SIP Attacks From Amazon EC2 Going Unaddressed

mjgraves writes "Over the past week a number of IP-PBX systems have been suffering SIP attacks from hosts in the Amazon EC2 cloud. At least a dozen known attacks have been reported to Amazon, which has been surprisingly quiet about the matter. The issue has been well documented by one of the attack victims on his blog. The matter was also discussed on the April 16th issue of the VoIP Users Conference (podcast available at the link; EC2 segment begins around 3:30). Amazon appears to have gone silent on the matter even as the attacks are ongoing. This is completely irresponsible behavior from a such a hosting company, which should be acting to take down the attacker in their midst."

Not much new here for operators ...

[rkohutek]

This is nothing new. Hosted/PBXs have been getting blown up by dedicated/VPS/cloud/whatever for ages now, all attempting to call farawayistan or $asian_country. Drop at the edge, drop at the edge.

RK

Lazy?

[kobaz]

You would think it would be pretty easily for Amazon to find and shut down the attackers... why haven't they done so already?

Re:Lazy?

[emt377]

You would think it would be pretty easily for Amazon to find and shut down the attackers... why haven't they done so already?

Perhaps because the UDP source addresses are spoofed, and the goal of the attack is to trick AWS into shutting down legitimate paying customers' businesses?

Re:Lazy?

[cts5678]

They probably never took the time to figure out how to do it.

Re:Lazy?

[Jaime2]

Maybe Amazon is trying to act as if they have no responsibility for the conduct of the users of their cloud. It's not unprecedented, if one user on a duscussion board is causing another grief, the board is not necessarily responsible for dealing with it. They also have to worry that if they take action quickly, then someone may falsely accuse a legitimate EC2 customer of hosting malware. They probably trust their paying customers first.

Re:Lazy?

[Sir_Lewk]

If the packets were spoofed, then what makes you think they even came from amazon's network?

Re:Lazy?

[kobaz]

Well, the story has the assumption that the attacks are coming from EC2. If they are indeed coming from EC2, then amazon could find the source.

But if the source is outside of amazon, with spoofed source addresses of ec2 instances that have nothing to do with the attacks... then well... that's another issue.

Re:Lazy?

[e9th]

I don't think so. One way to stop the attacks is to use pf/iptables to forward the offending REGISTERs to a bot that simply sends back a bogus "200 OK" response. As soon as the attacker thinks he's found an opening, the attack stops.

Re:Lazy?

[mysidia]

Ah... so it might not be a "violation"? Their average customer has a legitimate reason for their EC2 VM to be sending a SIP packets to 2000 new IPs every minute, and 100000 distinct IP addresses every hour?

Re:Lazy?

[mysidia]

It is trivial for Amazon to confirm the report by actually observing the traffic themselves before they act.

Re:Lazy?

[mysidia]

This is basically like an ISP arguing they are not responsible for spam sent by their downstream customers they provide internet connectivity to.

The IP addresses belong to the ISP, so they are ultimately responsible for handling any report of abuse in terms of network traffic from those IPs.

If the ISP does nothing, the IPs will eventually get blacklisted, and most blacklists will make the blacklist entry larger and larger until the ISP responds... e.g. start with blacklisting just that IP, then if it continues, blacklist the entire /24, then if it continues, blacklist that entire RIR registered IP block.

As last step... blacklist the entire AS number.

Amazon EC2 is in the same situation here. If they don't respond to serious abuse complaints like this, transit providers are going to start blackholing EC2 IPs at their border.

Eventually, this could make EC2 useless....

Re:Lazy?

[Cylix]

Since Ec2 requires a credit card I'm sure they have already been paid. However, I've wondered how long til someone uses a fraudulent card to do something vicious.

Unless the attackers were not that bright and used their actual credit cards.

Re:Lazy?

[nacturation]

However, I've wondered how long til someone uses a fraudulent card to do something vicious.

It probably took about three hours after Amazon's EC2 launch before someone used a stolen card to do something nasty.

Re:Lazy?

[amorsen]

At least one attack came from Amazon. I reported it, and Amazon has confirmed that it was their customer. The packets weren't spoofed, no attempt was made to hide their origin.

Re:Lazy?

[amorsen]

But how do you know you aren't breaking legitimate traffic?

Re:Lazy?

[amorsen]

The problem is that it's difficult to block EC2 because they are so popular. It was discussed where I work, and the conclusion was that it was infeasible.

Re:Lazy?

[GPLHost-Thomas]

I don't think a legitimate PBX will have the same kind of traffic as a SIP host scanner or PBX attacker. Legitimate SIP hosts tend to have a rather smooth bandwidth graph as conversations are on long periods of time. Don't you think it's easy to see and make the difference using nmap or just see the traffic graph? I do...

Re:Lazy?

[e9th]

You only redirect [evil-ip]/5060 UDP to the reply-bot after spotting the attack, either because people start bitching about VoIP quality or by using fail2ban or whatever to do it automatically after X registration failures from the same address. I've seen 11,000 in under 3 min., which makes the attacks easy to spot.

