
hi andy.
>> with EC2, it's game-over for the IP reputation industry,
>
> I was discussing this on an e-commerce practitioners list earlier today, and argued basically that, from an abuse point of view, EC2 is the same as any other bad neighborhood, and that operators needing to make an impact fast will treat it as they do any other bad neighborhood.
i wish i agreed. a bad neighborhood that's mostly access customers or mostly small businesses can be dealt with by address. but if it's mostly services, and most of those are things your own customers want to reach, and many of those are large, then the leverage is on the wrong end of the stick. if we lived in an ipv6 world, such that every EC2/GAE customer had its own dedicated IP address, not to be reused within a five year span, then blocking by IP address would remain practical, even though blocking by IP prefix or ASN would still be ruled out. but in an ipv4 world where IP addresses are too precious to dedicate or retire on a per-customer basis, i don't see any large eyeball network subscribing to any IP reputation service that lists any part of EC2's address space.

the problem with this model change is deeper than "we'll all get more spam". in http://www.vix.com/personalcolo/ i wrote that:

    If you're an Internet user in a bad neighborhood -- as evidenced by your mail not getting through to a lot of people, who then tell you that they're blocking all mail from your ISP since there's effectively no abuse desk -- but you're unable/uninterested in operating your own secure computer in some remote facility, then you'll need to locate a provider who can offer you a suite of services like e-mail and web hosting, who does not also offer those services to spammers and script kiddies.

    ...

    It's worth pointing out that a "better neighborhood" might also have as its customers people whose content is objectionable to you; for example, it might also host a lot of web sites offering politics, or pornography, or alternative lifestyles, or alternative energy, or who knows what-all. Don't worry about this. Some of the neighborhoods on the Internet whose reputations are strongest are the ones with the most diverse customer bases.

    The point is, don't let your local cable or DSL spam-haven offer you an e-mail account, or web publishing services, or anything else that they can't afford to support. As a rule of thumb, $40 per month is not enough money to pay for an abuse desk; and without a strong, well trained abuse desk, the neighborhood will be "bad".

among the distinctions being blurred by the EC2/GAE model, there is no longer going to be a competitive advantage for companies with fully funded abuse desks. if i'm right that AOL/COX/Comcast cannot afford to blackhole EC2/GAE, or to subscribe to any IP reputation service that blackholes EC2/GAE, then the level of inbound abuse these networks will treat as inevitable is going to rise to the point where the effective difference between the IP reputation of an ISP that signs pink contracts and/or has no abuse desk vs. an ISP that keeps out the bad guys and fully funds its abuse desk will be approximately nil. without the ability to differentiate on this basis, a new lowest common denominator will be found as "good" ISPs are driven out of the margin by "bad" ISPs.

jcurran's point that amazon may be forced to police itself if it becomes home to P2P networks hosting DMCA-taggable content is interesting. this could mean that amazon will have to re-price EC2 to include some policing costs, just to protect its executives and shareholders. the devil will be in the details -- if this is the path we all go down together, then amazon will still have to control its costs, and that'll mean picking the smallest possible list of things they'll police, and i don't think SSH port knocking or botnet C&C or open proxies will make *that* list, because they can manage those underlying risks at lower cost on the back end than on the front end. so in addition to ending an era, EC2/GAE/similar are beginning a new one in which the debate about the definition of acceptable use becomes multilateral rather than just a series of bilateral or unilateral agreements and actions.

that is the other "silver lining" in all this. if distributed computing is a necessary utility then it may become a public utility, and so EC2/GAE could spawn an "internet public utilities commission" at the state or federal level. and while i wouldn't like to see FCC-style "morality policing" of content, i think that if big companies are going to create public nuisances for what are perfectly valid business reasons, they should either pre-regulate or expect to be post-regulated.

paul