RE: amazonaws.com?

From nanog-bounces@nanog.org Tue May 27 12:06:50 2008
Subject: RE: amazonaws.com?
Date: Tue, 27 May 2008 18:08:16 +0100
From: <michael.dillon@bt.com>
To: <nanog@merit.edu>

> If the address-space owner won't police it's own property,
> there is no reason for the rest of the world to spend the
> time/effort to _selectively_ police it for them.

Exactly!!!
If an SMTP server operator is not willing to police their server
by implementing a list of approved email partners, then why should
the rest of the Internet have to block outgoing port 25 connections?

Because the _privilege_ to send packets to other networks has been, from
'day one', conditional on the presumption that the sending network _is_
a "good neighbor" to the networks receiving their traffic.

AS SUCH, they have a firm 'moral responsibility' to *NOT* let _their_
users =originate= traffic that is harmful/offensive/abusive to the
receiving/destination network.

Or, are you arguing for _no_ "acceptable use" policies for _anything_ on
the 'net. That anyone should be free to attempt anything against any
server/network, and that it is the sole responsibility of the receiving
system to build and maintain the defenses against "whatever" any
malefactor might decide to do? *AND* that the party providing that black
hat' with connectivity should bear no responsibility for anything that
their customers do? Thinking about it, I realize that asking _you_ (an
employee of a major telephone company) is a silly question -- you have a
biased viewpoint from a government-regulated monopoly.

The buck needs to stop right where the problem is and that is
on the SMTP servers that are promiscuously allowing almost any
IP address to open a socket with them and inject email messages.

Since one _cannot_ stop the -attempts- at the destination end, and the
volume of -attempts- (even though they're blocked at the fence-line)
*CAN* be enough to render 'normal' operations of the receiving network
impossible -- "it should be obvious to the meanest intelligence" that
the matter *must* be addressed at a point _upstream_ from the destination
network.

It is universally recognized in the real world that 'toxic waste' issues
must be dealt with at the _source_ point -- where that toxic waste is
produced. AND that the costs of doing so should fall on those who produce
them.

There is no reason that the Internet should be any different. The polluter
is the party who *should* get hit with the majority of the costs of handling
the toxic waste they produce, not the party simply trying to enjoy the 'quiet
satisfaction' of their own property.

It is arguable that the Internet has advanced from the 'early pioneer' days
of the '80s, to a state that is comparable to the height of the "Robber Baron"
era -- where everybody was out for 'me first, and to h*ll with whomever isn't
big enough, mean enough, and tough enough to stand up to whatever I want to
do to take advantage of them.' History shows that such attitudes weren't right
_for_the_world_as_a_whole_ then, and societal barriers were put in place to
prevent such abuses from re-occurring.

> Amazon _might_ 'get a clue' if enough providers walled off
> the EC2 space, and they found difficulty selling cycles to
> people who couldn't access the machines to set up their
> compute applications.

Amazon might get a clue and sue companies who take such outrageously
extreme action.

*SNICKER* The results of such a suit are _utterly_ predictable. There's
established case-law going back a couple of _decades_. For example, look at
any of the (100% _unsuccessful_) suits that "Cyber Promotions, Inc." filed
against any of the several providers that did exactly that to said plaintiff.

There's similar case law in England, the Netherlands, Germany, Switzerland,
Norway, Finland, and Australia -- just to name a few of the places where
the matter has been litigated.

There are no "rights" on the Internet, only "privileges". Your right to
access any part of my network exists only -if- I extend you that privilege.
And it _is_ revokable at whim. WITHOUT any need to 'show cause why'. Such
a suit as you suggest runs the very real risk that the filing party would be
sanctioned as regards "frivolous" filings.

Even if you are being slammed by millions of email
messages from Amazon address space, that is not justification for
blocking all access to the space. It's a point problem on your
mail server so leave the shotgun alone, and put an ACL blocking
port 25 access to your mail server.

FALSE TO FACT.

If they generate _enough_ 'unwanted' traffic towards me, that can/will
constitute a fairly effective (D)DOS attack -- admittedly, it's only
'slightly' distributed, and it's coming from a single block, so it can
be dealt with by some forms of point responses.

I _cannot_ deal with volume-based DOS at -my- end of my pipes; it -requires-
blocking/limiting the traffic *before* it hits the choke-point that is my
external connectivity. When that traffic is coming from a 'well defined'
source under a single entity's control, *THAT* -- the source -- is the
appropriate place to deal with it. In the alternate case -- a widely
distributed set of disparate sources -- other methods (usually involving
the immediate "upstreams" -- who presumably have enough bigger resources to
be able to 'absorb' a volume of toxic waste that would be fatal to me) are
necessary. The fact that such methods are necessary in some circumstances
does -not- mean that they are the _preferred_ method in all circumstances.

I don't believe that horrendously broken email architecture and email
operators with no vision, are sufficient justification for blocking new and
innovative business models on the Internet. 10 months of the year, Amazon
has 10 times as many servers as they need. They want to rent them out
piecemeal and I applaud their innovation. Maybe their model is not perfect
yet, but the solution to that is not to raise a lynch mob. Instead you
should build a better cloud computing business and beat them that way.

I applaud their _intentions_, and deplore their *implementation*.

They, like many others, have forgotten that "the Internet" is, in fact, a
fairly -unique- institution/facility -- where the 'value' of what _you_
offer is contingent on the 'courtesies' you get for free from the rest of
the world. Every internet service provider and service offerer *needs*
the 'good will' of its competitors _more_ than it needs any of its own
customers.

Something like the initial part of the Hippocratic Oath is needed for those
who consider Internet-based service offerings -- "First, do no evil."

People who fail to control the toxic waste emissions from their property
are _not_ "good neighbors", and fail that 'do no evil' test.

The same for those who allow toxic waste emissions to flow from their networks
over the Internet.

You need to wake up, Dorothy, this isn't Kansas anymore. Free access to the internet was won long ago; it's all about defending yourself.

Thinking about it, I realize that asking _you_ (an employee of a major
telephone company) is a silly question -- you have a biased viewpoint
from a government-regulated monopoly.

Reductio ad absurdum. Needs no other reply.

"it should be obvious to the meanest intelligence" that
the matter *must* be addressed at a point _upstream_ from the
destination network.

Of course. But a more advanced intelligence will wonder why we
have to have an SMTP server architecture that invites attacks.
Why, by definition, do SMTP servers have to accept connections
from all comers, by default? We have shown that other architectures
are workable on the Internet, where communications only take place
between peers who have prearranged which devices talk to which. This
worked for USENET news and it works for exchanging BGP route
announcements. Such peering architectures allow you to introduce
hierarchy into the set of bilateral arrangements, and as everyone
should know, hierarchy is essential to scaling a network.

As long as we don't fix the architecture of Internet email, we
are stuck with the catch-22 situation that Amazon, and all hosting
providers find themselves in. These companies really have no choice
but to allow spammers to exploit their services until the spamming
is detected, either proactively by the provider, or reactively by
a complaint to their abuse desk. And eyeball providers really have
no choice but to accept this state of affairs, because without the
hosted sites, there is not a lot of incentive for eyeballs to attach
to the net.

Sure, Amazon could try to react more quickly to abuse reports, but
if more ISPs would get behind a standard like ARF or IODEF
Mutual Internet Practices Association Cover Pages: Incident Object Description and Exchange Format (IODEF)
then this would be possible without huge spending on an abuse
desk that spends most of its time discarding junk mail.

The fact is that around 10 years ago, the Internet lost its
abuse reporting system and ISPs have not yet replaced it with
one that works.

It is universally recognized in the real world that 'toxic waste' issues
must be dealt with at the _source_ point -- where that toxic waste is
produced. AND that the costs of doing so should fall on those who produce
them.

And that is what we do with our retail DSL and dial customers because
sending out tons of mail to port 25 is not normal in such an
environment.
But in a hosting environment, it is perfectly normal to send out tons
of mail so it is not possible to be as proactive as you can be with
consumer customers.

There is no reason that the Internet should be any different. The polluter
is the party who *should* get hit with the majority of the costs of handling
the toxic waste they produce, not the party simply trying to enjoy the 'quiet
satisfaction' of their own property.

Actually, there *IS* a reason why the Internet should be "different".
In the real world, if you try to enjoy the quiet satisfaction of
your property without locking the doors, and someone walks in and
takes your valuables, both the law, and the insurance company
will consider you to be negligent. You do have an obligation to
take reasonable measures to secure your property, i.e. don't leave
the keys in the ignition. The Internet is no different.

History shows that such attitudes weren't right
_for_the_world_as_a_whole_ then, and societal barriers were put in place to
prevent such abuses from re-occurring.

Prevent? I don't think so. Enron did happen not so long ago and
it was not an isolated incident.

Your right to access any part of my network exists only -if- I extend you
that privilege. And it _is_ revokable at whim. WITHOUT any need to 'show
cause why'.

Go ahead, no one will sue you for that. But if you solicit other
companies to join you in painting Amazon the same color as Cyber
Promotions, then I would expect them to sue you and win. In any case
this will never happen because few ISPs have a customer base that would
allow them to cut off Amazon, and all the other cloud computing
suppliers.

I _cannot_ deal with volume-based DOS at -my- end of my pipes; it -requires-
blocking/limiting the traffic *before* it hits the choke-point that is my
external connectivity.

This is one of the flaws in the existing email architecture because
it invites anyone and everyone to hit your email server with as many
messages as they desire. This invitation is what drives spammers to
do what they do.

I applaud their _intentions_, and deplore their *implementation*.

In what way does their implementation differ substantially from any
other hosting provider?

--Michael Dillon
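The exchange above turns on whether a flood of SMTP connections from one hosting block is a "point problem" fixable with an ACL on the mail server, and on the observation later in the thread that rebooted instances keep surfacing on fresh addresses. The following is an added example, not code from the thread or from any of its participants: it counts Postfix smtpd connection attempts per source prefix on constructed sample log lines, uses the spread of distinct addresses to tell a single bad client from a churning block, and renders a Postfix CIDR access map for the blocks that cross both thresholds. The prefixes, log lines and thresholds are all constructed placeholders (RFC 5737 documentation ranges), not Amazon's actual allocations.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed placeholder prefixes standing in for a hosting provider's
# blocks (the thread mentions a /17, /18 and /19 but not their addresses),
# so RFC 5737 documentation ranges are used here.
HOSTING_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
OTHER = "other"  # key for sources outside every listed prefix

# Constructed Postfix-style smtpd log lines, not real logs.
SAMPLE_LOG = """\
May 27 12:06:50 mx1 postfix/smtpd[2011]: connect from unknown[192.0.2.17]
May 27 12:06:50 mx1 postfix/smtpd[2012]: connect from unknown[192.0.2.18]
May 27 12:06:51 mx1 postfix/smtpd[2013]: connect from unknown[192.0.2.19]
May 27 12:06:51 mx1 postfix/smtpd[2011]: disconnect from unknown[192.0.2.17]
May 27 12:06:52 mx1 postfix/smtpd[2014]: connect from unknown[192.0.2.17]
May 27 12:06:52 mx1 postfix/smtpd[2015]: connect from unknown[192.0.2.40]
May 27 12:06:53 mx1 postfix/smtpd[2016]: connect from unknown[192.0.2.18]
May 27 12:06:53 mx1 postfix/smtpd[2017]: connect from host.example[198.51.100.9]
May 27 12:06:54 mx1 postfix/smtpd[2018]: connect from host.example[198.51.100.9]
May 27 12:06:55 mx1 postfix/smtpd[2019]: connect from mail.partner.example[203.0.113.5]
"""

# The "]: " anchor makes this match "connect from" but not "disconnect from".
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+\[([0-9.]+)\]")


def attempts_by_prefix(log_text, prefixes=HOSTING_PREFIXES):
    """Count connection attempts and distinct client addresses per prefix.

    Returns {prefix_string_or_OTHER: (attempts, distinct_addresses)}.
    """
    attempts = Counter()
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        owner = next((str(p) for p in prefixes if addr in p), OTHER)
        attempts[owner] += 1
        seen[owner].add(addr)
    return {k: (attempts[k], len(seen[k])) for k in attempts}


def prefixes_to_block(stats, min_attempts, min_distinct):
    """Prefixes whose attempt count and address spread both cross the thresholds.

    The distinct-address test separates a point problem (one client, block
    one IP) from a block that keeps handing abusers fresh addresses, where
    a per-IP rule only chases churn and the whole prefix is the right unit.
    """
    return sorted(k for k, (n, d) in stats.items()
                  if k != OTHER and n >= min_attempts and d >= min_distinct)


def postfix_cidr_table(prefixes):
    """Render a Postfix CIDR access map rejecting the given prefixes.

    Load it with: smtpd_client_restrictions = check_client_access cidr:/etc/postfix/client_access
    """
    return "\n".join(f"{p} REJECT SMTP connection volume from this block" for p in prefixes)


if __name__ == "__main__":
    stats = attempts_by_prefix(SAMPLE_LOG)
    for k, (n, d) in sorted(stats.items()):
        print(f"{k:18} attempts={n:3} distinct={d}")
    print(postfix_cidr_table(prefixes_to_block(stats, 5, 3)))
```

On the sample data only the first prefix is both busy and spread across several addresses, so it is the only one that ends up in the access map; the single noisy host in the second prefix would be a per-IP decision instead.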

But a more advanced intelligence will wonder why we have to have an SMTP
server architecture that invites attacks. Why, by definition, do SMTP
servers have to accept connections from all comers, by default? We have
shown that other architectures are workable on the Internet, where
communications only take place between peers who have prearranged which
devices talk to which. This worked for USENET news and it works for
exchanging BGP route announcements.

Of course there's no unwanted traffic on USENET or BGP. Everyone de-peers
Tiscali when their customers' compromised home computers perform DDOS
attacks.

As long as we don't fix the architecture of Internet email, we
are stuck with the catch-22 situation that Amazon, and all hosting
providers find themselves in. These companies really have no choice
but to allow spammers to exploit their services until the spamming
is detected, either proactively by the provider, or reactively by
a complaint to their abuse desk.

Nothing prevents Amazon from implementing a hierarchical email delivery
network for their little corner of the net. They just have to block
outgoing port 25 and require their users to use Amazon's smarthosts.

I don't see how, in your preferred replacement email architecture, a
provider would be able to avoid policing their users to prevent spam
in the way that you complain is so burdensome.

Tony.

I don't see how, in your preferred replacement email
architecture, a provider would be able to avoid policing
their users to prevent spam in the way that you complain is
so burdensome.

To begin with, mail could only enter such a system through
port 587 or through a rogue operator signing an email peering
agreement. In either case, there is a bilateral contract involved
so that it is clear whose customer is doing wrong, and therefore
who is responsible for policing it. It's a different model in
which email traffic follows a chain of bilateral agreements
from the sender to the recipient. At each link in the chain,
a provider can block traffic if it does not conform to the
peering agreement (or service agreement for end users).

Today, an anonymous spammer can obfuscate the source of their email
in a way that an average user can't figure out who to complain to.
In a hierarchical email peering system, only a rogue operator could
do that, and by nature of the system, they can't really be totally
anonymous. After all they have to sign a peering agreement with someone.

--Michael Dillon

This is different from Amazon's situation how?

Tony.

Has Amazon given an official statement on this? It would be nice to get
someone from within Amazon to give us their official view on this. It
would be even more appropriate for the other cloud infrastructures to
join in, and or have some sort of RFC to do with SMTP access within the
"cloud." I foresee this as a major problem as the idea of "the cloud" is
being pushed more and more. You are talking about a spammer's dream. Low
cost, powerful resources with no restrictions and complete anonymity.

Personally I'm going to block *.amazonaws.com from my mail server until
Amazon gives us a statement on how they are planning on fighting spam
from the cloud.

Tony Finch wrote:

"The cloud" is just a marketing term for a bunch of virtual servers,
at least in Amazon's case. It's nothing particularly new, just a VPS
farm with the same constraints and abuse issues as a VPS or
managed server provider.

The only reason this is a problem in the case of Amazon is that they're
knowingly selling service to spammers, their abuse guy is in
way over his head and isn't interested in policing their users
unless they're doing something illegal or the check doesn't clear.
As long as the spam being sent doesn't violate CAN-SPAM, it's legal.

Cheers,
   Steve

Well the thing that differentiates "the cloud" is that there is an
infinite amount of resources, the ability to have anonymous access, and
the infinite amount of identities. Basically Amazon has allocated a /18,
/19, and /17 to EC2. The chances of getting the same IP between two
instances amongst that many possibilities is low. Basically someone
could easily go get a temporary credit card and start up 10 small EC2
instances. This would give them 10 public IPs which would probably take
3-4 hours (minimum) to show up on any sort of blacklists. Then it's just
a matter of rebooting and you have another 3-4 hours. This could last
weeks with a credit card. Then you could rinse and repeat. In the past
I've seen companies require EIN/SSN verification (a bit much) in order
to open up certain things (port 25, BGP, etc...). If Amazon is going to
continue to have policies that allow spammers to thrive it will end with
EC2 failing.

SMTP has inherent trust issues. I'm currently researching Amazon AWS's
static IP addresses. I think it would be easiest to block everything and
just make exemptions for people who purchase the static IPs.

My advice to you if you are buying anonymous resources would be to
purchase an agreement with a relay that isn't part of the anonymous
computing center.

Steve Atkins wrote:

That's somewhat ironic of a sentiment you referred to there, given that the conception that one should have to hand over one's SSN for "verification" to anyone who asks for it is the kind of thing that many of these spammers/phishers thrive on in the first place...

(I assume that you are not actually really advocating such a requirement for anyone wanting to run a mail server...)

- S

I would think that simply requiring some appropriate amount of irrevocable
funds (wire transfer, etc) for a deposit that will be forfeited in the case
of usage in violation of AUP/contract/etc would be both sufficient and not
excessive for allowing port 25 access, etc.

Many, many years ago, when I was working someplace that was just starting to
dabble in shared hosting, the company would require a faxed copy of a
driver's license to enable some hosting features (shell off the top of my
head). In today's world, this simply will not do (customer sentiment,
liability for loss of that data you're storing, and so on).

I think the straightforward fix is for Amazon to put some practical mail
guidelines together for their environment (time-based volume limitations,
Amazon-provided smarthosts, etc) with an exception process for those who
need larger amounts of legitimate outbound mail. I guess legitimate is
subjective though. *sigh*

-brandon

That sounds great. Presumably in addition to the above the sun is always shining, cats never crap in the kitchen and those responsible for the American Idol franchise have been lined up against the wall and shot?

Joe

What...

are people still using SSNs as authenticators instead of identifiers,
20 years on?

Cheers,
-- jra

I think the straightforward fix is for Amazon to put some
practical mail guidelines together for their environment

Has anyone making these suggestions ever thought to look at the Amazon
Web Services agreement that governs these EC2 customers?

<http://www.amazon.com/AWS-License-home-page-Money/b/ref=sc_fe_c_0_201590011_13?ie=UTF8&node=3440661&no=201590011&me=A36L942TSJ2AJA>

--Michael Dillon

These are highly dense service farms that are making efficient use of
power, CPU, memory and network based on huge densities based on power
and square footage. It's far more than a marketing term.

Careful. Don't underestimate this trend.

-M<

Until you find out that the source of those supposedly irrevocable funds
was stolen or fraudulent, and you have some sort of court subpoena to give
it back.

I don't believe there is a way for you to outwit the scammer/spammer by
making them pay more of their or someone else's money. If you have what
they need, they'll find a way to trick you into giving it to them.

Beckman

Are you still trying to prove that Amazon, Dell, The World, etc can't
possibly work?

By your reasoning why don't the spammers just empty out Amazon's (et
al) warehouses and retire! Oh right, they'd have to sell it all over
the internet which'd mean taking credit cards...

I'm still curious what a typical $ sale is on one of these cloud
compute clusters, in orders of magnitude, $1, $10, $100, $1000, ...?

P.S. For the record I'm not a great fan of blocking port 25 as someone
mis-cited me here, I don't really care strongly either way, it's a
tool.

I am a big, big fan of assessing charges for AUP abuse and making some
realistic attempt to try to make sure it's collectible, and otherwise
make some attempt to know who you're doing business with.

>
> > I would think that simply requiring some appropriate amount of irrevocable
> > funds (wire transfer, etc) for a deposit that will be forfeited in the case
> > of usage in violation of AUP/contract/etc would be both sufficient and not
> > excessive for allowing port 25 access, etc.
>
> Until you find out that the source of those supposedly irrevocable funds
> was stolen or fraudulent, and you have some sort of court subpoena to give
> it back.
>
> I don't believe there is a way for you to outwit the scammer/spammer by
> making them pay more of their or someone else's money. If you have what
> they need, they'll find a way to trick you into giving it to them.

Are you still trying to prove that Amazon, Dell, The World, etc can't
possibly work?

  Amazon and Dell ship physical goods. Amazon Web Services sells services,
  as do I. Services are commonly enabled and activated immediately after
  payment or verification of a valid credit card, as is often expected by
  the customer immediately after payment. Shipment of physical goods will
  almost always take at least 24 hours, often longer, enabling more thorough
  checks of credit, however they might do it.

  And even with the extra time to review the transaction and attempt to
  detect fraud, I'm confident Amazon and Dell lose millions per year due to
  fraud. The reality is that the millions they lose to fraud doesn't affect
  us because a Blu-Ray player purchased with a stolen credit card doesn't
  send spam or initiate DOS attacks.

  At least not yet; those Blu-Ray players do have an ethernet port.

By your reasoning why don't the spammers just empty out Amazon's (et
al) warehouses and retire! Oh right, they'd have to sell it all over
the internet which'd mean taking credit cards...

  Now you're just being ridiculous. Or sarcastic. :)

I am a big, big fan of assessing charges for AUP abuse and making some
realistic attempt to try to make sure it's collectible, and otherwise
make some attempt to know who you're doing business with.

  Charging whom? The spammer who pays your extra AUP abuse charges with
  stolen paypal accounts, credit cards, and legit bank accounts funded by
  money stolen from paypal accounts and transferred from stolen credit
  cards?

  If you are taking card-not-present credit card transactions over the
  Internet or phone, and not shipping physical goods but providing services,
  in my experience the merchant gets screwed, no matter how much money you
  might have charged for the privilege of using port 25 or violating AUPs.
  That money you collected and believed was yours and was in your bank
  account can be taken out just as easily 6 months later, after the lazy
  card holder finally reviews his credit card bill, sees unrecognized
  charges and says "This is fraudulent!" And there you are, without your
  money.

  Getting someone to fax their ID in takes extra time and resources, and
  means it might be hours before you get your account "approved," and for
  some service providers, part of the value of the service is the immediacy
  in which a customer can gain new service.

Beckman

Not sure what a typical sale looks like, but

Single virtual instance: ~ $72/month

from AWS:

Storage
$0.15 per GB-Month of storage used

Data Transfer
$0.100 per GB - all data transfer in

$0.170 per GB - first 10 TB / month data transfer out
$0.130 per GB - next 40 TB / month data transfer out
$0.110 per GB - next 100 TB / month data transfer out
$0.100 per GB - data transfer out / month over 150 TB

Requests
$0.01 per 1,000 PUT, POST, or LIST requests
$0.01 per 10,000 GET and all other requests*
* No charge for delete requests

Joe