Slashdot Mirror


SIP Attacks From Amazon EC2 Going Unaddressed

mjgraves writes "Over the past week a number of IP-PBX systems have been suffering SIP attacks from hosts in the Amazon EC2 cloud. At least a dozen known attacks have been reported to Amazon, which has been surprisingly quiet about the matter. The issue has been well documented by one of the attack victims on his blog. The matter was also discussed on the April 16th issue of the VoIP Users Conference (podcast available at the link; EC2 segment begins around 3:30). Amazon appears to have gone silent on the matter even as the attacks are ongoing. This is completely irresponsible behavior from such a hosting company, which should be acting to take down the attacker in their midst."

6 of 104 comments

  1. Doesn't surprise me. by laughingcoyote · · Score: 3, Interesting

    I've been reporting an IM spammer for several weeks now, an IM spammer hosting sites with a place called Flying Croc. I've even complained to their upstream provider, but to no avail from either. Both of these have AUPs specifically prohibiting spamming from or spam being used to advertise sites on their network, but it seems the AUPs are only really intended to let the host disconnect someone they don't like, not actually to prevent their customers from launching an attack or spamming campaign. Or at least, the webcam sites being spammed for still trace right back to the same networks as they did.

    Maybe there needs to be some mandatory service level from companies above a certain size (a response from a human within X days, etc.). Service seems to be getting worse and worse across the board. And maybe a requirement that if said company says something, it damn well better back it up when called upon to.

    --
    To fight the war on terror, stop being afraid.
  2. Re:Morpheus attacks from EC2 also by vilain · · Score: 4, Interesting

    Since this involved illegal computer access from an information provider (don't think Amazon's been classified as a telecom provider. yet.), why not involve the consumer fraud division of the Washington State Attorney General? If a bunch of AG people and sheriffs descend on Amazon's offices with search warrants for "Any and all computers, disks, hardware, etc.", I think Amazon will take notice pretty quickly.

  3. Amazon is way too lax about abuse. by IGnatius T Foobar · · Score: 3, Interesting

    There's an awful lot of spam and other abuse coming out of EC2. I'm not surprised to hear that it's being used as a source of SIP attacks as well. Amazon is quite irresponsible about handling abuse. As long as it isn't harming their systems, they wait until someone reports abuse, and then they terminate only the EC2 instance from which the attack originated. They make zero effort to thwart future attacks or prevent more abuse.

    Amazon is gaining a reputation as a house of ill repute, and they deserve it.

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
  4. Re:What do you expect? by bill_mcgonigle · · Score: 4, Interesting

    They have zero interest in actually shutting them down.

    Maybe if you flood-ping the offending IP from your attacked PBX their automated IDS will blackhole your IP.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  5. Re:Lazy? by e9th · · Score: 3, Interesting

    I don't think so. One way to stop the attacks is to use pf/iptables to forward the offending REGISTERs to a bot that simply sends back a bogus "200 OK" response. As soon as the attacker thinks he's found an opening, the attack stops.
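
Added illustration of the decoy described in comment 5, not code from any poster in this thread: it builds the bogus "200 OK" for a redirected REGISTER by echoing the headers RFC 3261 requires a response to copy, and logs the source address. The UDP port 5070, the function names and the sample message are assumptions made for the example; the pf/iptables redirect rule itself is left to the operator.

```python
# Added example (not from the thread): decoy for SIP REGISTER probes, RFC 3261 layout.
import secrets
import socket

COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact"}
REQUIRED = ("via", "from", "to", "call-id", "cseq")  # a response must echo these

def decoy_ok(raw: bytes):
    """Return a bogus 200 OK for a REGISTER request, or None for anything else."""
    try:
        lines = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8").split("\r\n")
        method, _uri, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if method != "REGISTER" or version != "SIP/2.0":
        return None
    out, seen = ["SIP/2.0 200 OK"], set()
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        key = COMPACT.get(name.strip().lower(), name.strip().lower())
        if not sep or key not in REQUIRED + ("contact",):
            continue  # drop everything the response does not need
        value = value.strip()
        if key == "to" and "tag=" not in value:
            value += ";tag=" + secrets.token_hex(4)  # the responder adds a To tag
        out.append(f"{name.strip()}: {value}")
        seen.add(key)
    if not seen.issuperset(REQUIRED):
        return None  # malformed probe: stay silent
    out += ["Expires: 3600", "Content-Length: 0", "", ""]
    return "\r\n".join(out).encode("utf-8")

def serve(host="0.0.0.0", port=5070):
    """Answer redirected REGISTERs over UDP; port 5070 is an assumed redirect target."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, addr = sock.recvfrom(4096)
            reply = decoy_ok(data)
            if reply:
                print(f"decoy 200 OK sent to {addr[0]}:{addr[1]}")
                sock.sendto(reply, addr)

# Constructed sample probe (documentation addresses only), handy for a quick check.
SAMPLE = (b"REGISTER sip:pbx.example.com SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
          b"From: <sip:100@pbx.example.com>;tag=1928301774\r\n"
          b"To: <sip:100@pbx.example.com>\r\nCall-ID: a84b4c76e66710\r\n"
          b"CSeq: 1 REGISTER\r\nContact: <sip:100@192.0.2.10:5060>\r\n\r\n")
```

Calling `serve()` starts the listener; `decoy_ok(SAMPLE)` shows the reply it would send without opening a socket.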

  6. Re:Morpheus attacks from EC2 also by thsths · · Score: 2, Interesting

    > If a bunch of AG people and sheriffs descend on Amazon's offices with search warrants for "Any and all computers, disks, hardware, etc.", I think Amazon will take notice pretty quickly.

    Interesting option. I would go one step further: since the attack has been committed from a virtual machine, it seems reasonable to confiscate for further analysis the virtual machine in question. Now this may not be as inconvenient for Amazon, but it also makes it more likely for them to cooperate.

    The point being that the police or anybody could learn very little from the cloud hardware, I assume, because everything they need is in the software. So why not have a technically sound interface for investigating virtual machines? I think in the long term that will be inevitable for Amazon, if they want to avoid hardware being seized.