North American Network Operators Group


Re: EC2 and GAE means end of ip address reputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)

  • From: Nathan Ward
  • Date: Mon Jun 23 01:41:20 2008

On 23/06/2008, at 4:17 AM, Paul Vixie wrote:
> as randy bush often says, "it's just business." amazon has solid business
> reasons for creating EC2 and there's no way it could be profitable if they
> can't scale the user base, and there's no way to scale the user base if
> they have to police it at the application or "intent" level. so, i'm not
> whining, just pointing out that this is a sea change, the end of an era.

Seems to me that blocking outgoing messages to 22/TCP should be easy enough. I'm sure there's some convoluted case where it might be needed, but my guess is that losing those few customers would be worth the return in "trust". Note that the case where this is legitimate is very small - we're talking about a web app connecting to SSH servers that are outside the administrative control of the owner of the web app, as if they were in the same administrative control it would be trivial to run it on alternative ports.


Same goes for SMTP, but provide mail relays that let you send messages only from domains you have registered with EC2 - should be easy enough to validate ownership - scan whois for email addresses, and send them "Person X has asked to send mail from this domain, please pass this message on to them. $verification_url".

Sure there's other bad things that people are going to use this service for, but these seem to be the obvious ones that are easy to limit without big disruptions.

Do 'normal' web hosting providers allow customer created scripts to create TCP sessions out to arbitrary things?

--
Nathan Ward
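The relay-side domain check suggested in the message above for SMTP, sketched as an added example; it is not part of the original post and does not describe any actual EC2 feature. The names `issue_token`, `confirm_token`, `RelayPolicy` and the 72-hour validity window are assumptions made for illustration, and the whois lookup and the sending of the mail are left out.

```python
import hashlib
import hmac
import json

TOKEN_TTL = 72 * 3600  # assumed lifetime of the emailed link, in seconds


def _mac(secret: bytes, account: str, domain: str, expires: int) -> str:
    # Bind the token to one account, one domain and one expiry time.
    # JSON encoding keeps the three fields unambiguous inside the MAC input.
    msg = json.dumps([account, domain.lower(), expires]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_token(secret: bytes, account: str, domain: str, now: int) -> str:
    """Token to embed in the $verification_url mailed to the whois contacts."""
    expires = now + TOKEN_TTL
    return f"{expires}.{_mac(secret, account, domain, expires)}"


def confirm_token(secret: bytes, account: str, domain: str,
                  token: str, now: int) -> bool:
    """True only for an unexpired token issued for this account and domain."""
    expires_s, _, mac = token.partition(".")
    if not (expires_s.isascii() and expires_s.isdigit()):
        return False
    if now > int(expires_s):
        return False
    expected = _mac(secret, account, domain, int(expires_s))
    return hmac.compare_digest(mac.encode(), expected.encode())


class RelayPolicy:
    """Per-account list of sender domains the relay will accept."""

    def __init__(self) -> None:
        self._verified = set()

    def mark_verified(self, account: str, domain: str) -> None:
        self._verified.add((account, domain.lower()))

    def may_relay(self, account: str, mail_from: str) -> bool:
        # Envelope sender must sit in a domain this account has verified.
        # Exact match only: verifying example.org does not cover subdomains.
        local, at, domain = mail_from.strip().strip("<>").rpartition("@")
        if not (at and local and domain):
            return False  # null or malformed sender is refused on this relay
        return (account, domain.lower()) in self._verified
```

The relay would call `mark_verified` only after `confirm_token` succeeds for the link the domain contact followed, and `may_relay` on every MAIL FROM.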