A different attack that really used address spoofing could cause the method I described to block legitimate traffic from a targeted site, but that would be a DoS, not a brute-force penetration attempt. The real problem is that if you have a limited bandwidth pipe, just dropping packets from [evil-ip] at the firewall doesn't help much, and by the time you've gotten your ISP (or AmazonWS) to do something about it, you're screwed.

I guess a really big-time user or VoIP provider, with multiple ISPs and a registrar server on a separate path, would be pretty much immune to these attacks, but that's above my pay grade.

Re:Lazy?

[mysidia]

A legitimate PBX should have fairly little SIP control traffic, even when calls are open.

Well, most of the traffic should be RTP audio frames over UDP, or other frames tunneled over TCP.

So if they look at a traffic graph and see SIP usage is extremely high, and RTP / other traffic is basically nonexistent, then it is really quite suspicious.

Unless this is a huge telco's SBC, then they could (in theory) have a dedicated server for control, with separate servers for dealing with audio/media.

Re:Lazy?

[GPLHost-Thomas]

Exactly. You got the point. It's not even running on the same ports, it's so easy that we could teach a kid how to track it down with nmap.

Re:Lazy?

[Gordonjcp]

So if they look at a traffic graph and see SIP usage is extremely high, and RTP / other traffic is basically nonexistent, then it is really quite suspicious.

Isn't the point of REINVITE to do just this? As I understand it, that tells the endpoints to alter the call parameters, including making their own arrangements for handling RTP traffic so the server doesn't have to touch it.

Re:Lazy?

[jopsen]

Amazon does bring down EC2 instances that violate their terms of service... But they do try contact the administrator first... I once had an instance for testing, that is it was doing nothing, then suddenly it was port scanning... :)
And Amazon asked if they could shout it down... I think they gave me a 24 hour warning...

Re:Lazy?

[guruevi]

Because Amazon is getting paid for their services. Amazon isn't making a loss when criminal syndicates use their services nor are they providing it for free to those organizations. They're probably still pumping cash into the whole EC2 thing since "cloud computing" isn't really as popular and world-changing in most businesses as was projected 5 years ago so they could probably use the $.50/GB at whatever rate these people are pumping out.

Re:Lazy?

[mysidia]

It is possible to use REINVITE in that way. In most cases it is avoided.

It still wouldn't explain abnormally high outgoing SIP traffic, with the much smaller inbound amounts.

A legitimate SIP proxy that uses REINVITES to move the audio streams elsewhere should still have at least as much inbound control traffic as outbound traffic.

Legitimate phone calls don't come from the Ether, and as far as I know you can't currently buy PRI service or a POTS connection from Amazon for your EC2 instances.

Morpheus attacks from EC2 also

[GaryOlson]

I reported a Morpheus scanner running on an EC2 instance last week. I have not received any response from Amazon either. Of course I am not an EC2 customer, so I don't expect any consideration. But, if no response is forthcoming, I expect I won't be shopping at Amazon in the future for more pedestrian needs.

Re:Morpheus attacks from EC2 also

[vilain]

Since this involved illegal computer access from an information provider (don't think Amazon's been classified as a telecom provider. yet.), why not involve the consumer fraud devision of the Washington State Attorney General. If a bunch of AG people and sheriffs descend on Amazon's offices with search warrants for "Any and all computers, disks, hardware, etc.", I think Amazon will take notice pretty quickly.

Re:Morpheus attacks from EC2 also

[LostCluster]

Bezos is a smart businessman, and as such most of his properties are separate corporations that are friends of Amazon, but maintain the ability to go bankrupt if they go wrong without bankrupting Amazon.com. Such a warrant might get the attention of EC2... but there's no way it'd stretch all the way to Amazon.com unless there was some proof of a shared resource being involved.

Re:Morpheus attacks from EC2 also

[Kaboom13]

Because everyone knows the state attorney general is always eager to royally piss off the huge, multinational corporation with an army of lawyers who is headquartered in his state and contributes a massive amount of tax revenue and jobs to the local economy. Especially when the accusation comes from some people off the internet who aren't even in his jurisdiction and he is completely unqualified to even understand the nature of the attacks beyond "bad people doing bad things according to this guy....on the internet". If its not child porn or drugs, or can make a big flashy headline, they aren't interested. And the actual data centers where the actual evidence might be are probably spread all over the world.

Re:Morpheus attacks from EC2 also

[thsths]

> If a bunch of AG people and sheriffs descend on Amazon's offices with search warrants for "Any and all computers, disks, hardware, etc.", I think Amazon will take notice pretty quickly.

Interesting option. I would go one step further: since the attack has been committed from a virtual machine, it seems reasonable to confiscate for further analysis the virtual machine in question. Now this may not be as inconvenient for Amazon, but it also makes it more likely for them to cooperate.

