would be trivial to  
run it on alternative ports.

Same goes for SMTP, but provide mail relays that let you send messages  
only from domains you have registered with EC2 - should be easy enough  
to validate ownership - scan whois for email addresses, and send them  
"Person X has asked to send mail from this domain, please pass this  
message on to them. $verification_url".

Sure there's other bad things that people are going to use this  
service for, but these seem to be the obvious ones that are easy to  
limit without big disruptions.

Do 'normal' web hosting providers allow customer created scripts to  
create TCP sessions out to arbitrary things?

- --
Nathan Ward

Version: GnuPG v1.4.7 (Darwin)


More information about the NANOG mailing list