SIP Attacks From Amazon EC2 Going Unaddressed
mjgraves writes "Over the past week a number of IP-PBX systems have been suffering SIP attacks from hosts in the Amazon EC2 cloud. At least a dozen known attacks have been reported to Amazon, which has been surprisingly quiet about the matter. The issue has been well documented by one of the attack victims on his blog. The matter was also discussed on the April 16th issue of the VoIP Users Conference (podcast available at the link; EC2 segment begins around 3:30). Amazon appears to have gone silent on the matter even as the attacks are ongoing. This is completely irresponsible behavior from a such a hosting company, which should be acting to take down the attacker in their midst."
This is nothing new. Hosted/PBXs have been getting blown up by dedicated/VPS/cloud/whatever for ages now, all attempting to call farawayistan or $asian_country. Drop at the edge, drop at the edge.
RK
You would think it would be pretty easy for Amazon to find and shut down the attackers... why haven't they done so already?
The goal of computer science is to build something that will last at least until we've finished building it.
I did not RTFA.
I reported a Morpheus scanner running on an EC2 instance last week. I have not received any response from Amazon either. Of course I am not an EC2 customer, so I don't expect any consideration. But, if no response is forthcoming, I expect I won't be shopping at Amazon in the future for more pedestrian needs.
Every man's island needs an ocean; choose your ocean carefully.
Sorry but Amazon EC2 == Cloud == Perfect.
Cloud providers focus on scale and volume to make money; quality support doesn't scale well with volume. Why are they quiet? I wouldn't be surprised if they aren't even aware of any issues.
Website Hosting
I've been reporting, for several weeks now, an IM spammer hosting sites with a place called Flying Croc. I've even complained to their upstream provider, but to no avail from either. Both of these have AUPs specifically prohibiting spamming from or spam being used to advertise sites on their network, but it seems the AUPs are only really intended to let the host disconnect someone they don't like, not actually to prevent their customers from launching an attack or spamming campaign. Or at least, the webcam sites being spammed for still trace right back to the same networks as they did.
Maybe there needs to be some mandatory service level from companies above a certain size (a response from a human within X days, etc.). Service seems to be getting worse and worse across the board. And maybe a requirement that if said company says something, it damn well better back it up when called upon to.
To fight the war on terror, stop being afraid.
made up solely of compromised PBXs, right ? ;-p
Basically someone used EC2 to launch dictionary attacks against SIP providers. This could have been done from data center or even by a botnet. He's just mad that amazon ignored him.
This is nothing more than someone trying to improve security through whack-a-mole.
There's an awful lot of spam and other abuse coming out of EC2. I'm not surprised to hear that it's being used as a source of SIP attacks as well. Amazon is quite irresponsible about handling abuse. As long as it isn't harming their systems, they wait until someone reports abuse, and then they terminate only the EC2 instance from which the attack originated. They make zero effort to thwart future attacks or prevent more abuse.
Amazon is gaining a reputation as a house of ill repute, and they deserve it.
Tired of FB/Google censorship? Visit UNCENSORED!
Amazon appears to have gone silent
Can you hear me now?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I'm sure they'd take notice if Tier 1 ISPs threatened to de-peer them.
Maybe it's Amazon's new long distance service, talk all you want, it's someone else's dime!
Had I been hearing of lots of this sort of thing, I'd be less interested in giving them the benefit of the doubt. Since I haven't, I'd like to point out that often the type of behavior that Amazon is displaying right now is due to them working with law enforcement to catch the person...versus just shutting down the instances.
Just block all IPs belonging to “cloud” servers. I mean, you know what kind of types use those services... the types that love management buzzwords. PHB types. And other people you wouldn’t exactly call “competent”... if you know what I mean.
You want to avoid any contact with such types anyway. So you can only benefit from blocking such enterprisey consultant hatcheries.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Nanu Nanu...
Why is Amazon allowing outgoing SIP connections? That's just asking for trouble. Amazon probably shouldn't allow instances to open outgoing connections to external IP addresses (outside Amazon's "cloud") at all unless the customer signs up for that service. Most don't need it, and the ones that do need to be monitored more closely.
The people doing the attacking from Amazon are paying customers, and revenue always comes first. (i.e. Don't expect a lot of help)
That's why you use IAX2 every time it's possible, even better if it's listening on a non-standard port. If you receive only big-ass traffic (carrier2carrier) you are already expecting traffic from certain IPs, and so you drop anything else at the firewall. If you also receive small traffic (softphones, etc) you use a different server for that, with different policies. All accounts require a mandatory huge password (md5 of a random number will do) and they all have a very clean and small per-month and per-day traffic limit. You monitor all of your accounts and match that day's traffic against their average, and take a closer look at anything that goes above the mark. You restrict simultaneous calls to two unless specifically asked to do otherwise on a specific account. You run port sentry and you actively block anything suspicious. You ban access to all SIP accounts from Brazil, Russia and China, and you only unblock that for specific accounts upon customer request.
I receive a shitload of weird attempts on all my servers, mostly to ssh, apache and asterisk. Most of them are bots and those attacks are not targeted. Every once in a while I get something targeted, and rarely it's something sophisticated.
The internet is a wild place. It's your duty as a sysadmin to stay on top. Doing your job well is easier than asking other people to be nice.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
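The per-source and per-account checks described in the post above (repeated failed REGISTERs from one host, and a day's call minutes far above an account's average) as an added Python example; this is not code from any poster on this thread, and the Asterisk-style log lines, account figures and thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample lines in the style of Asterisk chan_sip registration
# failure notices (not from a real system); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = """\
[Apr 16 05:01:02] NOTICE[2201] chan_sip.c: Registration from '"100" <sip:100@198.51.100.10>' failed for '203.0.113.5:5060' - Wrong password
[Apr 16 05:01:02] NOTICE[2201] chan_sip.c: Registration from '"101" <sip:101@198.51.100.10>' failed for '203.0.113.5:5060' - Wrong password
[Apr 16 05:01:03] NOTICE[2201] chan_sip.c: Registration from '"102" <sip:102@198.51.100.10>' failed for '203.0.113.5:5060' - Wrong password
[Apr 16 05:01:03] NOTICE[2201] chan_sip.c: Registration from '"103" <sip:103@198.51.100.10>' failed for '203.0.113.5:5060' - No matching peer found
[Apr 16 05:07:44] NOTICE[2201] chan_sip.c: Registration from '"alice" <sip:alice@198.51.100.10>' failed for '192.0.2.77:5060' - Wrong password
"""

FAILED_REG = re.compile(
    r"Registration from '.*?<sip:(?P<user>[^@>]+)@[^>]*>' failed for '(?P<ip>[\d.]+):\d+'"
)

def failed_registrations(log_text):
    """Return (failures per source IP, set of usernames tried per source IP)."""
    per_ip = Counter()
    users_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if m:
            per_ip[m["ip"]] += 1
            users_by_ip[m["ip"]].add(m["user"])
    return per_ip, users_by_ip

def sources_to_block(log_text, max_failures=3, max_users=2):
    """A source that fails repeatedly, or cycles through several different
    usernames, is an enumeration scan rather than one mistyped password.
    Thresholds are constructed; tune them to the deployment."""
    per_ip, users_by_ip = failed_registrations(log_text)
    return sorted(ip for ip in per_ip
                  if per_ip[ip] >= max_failures or len(users_by_ip[ip]) >= max_users)

def accounts_over_mark(today_minutes, history_minutes, factor=2.0, floor=30):
    """Flag accounts whose call minutes today exceed `factor` times their
    average day (an account with no history is compared against zero).
    Accounts below `floor` minutes are ignored to avoid noise on tiny users."""
    flagged = []
    for acct, minutes in today_minutes.items():
        hist = history_minutes.get(acct, [])
        avg = mean(hist) if hist else 0.0
        if minutes >= floor and minutes > factor * avg:
            flagged.append(acct)
    return sorted(flagged)
```

The output of `sources_to_block` is the list you would feed to your edge firewall or IPS, and `accounts_over_mark` is the daily review list for the toll-fraud check the post describes.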
As a web host, like every other company of this type, we had our bunch of hackers getting in (credit card and PayPal account fraudsters/scammers mostly). As we record each IP used to register and systematically check what has been written in the registration form, many times we have seen hackers registering with a proxy on another host. Each time we see this behavior, we get in touch with our peer to let them know that we believe they've been hacked, and which IP (together with a timestamp) to investigate.
Very few times have we received such a report. Very few times have we received an answer from the hosts we warned. I believe that we also sent such an email at least once to Amazon and didn't get an answer.
I've come to the conclusion that, unfortunately, it is useless to do reporting (even though we will still continue to do so, as this is a matter of ethics as well). It has been YEARS like this, and governments don't seem to care anyway.
And what makes you think Amazon is NOT already doing anything? I think it's AMAZING that everyone thinks they have the right to know everything about everyone today! Well, news flash: you don't. I wonder exactly who on this post is an Amazon stockholder. Hummmm, probably no one, so again shut your pie hole. I really don't care about Amazon or any other site people buy from online. I still choose the brick and mortar store, so I am not out to directly defend Amazon, but people are losing their minds today about what THEY think they have the right to know, as if the CEO needs to address every living being in the U.S.
I hope you are being sarcastic here, right? I mean EC2 isn't only for simple web site hosting. There are tons of services that need outside access. SIP might be less common but it's still possible that someone would use it for legal things like alerting a sysadmin that his EC2 is spamming the world. I could see an ACL service being provided by Amazon as a good idea, but in the end a lot of people will just open everything to make debugging simple.
I do get a ton of EC2 scanning and ssh attacks on a VPS instance I have with another provider. I still don't think we should automatically kill all of EC2 for this. I would consider dropping all packets from EC2 but I'm not sure if this will block S3 also which I'm planning to use.
I think that the biggest problem here is that Asterisk doesn't have any protection for such kind of attack.
We have used Asterisk before and it was crashing or not responding even when flooded with 5 Mbit/s (registration attempts).
Now we are using mizutech voip server (http://www.mizu-voip.com/) and that is still alive up to 1 Gbit/s of flooding (yes, we have received registration attempts at 1 Gbit/s in the last month from various sources, and the legitimate traffic was still alive... with some packet retransmissions when our network was fully utilized). I don't know about other SIP servers, but Asterisk is very bad in such things out of the box, although some fine-tuning is possible if you enable some modules.
Our bank has been getting the pants scanned off of it since last year on just about any protocol you can think of. All we get back from Amazon is an automated reply. Snort IDS signatures were created by Emerging Threats a few months ago and we're dropping all of their IP blocks via our IPS. It's not just EC2 USA, it's coming from their Europe addresses also.
Their automated reply actually said it was an advantage of their service that they let the customers run their own servers, not Amazon. Yeah, so they can take in the money despite the damage they're permitting.
Do everyone a favor and file a report with the local office of the FBI in the USA for your company.
I agree and I am disgusted by Amazon's lack of cogent response. I just wrote to them about losing my business. Since I use AWS and have been purchasing from Amazon since they started, this is no joke, but it will take more than one customer doing this to make them wake up. Please keep posting on the web if you are convinced that they should be proactive in resolving the attacks quickly. This is NOT comparable to spammer abuse. In one case, 200 REGISTER requests per second were being received. Yes, you can drop packets, but your connection itself is still being hit at that level. Best case, your upstream might drop the packets. This would actually be a business plan for someone: guaranteed packet filtering before your own connection. In that case, you only need to enter an IP or range, and you'd never see that IP again. Unfortunately, it isn't that simple with some of these attacks, and I guess EC2 makes them easier to perform, which is a part of my complaint. Keep hammering until this is resolved! It's legitimate to complain about their lack of reaction.
Surprise, a company released a hosted service (in this case 'cloud computing') where they did not have well thought through security support. AWS is a hotbed of bad activity. So are many of the other cloud providers (to lesser degrees, related to the popularity of the service). It's going to get worse before it gets better, so make sure your own infra is ready to deal with the attacks through blocking on the edge, host firewalls, IDS, whatever you deem is helpful for your setup... and don't be afraid to block outright and request the addition of the IPs to a public block list.
.... but that would be bad :-).
But that is just my $0.02.
Of course, someone *could* use an AWS account to send calls to her phone over and over
As I see it, Amazon should be compelled to act. Failure for them to do so is in effect harboring a fugitive. While there are ways to reduce the impact of the attack at your firewall, that does not overcome the fact that it consumes all of the target's available bandwidth. You can protect your systems, but you remain cut off from the rest of the world. It's a classic DoS attack just moving to the VoIP application space. That this is not getting much attention is a travesty. Amazon needs to be a more responsible corporate citizen, or face the consequences. It's up to us to determine what those consequences might be. I for one have simply committed to boycott Amazon, as I explained here: http://www.mgraves.org/voip/2010/04/amazon-you-got-some-splaining-to-do/
After I complained I received an acknowledgement that the activity was coming from their network and they had stopped it.
BUT not a fucking thing had changed - the port scanning just kept right on happening.
I sent them an email "If you fuck with me I will take legal action against you". The traffic soon stopped but then I got emails from a guy who used the same moniker as Amazon Cloud Computing, saying "from your friend in the cloud"..... and he jerked himself off to my surprise and delight - for all concerned, by making threats to expose me as a cunt - well I know I am a cunt so what was his point? And life goes on.
Voting up, Voting down - If I really gave a fuck about your approval or not, I'd come and ask you.
Could they just not allow any of the cloud computing to even send out these specific attacks, or raise a flag to the admins about what is going on? Or are they helpless, as their contracts bind them to allow whatever is going on to continue because they rented out those cycles and now cannot touch them by law, because they are bound by contract?
Amazon has posted a security bulletin on their website addressing this issue: https://aws.amazon.com/security/ Frank