The point being that the police or anybody could learn very little from the cloud hardware, I assume, because everything they need is in the software. So why not have a technically sound interface for investigating virtual machines? I think in the long term that will be inevitable for Amazon, if they want to avoid hardware being seized.

Re:Morpheus attacks from EC2 also

[Rogerborg]

But as we're constantly being told, File Sharers == Hackers == Organized Crime == Drug Lords == Kiddie Pornographers == TEH TERRARISTS!!!!!1!!!

How about we use that line of... "reasoning"... for good for once?

Re:What is an SIP attack?

[LearnToSpell]

RTFA.

Re:What is an SIP attack?

[imjustmatthew]

Actually, TFA didn't say exactly, but it sounds like these SIP attacks are brute-force attempts to authenticate and initiate a session. Presumably they want to spam-call numbers on PBX without paying long distance.

What do you expect?

[teknopurge]

Cloud providers focus on scale and volume to make money; quality support doesn't scale well with volume. Why are they quiet? I wouldn't be surprised if they aren't even aware of any issues.

Re:What do you expect?

[Z34107]

The complainant in the article actually e-mailed and called Amazon several times, and got several less-than-satisfactory responses. Evidently Amazon's solution is "mediation" - you're supposed to talk to the hackers and work something out! They have zero interest in actually shutting them down.

Re:What do you expect?

[bill_mcgonigle]

They have zero interest in actually shutting them down.

Maybe if you flood-ping the offending IP from your attacked PBX their automated IDS will blackhole your IP.

Re:What do you expect?

[segedunum]

The complainant in the article actually e-mailed and called Amazon several times, and got several less-than-satisfactory responses.

I'm a bit suspicious of the correspondence in the article for a number of reasons:

1. This is nothing new. PBXs have been hit from places like China, and the first port of call is to blacklist the relevant IPs. If you don't like that then don't run the service. You can be hit by anyone from anywhere on the internet, and that's the first rule of running a service that is publicly exposed. Whinging about how evil Amazon and cloud computing is won't help you and you need to be in control of your own destiny.
2. The author gets into some correspondence with Amazon where they ask for formatted logs with the relevant dates, times and IPs. He 'says' he's 'attached' it but not that he's formatted it and it reads more like an afterthought. They state quite clearly that they will not open attachments.
3. He then proceeds to ask for an 'interview'. There is nothing to interview about, the PR manager says that and why ask unless you want to make some kind of other issue out of it and unless he wants to increase traffic to his site?
4. He says he's filled out a form that fails with an 'error' (and he doesn't say what it is), so how has he managed to get into correspondence with their 'PR manager' further down about it? There are missing pieces in the sequence of events.
5. We don't know whether the attacks really are coming from Amazon or whether they're spoofed, although there's been a comment further back that Amazon confirmed it. Where is this confirmation?
6. He gets this reply -

   Hello Fred. We believe that we've identified and shut down the illegal activity and are closing the loop with customers. We'd certainly be interested in hearing of the cases you refer to below so we can follow up.

   - but he doesn't say what happened after that other than he tried to 'reach out' to her and didn't get a response. Also, what are the cases he refers to below?

All in all I just read this as someone who has a bee in his bonnet about cloud computing or something and wants to have an opportunity to have a rant about it in order to increase site traffic as well. There are too many holes in this story.

Doesn't surprise me.

[laughingcoyote]

I've been reporting an IM spammer for several weeks now an IM spammer hosting sites with a place called Flying Croc. I've even complained to their upstream provider, but to no avail from either. Both of these have AUPs specifically prohibiting spamming from or spam being used to advertise sites on their network, but it seems the AUPs are only really intended to let the host disconnect someone they don't like, not actually to prevent their customers from launching an attack or spamming campaign. Or at least, the webcam sites being spammed for still trace right back to the same networks as they did.

Maybe there needs to be some mandatory service level from companies above a certain size (a response from a human within X days, etc.). Service seems to be getting worse and worse across the board. And maybe a requirement that if said company says something, it damn well better back it up when called upon to.

Re:Doesn't surprise me.

[JWSmythe]

    I can understand (to a degree) when a problem isn't directly addressed back. Sure, you detected it, and it's perfectly possible 10,000 other people reported the same thing.

    Knowing a little about the business, and not having enough information from you, it may be possible that the destinations that you referenced had absolutely nothing to do with it. If the destination is an affiliate sales company (i.e., affiliates make a percentage of the sale that they sent), you may have simply bounced through a page that passed on their affiliate code and never noticed it.

    http://hotchick.spammer/ redirects to http://some.cam.site?id=9999 which then redirects to http://some.cam.site/ . Some affiliate companies take that seriously, and will forbid any sales revenue from going to that affiliate. Then again, plenty see it as "not their problem" and enjoy the extra profits where they weren't directly involved in the illegal activities.

    I've seen it where site X gets spammed for, which has links to Site Y, which then has the affiliate code for site Z. Go ahead and complain to Z, it won't do you a lot of good. It will do even less if site Z is responsible for over a million per year in revenue for their provider. If it's some schmuck with a $20/yr account, it'd probably be gone in minutes.

