SIP Attacks From Amazon EC2 Going Unaddressed

mjgraves writes "Over the past week a number of IP-PBX systems have been suffering SIP attacks from hosts in the Amazon EC2 cloud. At least a dozen known attacks have been reported to Amazon, which has been surprisingly quiet about the matter. The issue has been well documented by one of the attack victims on his blog. The matter was also discussed on the April 16th issue of the VoIP Users Conference (podcast available at the link; EC2 segment begins around 3:30). Amazon appears to have gone silent on the matter even as the attacks are ongoing. This is completely irresponsible behavior from a such a hosting company, which should be acting to take down the attacker in their midst."

Re:What do you expect?

[Z34107]

The complainant in the article actually e-mailed and called Amazon several times, and got several less-than-satisfactory responses. Evidently Amazon's solution is "mediation" - you're supposed to talk to the hackers and work something out! They have zero interest in actually shutting them down.

Re:What is an SIP attack?

[Bigjeff5]

SIP = Session Initiation Protocol, it's the protocol that sets up and tears down the session on a VOIP call. After the initial setup, VoIP uses RTP, or Real-time Transmission Protocol to transfer the call data packets, while SIP manages the connection itself (adding callers, changing addresses, adding video, etc).

SIP is application layer protocol that sits on top of a transport protocol like TCP or UDP, which sits on top of the IP network layer. If not encrypted (it often isn't), it is vulnerable to everything TCP is, including DOS attacks, man in the middle attacks, packet sniffing, and various hardware related attacks like buffer overflows and such. Even encrypted it is still vulnerable to the hardware related attacks and DOS attacks.

What you can do with these attacks is the same as what you'd do with TCP attacks: eavesdropping, call re-routing, disconnecting calls, SIP agent impersonation to place new calls, etc.

Re:What is an SIP attack?

[Bigjeff5]

An IP-PBX system is a PBX system on an IP network. ;)

A PBX is a call center through which all phone calls for a specific area are routed - like a building or a telco's service area. It stands for Private Branch Exchange.

Re:Doesn't surprise me.

[JWSmythe]

    I can understand (to a degree) when a problem isn't directly addressed back. Sure, you detected it, and it's perfectly possible 10,000 other people reported the same thing.

    Knowing a little about the business, and not having enough information from you, it may be possible that the destinations that you referenced had absolutely nothing to do with it. If the destination is an affiliate sales company (i.e., affiliates make a percentage of the sale that they sent), you may have simply bounced through a page that passed on their affiliate code and never noticed it.

    http://hotchick.spammer/ redirects to http://some.cam.site?id=9999 which then redirects to http://some.cam.site/ . Some affiliate companies take that seriously, and will forbid any sales revenue from going to that affiliate. Then again, plenty see it as "not their problem" and enjoy the extra profits where they weren't directly involved in the illegal activities.

    I've seen it where site X gets spammed for, which has links to Site Y, which then has the affiliate code for site Z. Go ahead and complain to Z, it won't do you a lot of good. It will do even less if site Z is responsible for over a million per year in revenue for their provider. If it's some schmuck with a $20/yr account, it'd probably be gone in minutes.

    If I was at some large hosting company, it'd be perfectly possible to get tens (or hundreds) of thousands of complaints like yours daily. Is it worth tracking those to resolution and getting back directly to every complainer, or simply adding your complaint to the list? Ok, I would, but most won't.

    I've been on the receiving end of complaints in the past. Most of the time, the complaints were misdirected anyways. "I got a spam". Sure you did. When it's reviewed, it's simply an email stating that their membership was expiring and if they wanted to continue service they should renew. Of hundreds of thousands of those sent, they'd generate maybe a few dozen complaints like that. Sometimes they were a hosted site where a newbie webmaster had put some mailto.cgi up, and folks were spamming through it. The upstream provider would send an email saying "We've received a bunch of these", and following them through we'd find the problem, and imply reply "It's been corrected". Corrected for us meant the cgi was disabled (like chmod 000) with an email to the webmaster about how not to be a dumbass.

    Looking at the "upstream provider" web site, it looks like they're just reselling someone elses services. I could be mistaken, but I've never heard of them, and couldn't find much interesting online.

   

Re:Lazy?

[amorsen]

At least one attack came from Amazon. I reported it, and Amazon has confirmed that it was their customer. The packets weren't spoofed, no attempt was made to hide their origin.