    If I was at some large hosting company, it'd be perfectly possible to get tens (or hundreds) of thousands of complaints like yours daily. Is it worth tracking those to resolution and getting back directly to every complainer, or simply adding your complaint to the list? Ok, I would, but most won't.

    I've been on the receiving end of complaints in the past. Most of the time, the complaints were misdirected anyways. "I got a spam". Sure you did. When it's reviewed, it's simply an email stating that their membership was expiring and if they wanted to continue service they should renew. Of hundreds of thousands of those sent, they'd generate maybe a few dozen complaints like that. Sometimes they were a hosted site where a newbie webmaster had put some mailto.cgi up, and folks were spamming through it. The upstream provider would send an email saying "We've received a bunch of these", and following them through we'd find the problem, and imply reply "It's been corrected". Corrected for us meant the cgi was disabled (like chmod 000) with an email to the webmaster about how not to be a dumbass.

    Looking at the "upstream provider" web site, it looks like they're just reselling someone elses services. I could be mistaken, but I've never heard of them, and couldn't find much interesting online.

   

Re:Doesn't surprise me.

[laughingcoyote]

Well, what's actually happening is spambots over MSN. If you tell it anything long enough (it can be "fuck you" or whatever you like), it'll tell you to "see me on cam" at a site. I set up a script to get the bots to give the link (since they all use the same one, that was relatively simple), and then tracerouted the site they were advertising.

Ultimately, the site being advertised is the one responsible, in my opinion, and their host should hold them responsible. They're either directly encouraging people to spam, or at the very least running "affiliate" programs in such a manner that people are encouraged to do so and do not face consequences.

I don't think that I made a mistake as to where the hosting was, since I used the exact link the bot gives, but anything's possible. They never denied it's theirs, though.

Thanks for the insight into the situation, though-I've never myself been on the other end of that. When you get 10-30 IM spams a day, though, it sure gets frustrating pretty damn quickly, especially since I can't just ignore IM-if it is something important, I've got to respond to it.

Re:Doesn't surprise me.

[JWSmythe]

    You can email me and we can talk more about it in private, and see if we can hunt the source down a little better, or at least a better complaint route.

    I have absolutely nothing against screwing with spammers. The place I was at that I was referencing, we had a huge spam problem. It was fairly high profile, so was inundated with email spam constantly. We went as far as building our own dynamic blacklist, and even setting firewall rules against spammers. It helped that it seemed every spammer in the world hit dormant accounts, so those went straight through the system to be blocked immediately. It was all done very fairly, so no legitimate mail was delayed. That took a little doing, but I worked through our rules quick enough that the legitimate problems went away in just a few days. The providers appreciated us, because if they did get a problem report, we were quick to answer and if it was on our side we resolved it quickly.

    Being that I'm not working in a place with good Tier 1 connections any more, I can't pull any strings, but I can help.

    I agree with the IM spam. I don't use IM services unless specifically requested, and then I only stay on long enough to talk to the person who requested it. If I leave it up regardless of the network, I'll find dozens of spams within a day.

    My mom has been using Skype to talk to my sister. She's out of country, so it's been a good way to see each other. Every time I go over to fix a computer problem for her, I click through a dozen Skype spams.

*Yawn* Nothing of Interest Here

[phantomcircuit]

Basically someone used EC2 to launch dictionary attacks against SIP providers. This could have been done from data center or even by a botnet. He's just mad that amazon ignored him.

This is nothing more than someone rying to improve security through wack-a-mole.

Amazon is way too lax about abuse.

[IGnatius+T+Foobar]

There's an awful lot of spam and other abuse coming out of EC2. I'm not surprised to hear that it's being used as a source of SIP attacks as well. Amazon is quite irresponsible about handling abuse. As long as it isn't harming their systems, they wait until someone reports abuse, and then they terminate only the EC2 instance from which the attack originated. They make zero effort to thwart future attacks or prevent more abuse.

Amazon is gaining a reputation as a house of ill repute, and they deserve it.

Re:Amazon is way too lax about abuse.

[Bigjeff5]

RTFA

The sound of silence

[davidwr]

Amazon appears to have gone silent

Can you hear me now?

De-Peer

[Bruha]

I'm sure they'd take notice if Tier 1 ISP's threatened to De-Peer them.

Re:De-Peer

[JWSmythe]

Won't happen, if they're paying the bills, and the bills are large. You really have to piss off the other Tier 1 providers to get cut off. Cogent got pretty good at that at least a couple times. :) I'd be willing to bet Amazon is actually paying their bills on time. Amazon appears to be well peered, so it's not just one or two that'd have to drop them. The ones who didn't wouldn't mind the jump in revenue at all.

Re:De-Peer

[mysidia]

De-Peering isn't the only option.

Imagine if a bunch of Tier1 and Tier2 providers (who don't peer with them) adopted a policy of blocking all Amazon EC2 IP ranges at all border routers?

Re:De-Peer

[EdIII]

Everybody running an IP-PBX could also just block the entire EC2 IP ranges too. It would be freakin hilarious if Spamhaus, Spamcop, or DenyHosts added their IP ranges. That would get some activity over at Amazon pretty gosh darn quick.

However, in all seriousness, there is a better and easier solution for SIP security.

1) Just block absolutely everybody and have a whitelist on what SIP packets can make it in. Add your VOIP providers and just open up RTP. If you have phones connecting over the Internet, and not VPN, then make the whitelist dynamic. Most phones these days can be set to do HTTPS retrieval of configuration files, and the really kick ass ones do HTTPS GET on certain actions including startup and SIP registration. Whenever you get an authenticated request add that public IP to the whitelist and keep it for 24 hours.

2) Use SRTP & HTTPS to secure your traffic, exchange configuration files, and push/respond XML documents over the Internet.

3) For SIP peers/friends/users don't use the extension or MAC address for authentication. Completely unneccessary and weak on security. I have watched countless brute force attacks walk the extensions up from 1000. They can't begin to brute force the password, if they can't even find the right user name. Mine are 10 digit alphanumeric followed by the extension. Realllllly easy to handle with a dialplan too. A simple macro allows users to dial from extension to extension with the numbers they are used to, but hell on SIP hackers. Makes multi-company stuff a snap too.

4) What's with the 4-6 character passwords, or WORSE, the user name BEING the password? I guess that might be fine in a local network environment where there is a strong physical security presence, but there really is no reason for SIP passwords to NOT be 20 characters or randomly generated alphanumeric. Just lazy.

1-4 result in a system considerably harder to hack. It sure as heck won't be some scripted bot that takes it over, but a very determined and resourceful hacker.

I realize this does not account for anonymous SIP calling over the Internet using ENUM, but uhh... that is retarded anyways. Well not retarded exactly, just extremely optimistic about the benevolent nature of all mankind. Like an extremely smart 4 year girl who also dreams of having a Unicorn thought about how wonderful it would be for a universal white pages where communication, location, and routing instructions were provided for everyone.

I'm sure that exists in Star Trek where somebody's ENUM instructed them to route a subspace call to the Enterprise to Holodeck 5, but here on Earth it would be used to route some telemarketer from the Philippines to my cell phone to sell me gas cards or some wonderful product for $4 shipping and a $600 debit on my debit card to follow in 10 days....

If we really want something like that then it needs to be secured so only authorized people can decrypt your ENUM and a secure communication request would have to be sent and acknowledged, before any attempts at SIP could start, aka, layered security.

SIP had security and NAT as an afterthought unfortunately.

Re:De-Peer

[mysidia]

4) What's with the 4-6 character passwords, or WORSE, the user name BEING the password? I guess that might be fine in a local network environment where there is a strong physical security presence

Here's what happens: the PBX starts as something local only, with access from only intranet and only company IP addresses allowed. Probably rfc1918 private LAN IPs, maybe some external IP addresses of phones at other branches.

PBX admin initially designs a closed system, and everything works great, and is secure enough. Extension numbers are used for authentication, and secrets are 12345. Or some variation of the extension. This is secure enough for a trusted intranet, and very convenient, makes setup and maintenance a lot easier: no need for techs in the field to call the PBX admin and ask for the password, everyone knows the standard password used by all extensions.

Do not underestimate the inconvenience and cost regarding time and hassle involved for everyone in using a more complicated username/password assignment scheme. Security does not have an infinite value, there are always tradeoffs between the probability that a security measure prevents an attack, and the actual costs of the security measure (password management is expensive, and setting strong distinct passwords, and strong authnames for every phone is an expensive proposition).

6 - 12 months after the PBX gets deployed, some PHB in sales or upper management decides it would be really cool for them to be able to plug a phone when they are on the road, at whatever Hotel they are visiting, and at home.

They determine that connecting to the VPN is too much an inconvenience, so they order the Firewall admin to allow external IPs on the internet to be able to connect to the PBX.

So they can connect on the road. The PBX admin never hears about any of this.

It was configured in such a way that it would be a really bad idea to open it to the outside world, but other people want to do their own thing based on what they believe, understand, or think the technology is capable of (probably from talking to folks in other companies who plug their phones in wherever they want on any external network).

Re:De-Peer

[EdIII]

I agree with pretty much everything you are saying, except......

password management is expensive, and setting strong distinct passwords, and strong authnames for every phone is an expensive proposition).

That is no longer true. Maybe in the past, and you would have a point about balancing everything out, but it is no longer the case now.

My system swaps out the extension, context, authname, and secret automatically every couple of days via a cron job. Since my IP-PBX is database driven I don't need to deal with the complicated mess of rewriting PBX configuration files and reloading them either.

That *might* seem expensive to you. However, it all works because of the phones getting their configuration files regularly with more advanced options for doing so and this is what has changed.

A couple of minutes spent provisioning a phone properly can save you quite a bit. Using encrypted configuration files combine with HTTPS downloads of them (not tFTP) makes it pretty easy to set strong passwords, swap them out regularly, and not need any techs in the field needing to know any passwords at all.

Worst case scenario is reprovisioning a phone AND the techs still don't need to know the passwords. The phone gets sent back to the PBX admin and a spare was ready to go. Hotdesking and DUNDI is an awesome way to handle the extensions as well. That's how I can swap out a phone so darn easily. The employee and his/her extension was never 'hardcoded' into the phone in the first place.

An ounce of prevention is worth a pound of cure.....

Of course there are some really nice IP phones out there now that are chock full of advanced capabilities that make all of this possible now. Pushing XML documents to the phone that can change its configuration, XML applications performing HTTP GETS receiving XML documents that alter the phones configurations, etc., all with the ability to be secured via HTTPS, TLS, etc.

Now if you have Polycoms old or new.... yeah your fucked anyways and you got a lot more to worry about than SIP security. I always envisioned Pinhead from Hell Raiser heading the design on those phones. Your lucky if the phone will keep its configuration and download a new one each night in the first place. I once watched one of those bastards restart itself for TWO HOURS before finally stopping and ending up configured.

Long story short.... the technology has got way better in the last couple of years.

Re:De-Peer

[goatherder23]

just as they'd also take notice if threatened with a nuclear strike. Each case is equally likely to occur.

Maybe it's Amazon's new long distance service

[kawabago]

Maybe it's Amazon's new long distance service, talk all you want, it's someone else's dime!

Re:What is an SIP attack?

[Bigjeff5]

SIP = Session Initiation Protocol, it's the protocol that sets up and tears down the session on a VOIP call. After the initial setup, VoIP uses RTP, or Real-time Transmission Protocol to transfer the call data packets, while SIP manages the connection itself (adding callers, changing addresses, adding video, etc).

SIP is application layer protocol that sits on top of a transport protocol like TCP or UDP, which sits on top of the IP network layer. If not encrypted (it often isn't), it is vulnerable to everything TCP is, including DOS attacks, man in the middle attacks, packet sniffing, and various hardware related attacks like buffer overflows and such. Even encrypted it is still vulnerable to the hardware related attacks and DOS attacks.

What you can do with these attacks is the same as what you'd do with TCP attacks: eavesdropping, call re-routing, disconnecting calls, SIP agent impersonation to place new calls, etc.

benefit of the doubt, for now...

[dAzED1]

Had I been hearing of lots of this sort of thing, I'd be less interested in giving them the benefit of the doubt. Since I haven't, I'd like to point out that often the type of behavior that Amazon is displaying right now is due to them working with law enforcement to catch the person...versus just shutting down the instances.

Re:benefit of the doubt, for now...

[HiThere]

You can guess that sort of thing, and it *MIGHT* be true.

The problem is, that sounds an awful lot like the excuses that kept being given for the actions of various judges in the SCOx cases over the last seven years. And those were almost all eventually displayed to be wrong. So I have a hard time accepting that kind of excuse now.

It's true, the police are not the courts. But actually the courts have a better reputation for justice than do the police. And over the last seven years I've become convinced that the courts have a minimal interest in justice. Further, the police aren't under any obligation to protect you (which came as a bit of a shock to me). They usually do, because it's usually department policy. They *are* under an official obligation to enforce the laws, but in practice they can choose which laws they consider it important to be enforcing right now. And they can decide that right now it's that litterbug over there that's important, not the lynch mob. Policy means they don't usually make that decision. Usually they call for reinforcements. But there's no legal obligation.

Remember, the primary function of the police is to defend the government. After that policy determines to a great extent what they do. There are more laws than can possibly be properly enforced, so policy chooses which ones to enforce. (Currently, in the city I live in, the government is in sufficient financial distress that the primary job of the police is to enforce laws that bring in money. E.g., speeding tickets. And maintaining social order, of course...at least to the point that businesses don't flee the city, and customers are willing to shop here.) (P.S.: I don't mean that's all they do. But that's where they put their priorities.)

(N.B.: I'm exaggerating slightly to state my case clearly. But it's just an exaggeration, the directional trend is clearly evident. And it's clear where things will go if the financial condition continues to deteriorate.)

Re:benefit of the doubt, for now...

[dAzED1]

Not at all similar - SCO wasn't doing something for which they were criminally liable, they were doing something for which they were civilly liable. There aren't sting operations put in place by law enforcement to try to catch SCO and their FUD; law enforcement knows exactly where the SCO offices are.

Also note that I prefaced it by saying I am only willing to offer them that benefit due to the fact that I haven't heard complaints about this sort of thing before. Note that Amazon has it in their best interests to not be associated with spam, as it would make businesses that use them for hosting lose gmail rankings - which is terribad for legit websites. Doing that for long will make Amazon lose their webhosting business very fast.

Re:What is an SIP attack?

[Bigjeff5]

An IP-PBX system is a PBX system on an IP network. ;)

A PBX is a call center through which all phone calls for a specific area are routed - like a building or a telco's service area. It stands for Private Branch Exchange.

Re:What is an SIP attack?

When did slashdot stop being news for the nerds?

Nanu

[BlackBloq]

Nanu Nanu...

Re:What is an SIP attack?

[Bigjeff5]

What's not nerdy or newsworthy about network attacks on an IP-PBX system?

Or are we to assume that because someone is a nerd they must know everything about everything? If that were the case, why would nerds need news?

Re:Simple and obvious solution:

[Pinhedd]

Even blackholing a whole IP block wont necessarily halt attacks. The inbound UDP packet still has to be read and have its source address resolved to one that's been blackholed, assuming that it's a legitimate address to begin with.

Re:Simple and obvious solution:

[mysidia]

There is a piece of equipment that can handle this: it's called a router. And it can do all that in hardware at wire speed.

Why is Amazon allowing outgoing SIP connections?

[Animats]

Why is Amazon allowing outgoing SIP connections? That's just asking for trouble. Amazon probably shouldn't allow instances to open outgoing connections to external IP addresses (outside Amazon's "cloud") at all unless the customer signs up for that service. Most don't need it, and the ones that do need to be monitored more closely.

Re:What is an SIP attack?

[LostCluster]

So, by definition, a SIP attack is a use of a the protocol in an unauthorized way (trying to simulate an incoming call that doesn't exist, or trying to authenticate as an account that doesn't belong to you...) and even though there's no known theft of service yet, it still interferes with the legit users.

Re:What is an SIP attack?

[fotoguzzi]

Or you could type a few words into a paragraph that told the basics of the story. If you did this on a systematic basis, you would have to think of a word for a paragraph that summarized a longer story; maybe, a summarization?

Re:Simple and obvious solution:

[giesen]

I think you're overly optimistic about the performance of most routers...

VoIP is a nasty market ...

[GNUALMAFUERTE]

That's why you use IAX2 every time it's possible, even better if it's listening on a non-standard port. If you receive only big-ass traffic (carrier2carrier) you are already expecting traffic from certain IPs, and so you drop anything else at the firewall. If you also receive small traffic (softphones, etc) you use a different server for that, with different policies. All accounts require a mandatory huge password (md5 of a random number will do) and they all have a very clean and small per-month and per-day traffic limit. You monitor all of your accounts and match that days traffic against their average, and take a closer look to anything that goes above the mark. You restrict simultaneous calls to two unless specifically asked to do otherwise on a specific account. You run port sentry and you actively block anything suspicious. You ban access to all sip accounts from Brasil, Russia and China, and you only unblock that for specific accounts upon customer request.

I receive a shitload of weird attempts on all my servers, mostly to ssh, apache and asterisk. Most of them are bots and those attacks are not targeted. Every once in a while I get something targeted, and rarely it's something sophisticated.

The internet is a wild place. It's your duty as a sysadmin to stay on top. Doing your job well is easier than asking other people to be nice.

Reporting is useless

[GPLHost-Thomas]

As a web host, like every other company of this type, we had our bunch of hackers getting-in (credit card and paypal account fraudsters/scammer mostly). As we record each IP used to register and systematically check what has been written in the registration form, many times, we have seen hackers registering with a proxy on another host. Each time we see this behavior, we get in touch with our peer, to let them know that we believe they've been hacked, and which IP (together with a timestamp) to investigate.

Very few times, we received such report. Very few times, we received an answer from these host we warned. I believe that we also sent such email at least once to Amazon and didn't get an answer.

I've come to the conclusion that, unfortunately, it is useless to do reporting (even though we will still continue to do so as this is a mater of ethic as well). It has been YEARS like this, and governments don't seem to care anyway.

Re:Reporting is useless

[nicolas.kassis]

Be careful what you wish for. Governments would be worse.

Re:Reporting is useless

[GPLHost-Thomas]

Governments only care about so-called terrorists and pedophile to block your Internet for bad reasons, or restrict you from downloading. They don't care about the real issues that merchant are facing, and that the visa system has been totally broken for YEARS with nobody doing anything about this situation. So yes, I do wish them to stop silly laws like DMCA and the like, and start doing real police work to catch the fraudsters, and I can't see how it could be worse than today.

Re:Reporting is useless

[cbreak]

The Visa system is Visa's responsibility. I heard claims that it will fix itself due to the Power of the Free Market. Unfortunately, silly laws like the DMCA are here to stay. They have been created after all with the Power of the Free Market (the best laws you can buy for money).

Re:Why is Amazon allowing outgoing SIP connections

[nicolas.kassis]

I hope you are being sarcastic here right? I mean EC2 isn't only for simple web site hosting. There are tons of services that need outside access. SIP might be less common but it's still a possible that someone would use it for legal things like alerting a sysadmin that his EC2 is spamming the world. I could see a ACL service being provided by Amazon as a good idea but in the end, a lot of people will just open everything to make debugging simple.

I do get a ton of EC2 scanning and ssh attacks on a VPS instance I have with another provider. I still don't think we should automatically kill all of EC2 for this. I would consider dropping all packets from EC2 but I'm not sure if this will block S3 also which I'm planning to use.

Re:Here is the problem

[nicolas.kassis]

I don't believe this is Amazon real intent here. If these IPs end up dirtied and on black lists around the world, this could cause them more trouble. But why should they automatically disconnect these instances without first investigating.

Re:And what makes you think.....

[nicolas.kassis]

I don't think this should be down modded so quickly. He has a point, in what way is Amazon forced to tell this guy if they killed this spammers account or not.

Amazon EC2 Flood Attacks Continue

[randulo]

I agree and I am disgusted by Amazon's lack of cogent response. I just wrote to them about losing my business. Since I use AWS and have been purchasing from Amazon since they started, this is no joke, but it will take more than one customer doing this to make them wake up. Please keep posting on the web if you are convinced that they should be proactive in resolving the attacks quickly. This is NOT comparable to spammers abuse. In one case, 200 register requests per second were being received. Yes, you can drop packets but your connection itself is still being hit at that level. Best case, your upstream might drop the packets. This would actually be a business plan for someone: guaranteed packet filtering before your own connection. In that case, you only need to enter an IP or range, and you'd never see that IP again. Unfortunately, it isn't that simple with some of these attacks, I I guess EC2 makes them easier to perform, which is a part of my complaint. Keep hammering until this is resolved! It's legitimate to complain about their lack of reaction.

Not Rocket Surgery

[Ashcrow]

Surprise, a company released a hosted service (in this case 'cloud computing') where they did not have well thought through security support. AWS is a hot bed of bad activity. So are many of the other cloud providers (to lesser degrees related to popularity of the service). It's going to get worse before it gets better so make sure your own infra is ready to deal with the attacks through blocking on the edge, host firewalls, IDS, whatever you deem is helpful for your setup ... and don't be afraid to block outright and request the addition of the IP's to a public block list.

But that is just my $0.02.

Of course, someone *could* use an AWS account to send calls to her phone over and over .... but that would be bad :-).

Amazon should be compelled to remedy the attack

[mjgraves]

As I see it Amazon should be compelled to act. Failure for them to do so is in effect harboring a fugitive. While there are ways to reduce the impact of the attack at your firewall that does not overcome the fact that it consumes all of the targets available bandwidth. You can protect your systems, but you remain cutoff from the rest of the world. It's a classic DOS attack just moving to the voip application space. That this is not getting much attention is a travesty. Amazon needs to be a more responsible corporate citizen, or face the consequences. It's up to use to determine what those consequences might be. I for one have simply committed to boycot Amazon as I explained here: http://www.mgraves.org/voip/2010/04/amazon-you-got-some-splaining-to-do/

Re:Amazon should be compelled to remedy the attack

[randulo]

FWIW, my email to Amazon (about losing my business) resulted in the boilerplate reply with a link to the complaint form.

Re:Simple and obvious solution:

[Pinhedd]

Yes I know what a router is, but routers also have limits as to what they are able to process in a given amount of time. Even if a router can switch a million packets a second a half decent botnet could still bring that to a crawl

Re:Simple and obvious solution:

[mysidia]

We're talking about SIP brute forcing here, not DoS. Most botnets are not large enough to emit a 1 million pps flood, especially not accidentally, while trying to brute force SIP registration.

Most of the ones that are large enough, are unlikely to be used to create such a large flood against you. They got so large by avoiding detection, and sending too large of floods from a node results in detection.

Large botnets get rented out to perform activities profitable to people who rent services from their owner. Usually spam sending.

Unless you allow IRC on your network, or one of your customers is with the anti-botnet/anti-spam camp and the botnet operator sees you as a threat, or you are a national company suitable for extortion, you are extremely unlikely to be singled out to receive a 1 million pps flood.

You are far more likely to be sending such a flood, due to compromise of hosts on your network.

Re:Simple and obvious solution:

[Hurricane78]

Aaahh.. so the PHB types have got mod points. I see...

Them being PHBs, they obviously can’t stand reality, and rather kill the messenger (me).

Yay. Great job. Well done PHBs and in-a-castle-on-clouds-livers. Pat yourself on the back. Another problem “solved”.

Let’s see who’s the one laughing at who, in the end. ^^

Could they just not...

[hesaigo999ca]

Could they just not allow any of the cloud computing to even send out these specific attacks, or raise a flag to the admins what is going on, or are they helpless as their contracts bind them to allow whatever is going on to continue because they rented out those cycles and now can not touch them by law, because they are bound by contract?

Amazon responds

[frnkblk]

Amazon has posted a security bulleting on their website addressing this issue: https://aws.amazon.com/security/ Frank

Re:Amazon responds

[mjgraves]

This a very lame response to have taken 10 days for consideration. I think that if it happens again I would report it to Amazon at the very some time that I reported it to the FBI Cyber-crimes unit.