Slashdot Mirror


SIP Attacks From Amazon EC2 Going Unaddressed

mjgraves writes "Over the past week a number of IP-PBX systems have been suffering SIP attacks from hosts in the Amazon EC2 cloud. At least a dozen known attacks have been reported to Amazon, which has been surprisingly quiet about the matter. The issue has been well documented by one of the attack victims on his blog. The matter was also discussed on the April 16th issue of the VoIP Users Conference (podcast available at the link; EC2 segment begins around 3:30). Amazon appears to have gone silent on the matter even as the attacks are ongoing. This is completely irresponsible behavior from such a hosting company, which should be acting to take down the attacker in their midst."

28 of 104 comments

  1. Not much new here for operators ... by rkohutek · · Score: 2, Informative

    This is nothing new. Hosted/PBXs have been getting blown up by dedicated/VPS/cloud/whatever for ages now, all attempting to call farawayistan or $asian_country. Drop at the edge, drop at the edge.

    RK

  2. Morpheus attacks from EC2 also by GaryOlson · · Score: 2, Informative

    I reported a Morpheus scanner running on an EC2 instance last week. I have not received any response from Amazon either. Of course I am not an EC2 customer, so I don't expect any consideration. But, if no response is forthcoming, I expect I won't be shopping at Amazon in the future for more pedestrian needs.

    --
    Every man's island needs an ocean; choose your ocean carefully.
    1. Re:Morpheus attacks from EC2 also by vilain · · Score: 4, Interesting

      Since this involved illegal computer access from an information provider (don't think Amazon's been classified as a telecom provider. yet.), why not involve the consumer fraud division of the Washington State Attorney General. If a bunch of AG people and sheriffs descend on Amazon's offices with search warrants for "Any and all computers, disks, hardware, etc.", I think Amazon will take notice pretty quickly.

    2. Re:Morpheus attacks from EC2 also by LostCluster · · Score: 4, Insightful

      Bezos is a smart businessman, and as such most of his properties are separate corporations that are friends of Amazon, but maintain the ability to go bankrupt if they go wrong without bankrupting Amazon.com. Such a warrant might get the attention of EC2... but there's no way it'd stretch all the way to Amazon.com unless there was some proof of a shared resource being involved.

    3. Re:Morpheus attacks from EC2 also by Kaboom13 · · Score: 2, Insightful

      Because everyone knows the state attorney general is always eager to royally piss off the huge, multinational corporation with an army of lawyers who is headquartered in his state and contributes a massive amount of tax revenue and jobs to the local economy. Especially when the accusation comes from some people off the internet who aren't even in his jurisdiction and he is completely unqualified to even understand the nature of the attacks beyond "bad people doing bad things according to this guy....on the internet". If it's not child porn or drugs, or can't make a big flashy headline, they aren't interested. And the actual data centers where the actual evidence might be are probably spread all over the world.

    4. Re:Morpheus attacks from EC2 also by thsths · · Score: 2, Interesting

      > If a bunch of AG people and sheriffs descend on Amazon's offices with search warrants for "Any and all computers, disks, hardware, etc.", I think Amazon will take notice pretty quickly.

      Interesting option. I would go one step further: since the attack has been committed from a virtual machine, it seems reasonable to confiscate for further analysis the virtual machine in question. Now this may not be as inconvenient for Amazon, but it also makes it more likely for them to cooperate.

      The point being that the police or anybody could learn very little from the cloud hardware, I assume, because everything they need is in the software. So why not have a technically sound interface for investigating virtual machines? I think in the long term that will be inevitable for Amazon, if they want to avoid hardware being seized.

  3. Re:What is an SIP attack? by LearnToSpell · · Score: 3, Funny

    RTFA.

  4. Re:What is an SIP attack? by imjustmatthew · · Score: 2, Informative

    Actually, TFA didn't say exactly, but it sounds like these SIP attacks are brute-force attempts to authenticate and initiate a session. Presumably they want to spam-call numbers on PBX without paying long distance.
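    The brute-force pattern described above leaves a recognisable trail on the victim's PBX. The following is an added example, not code from the thread or from any of the posters: it parses constructed Asterisk chan_sip "Registration from ... failed for ..." NOTICE lines (the same lines fail2ban's asterisk filter keys on) and flags any source that fails more than a threshold of registrations inside a sliding window, telling extension enumeration ("No matching peer found" across many usernames) apart from password guessing against one account. The log lines, addresses, port suffix and thresholds are all assumptions.

```python
"""Detect SIP registration brute force in Asterisk-style NOTICE lines.

Added example. The sample log is constructed to look like the chan_sip
'Registration from ... failed for ...' notices; the 60 s window and the
10-failure threshold are assumptions, not values from the thread.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?:\"(?P<name>[^\"]*)\" )?<sip:(?P<uri>[^>]*)>' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.*)$"
)

WINDOW_SECONDS = 60     # assumption
FAIL_THRESHOLD = 10     # assumption: a real phone rarely fails 10x a minute


def parse_line(line):
    """Return a dict for a registration-failure notice, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # display name if present, otherwise the user part of the SIP URI
    user = m.group("name") or m.group("uri").split("@", 1)[0]
    return {
        # Asterisk's default timestamp has no year; deltas still work
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "user": user,
        "ip": m.group("ip"),
        "reason": m.group("reason"),
    }


def detect_bruteforce(lines, window=WINDOW_SECONDS, threshold=FAIL_THRESHOLD):
    """Return {ip: verdict} for sources with >= threshold failures in any
    window-second span; verdict says which kind of attack it looks like."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["ip"]].append(ev)

    verdicts = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end in range(len(evs)):          # sliding window over sorted events
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        users = {e["user"] for e in evs}
        reasons = defaultdict(int)
        for e in evs:
            reasons[e["reason"]] += 1
        n = len(evs)
        if len(users) * 2 > n and reasons["No matching peer found"] * 2 > n:
            kind = "extension enumeration"   # walking 1000, 1001, ... for valid users
        elif reasons["Wrong password"] * 2 > n:
            kind = "password guessing"       # one known user, many secrets
        else:
            kind = "mixed registration failures"
        verdicts[ip] = {"kind": kind, "failures": n,
                        "peak_per_window": peak, "distinct_users": len(users)}
    return verdicts


def _notice(ts, user, ip, reason):
    """Build one constructed chan_sip notice line."""
    return ('[%s] NOTICE[3921] chan_sip.c: Registration from \'"%s" <sip:%s@198.51.100.10>\' '
            "failed for '%s:5060' - %s" % (ts, user, user, ip, reason))


# Constructed sample log (addresses are documentation ranges).
SAMPLE_LOG = (
    # one host walks 12 extensions in 24 seconds, none of which exist
    [_notice("Apr 20 10:00:%02d" % (2 * i), str(1000 + i), "203.0.113.7",
             "No matching peer found") for i in range(12)]
    # another host guesses 10 passwords for a real extension in 27 seconds
    + [_notice("Apr 20 10:05:%02d" % (3 * i), "2001", "198.51.100.99",
               "Wrong password") for i in range(10)]
    # a genuine phone whose user mistyped once, and an unrelated line
    + [_notice("Apr 20 10:07:15", "2002", "192.0.2.5", "Wrong password"),
       "[Apr 20 10:07:16] VERBOSE[3921] chan_sip.c: Really destroying SIP dialog '123@192.0.2.5'"]
)

if __name__ == "__main__":
    for ip, v in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, v)
```

    Feed it the output of `tail -F` on the Asterisk message log and hand the offending IPs to a firewall drop rule; the one-off "Wrong password" from a real phone stays below the threshold, which is the point of counting per source rather than blocking on the first failure.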

  5. Re:What do you expect? by Z34107 · · Score: 3, Informative

    The complainant in the article actually e-mailed and called Amazon several times, and got several less-than-satisfactory responses. Evidently Amazon's solution is "mediation" - you're supposed to talk to the hackers and work something out! They have zero interest in actually shutting them down.

    --
    DATABASE WOW WOW
  6. Doesn't surprise me. by laughingcoyote · · Score: 3, Interesting

    I've been reporting for several weeks now an IM spammer hosting sites with a place called Flying Croc. I've even complained to their upstream provider, but to no avail from either. Both of these have AUPs specifically prohibiting spamming from or spam being used to advertise sites on their network, but it seems the AUPs are only really intended to let the host disconnect someone they don't like, not actually to prevent their customers from launching an attack or spamming campaign. Or at least, the webcam sites being spammed for still trace right back to the same networks as they did.

    Maybe there needs to be some mandatory service level from companies above a certain size (a response from a human within X days, etc.). Service seems to be getting worse and worse across the board. And maybe a requirement that if said company says something, it damn well better back it up when called upon to.

    --
    To fight the war on terror, stop being afraid.
    1. Re:Doesn't surprise me. by JWSmythe · · Score: 3, Informative

          I can understand (to a degree) when a problem isn't directly addressed back. Sure, you detected it, and it's perfectly possible 10,000 other people reported the same thing.

          Knowing a little about the business, and not having enough information from you, it may be possible that the destinations that you referenced had absolutely nothing to do with it. If the destination is an affiliate sales company (i.e., affiliates make a percentage of the sale that they sent), you may have simply bounced through a page that passed on their affiliate code and never noticed it.

          http://hotchick.spammer/ redirects to http://some.cam.site?id=9999 which then redirects to http://some.cam.site/ . Some affiliate companies take that seriously, and will forbid any sales revenue from going to that affiliate. Then again, plenty see it as "not their problem" and enjoy the extra profits where they weren't directly involved in the illegal activities.

          I've seen it where site X gets spammed for, which has links to Site Y, which then has the affiliate code for site Z. Go ahead and complain to Z, it won't do you a lot of good. It will do even less if site Z is responsible for over a million per year in revenue for their provider. If it's some schmuck with a $20/yr account, it'd probably be gone in minutes.

          If I was at some large hosting company, it'd be perfectly possible to get tens (or hundreds) of thousands of complaints like yours daily. Is it worth tracking those to resolution and getting back directly to every complainer, or simply adding your complaint to the list? Ok, I would, but most won't.

          I've been on the receiving end of complaints in the past. Most of the time, the complaints were misdirected anyways. "I got a spam". Sure you did. When it's reviewed, it's simply an email stating that their membership was expiring and if they wanted to continue service they should renew. Of hundreds of thousands of those sent, they'd generate maybe a few dozen complaints like that. Sometimes they were a hosted site where a newbie webmaster had put some mailto.cgi up, and folks were spamming through it. The upstream provider would send an email saying "We've received a bunch of these", and following them through we'd find the problem, and simply reply "It's been corrected". Corrected for us meant the cgi was disabled (like chmod 000) with an email to the webmaster about how not to be a dumbass.

          Looking at the "upstream provider" web site, it looks like they're just reselling someone else's services. I could be mistaken, but I've never heard of them, and couldn't find much interesting online.

         

      --
      Serious? Seriousness is well above my pay grade.
    2. Re:Doesn't surprise me. by laughingcoyote · · Score: 2, Insightful

      Well, what's actually happening is spambots over MSN. If you tell it anything long enough (it can be "fuck you" or whatever you like), it'll tell you to "see me on cam" at a site. I set up a script to get the bots to give the link (since they all use the same one, that was relatively simple), and then tracerouted the site they were advertising.

      Ultimately, the site being advertised is the one responsible, in my opinion, and their host should hold them responsible. They're either directly encouraging people to spam, or at the very least running "affiliate" programs in such a manner that people are encouraged to do so and do not face consequences.

      I don't think that I made a mistake as to where the hosting was, since I used the exact link the bot gives, but anything's possible. They never denied it's theirs, though.

      Thanks for the insight into the situation, though. I've never myself been on the other end of that. When you get 10-30 IM spams a day, though, it sure gets frustrating pretty damn quickly, especially since I can't just ignore IM; if it is something important, I've got to respond to it.

      --
      To fight the war on terror, stop being afraid.
  7. Re:Lazy? by emt377 · · Score: 5, Insightful

    You would think it would be pretty easy for Amazon to find and shut down the attackers... why haven't they done so already?

    Perhaps because the UDP source addresses are spoofed, and the goal of the attack is to trick AWS into shutting down legitimate paying customers' businesses?

  8. *Yawn* Nothing of Interest Here by phantomcircuit · · Score: 2, Informative

    Basically someone used EC2 to launch dictionary attacks against SIP providers. This could have been done from a data center or even by a botnet. He's just mad that Amazon ignored him.

    This is nothing more than someone trying to improve security through whack-a-mole.

  9. Amazon is way too lax about abuse. by IGnatius+T+Foobar · · Score: 3, Interesting

    There's an awful lot of spam and other abuse coming out of EC2. I'm not surprised to hear that it's being used as a source of SIP attacks as well. Amazon is quite irresponsible about handling abuse. As long as it isn't harming their systems, they wait until someone reports abuse, and then they terminate only the EC2 instance from which the attack originated. They make zero effort to thwart future attacks or prevent more abuse.

    Amazon is gaining a reputation as a house of ill repute, and they deserve it.

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
  10. Re:What is an SIP attack? by Bigjeff5 · · Score: 5, Informative

    SIP = Session Initiation Protocol, it's the protocol that sets up and tears down the session on a VOIP call. After the initial setup, VoIP uses RTP, or Real-time Transmission Protocol to transfer the call data packets, while SIP manages the connection itself (adding callers, changing addresses, adding video, etc).

    SIP is an application layer protocol that sits on top of a transport protocol like TCP or UDP, which sits on top of the IP network layer. If not encrypted (it often isn't), it is vulnerable to everything TCP is, including DOS attacks, man in the middle attacks, packet sniffing, and various hardware related attacks like buffer overflows and such. Even encrypted it is still vulnerable to the hardware related attacks and DOS attacks.

    What you can do with these attacks is the same as what you'd do with TCP attacks: eavesdropping, call re-routing, disconnecting calls, SIP agent impersonation to place new calls, etc.

    --
    Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
  11. benefit of the doubt, for now... by dAzED1 · · Score: 2, Insightful

    Had I been hearing of lots of this sort of thing, I'd be less interested in giving them the benefit of the doubt. Since I haven't, I'd like to point out that often the type of behavior that Amazon is displaying right now is due to them working with law enforcement to catch the person...versus just shutting down the instances.

  12. Re:What is an SIP attack? by Bigjeff5 · · Score: 3, Informative

    An IP-PBX system is a PBX system on an IP network. ;)

    A PBX is a call center through which all phone calls for a specific area are routed - like a building or a telco's service area. It stands for Private Branch Exchange.

    --
    Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
  13. Re:What is an SIP attack? by Anonymous Coward · · Score: 2, Insightful

    When did slashdot stop being news for the nerds?

  14. Re:What do you expect? by bill_mcgonigle · · Score: 4, Interesting

    > They have zero interest in actually shutting them down.

    Maybe if you flood-ping the offending IP from your attacked PBX their automated IDS will blackhole your IP.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  15. Re:Lazy? by kobaz · · Score: 2, Informative

    Well, the story has the assumption that the attacks are coming from EC2. If they are indeed coming from EC2, then Amazon could find the source.

    But if the source is outside of amazon, with spoofed source addresses of ec2 instances that have nothing to do with the attacks... then well... that's another issue.

    --
    The goal of computer science is to build something that will last at least until we've finished building it.
  16. Re:Lazy? by e9th · · Score: 3, Interesting

    I don't think so. One way to stop the attacks is to use pf/iptables to forward the offending REGISTERs to a bot that simply sends back a bogus "200 OK" response. As soon as the attacker thinks he's found an opening, the attack stops.
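    Bigjeff5's comment above explains what SIP does on a call, and e9th's describes answering forwarded REGISTERs with a bogus "200 OK". The following is an added example and not code posted by anyone in the thread: a minimal REGISTER parser plus a responder that builds that 200 OK the way RFC 3261 says a response must be built (Via, From, Call-ID and CSeq copied from the request, a To-tag added, the Contact echoed with an expires). The pf/iptables redirect that gets the packets to the bot is out of scope; this is only what the bot says back. The sample REGISTER is constructed, and its hostnames, addresses and digest values are assumptions.

```python
"""Toy SIP 'registration honeypot' responder.

Added example. Parses a SIP REGISTER and returns a 200 OK regardless of
the credentials it carried, per the response rules of RFC 3261 8.2.6.2.
Standard library only; the sample request below is constructed.
"""
import secrets

CRLF = "\r\n"


def parse_sip_request(raw):
    """Split a SIP request into (method, request_uri, headers, body).

    headers is a list of (name, value) in wire order; header names are
    case-insensitive in SIP, so callers compare with .lower(). Folded
    continuation lines (leading whitespace) are joined to the previous header.
    """
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    method, request_uri, version = lines[0].split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError("not a SIP/2.0 request")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, request_uri, headers, body


def header_values(headers, name):
    """All values of one header, matched case-insensitively."""
    name = name.lower()
    return [v for n, v in headers if n.lower() == name]


def build_bogus_200_ok(raw, expires=3600):
    """Return the 200 OK a real registrar would send on success.

    Via (all of them, in order), From, Call-ID and CSeq are copied from the
    request; To gets a tag if the request had none; each Contact is echoed
    with an expires parameter so the attacker's tool believes it is bound.
    """
    method, _, headers, _ = parse_sip_request(raw)
    if method != "REGISTER":
        raise ValueError("honeypot only answers REGISTER")
    to_value = header_values(headers, "To")[0]
    if ";tag=" not in to_value:
        to_value += ";tag=" + secrets.token_hex(8)
    out = ["SIP/2.0 200 OK"]
    for via in header_values(headers, "Via"):
        out.append("Via: " + via)
    out.append("From: " + header_values(headers, "From")[0])
    out.append("To: " + to_value)
    out.append("Call-ID: " + header_values(headers, "Call-ID")[0])
    out.append("CSeq: " + header_values(headers, "CSeq")[0])
    for contact in header_values(headers, "Contact"):
        out.append("Contact: %s;expires=%d" % (contact, expires))
    out.append("Content-Length: 0")
    return CRLF.join(out) + CRLF + CRLF


# Constructed sample: a password-guessing REGISTER on its second attempt,
# after the PBX answered the first with 401 and a nonce. Hosts/values assumed.
SAMPLE_REGISTER = CRLF.join([
    "REGISTER sip:pbx.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK776asdhds;rport",
    "Max-Forwards: 70",
    "From: <sip:1000@pbx.example.net>;tag=a73kszlfl",
    "To: <sip:1000@pbx.example.net>",
    "Call-ID: 843817637684230@203.0.113.7",
    "CSeq: 2 REGISTER",
    "Contact: <sip:1000@203.0.113.7:5060>",
    'Authorization: Digest username="1000", realm="asterisk",',
    ' nonce="5f3b0c1a", uri="sip:pbx.example.net", response="deadbeef"',
    "Content-Length: 0",
]) + CRLF + CRLF

if __name__ == "__main__":
    print(build_bogus_200_ok(SAMPLE_REGISTER))
```

    Bind a UDP socket on the port the firewall redirects to, call `build_bogus_200_ok` on each datagram and send the result back to the source; the scanner sees a successful registration and, as described above, moves on. Keep the bot on its own port so genuine phones never reach it, and remember that a spoofed-source flood will make it answer to whoever is being framed.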

  17. Re:Lazy? by mysidia · · Score: 2, Insightful

    Ah... so it might not be a "violation"? Their average customer has a legitimate reason for their EC2 VM to be sending SIP packets to 2000 new IPs every minute, and 100000 distinct IP addresses every hour?

  18. Re:Lazy? by mysidia · · Score: 3, Insightful

    This is basically like an ISP arguing they are not responsible for spam sent by their downstream customers they provide internet connectivity to.

    The IP addresses belong to the ISP, so they are ultimately responsible for handling any report of abuse in terms of network traffic from those IPs.

    If the ISP does nothing, the IPs will eventually get blacklisted, and most blacklists will make the blacklist entry larger and larger until the ISP responds... e.g. start with blacklisting just that IP, then if it continues, blacklist the entire /24, then if it continues, blacklist that entire RIR registered IP block.

    As last step... blacklist the entire AS number.

    Amazon EC2 is in the same situation here. If they don't respond to serious abuse complaints like this, transit providers are going to start blackholing EC2 IPs at their border.

    Eventually, this could make EC2 useless....

  19. Re:What is an SIP attack? by LostCluster · · Score: 2, Informative

    So, by definition, a SIP attack is a use of the protocol in an unauthorized way (trying to simulate an incoming call that doesn't exist, or trying to authenticate as an account that doesn't belong to you...) and even though there's no known theft of service yet, it still interferes with the legit users.

  20. Re:De-Peer by EdIII · · Score: 2, Insightful

    Everybody running an IP-PBX could also just block the entire EC2 IP ranges too. It would be freakin hilarious if Spamhaus, Spamcop, or DenyHosts added their IP ranges. That would get some activity over at Amazon pretty gosh darn quick.

    However, in all seriousness, there is a better and easier solution for SIP security.

    1) Just block absolutely everybody and have a whitelist on what SIP packets can make it in. Add your VOIP providers and just open up RTP. If you have phones connecting over the Internet, and not VPN, then make the whitelist dynamic. Most phones these days can be set to do HTTPS retrieval of configuration files, and the really kick ass ones do HTTPS GET on certain actions including startup and SIP registration. Whenever you get an authenticated request, add that public IP to the whitelist and keep it for 24 hours.

    2) Use SRTP & HTTPS to secure your traffic, exchange configuration files, and push/respond XML documents over the Internet.

    3) For SIP peers/friends/users don't use the extension or MAC address for authentication. Completely unnecessary and weak on security. I have watched countless brute force attacks walk the extensions up from 1000. They can't begin to brute force the password, if they can't even find the right user name. Mine are 10 digit alphanumeric followed by the extension. Realllllly easy to handle with a dialplan too. A simple macro allows users to dial from extension to extension with the numbers they are used to, but hell on SIP hackers. Makes multi-company stuff a snap too.

    4) What's with the 4-6 character passwords, or WORSE, the user name BEING the password? I guess that might be fine in a local network environment where there is a strong physical security presence, but there really is no reason for SIP passwords to NOT be 20 characters or randomly generated alphanumeric. Just lazy.

    1-4 result in a system considerably harder to hack. It sure as heck won't be some scripted bot that takes it over, but a very determined and resourceful hacker.

    I realize this does not account for anonymous SIP calling over the Internet using ENUM, but uhh... that is retarded anyways. Well not retarded exactly, just extremely optimistic about the benevolent nature of all mankind. Like an extremely smart 4-year-old girl who also dreams of having a Unicorn and thinks about how wonderful it would be to have a universal white pages where communication, location, and routing instructions were provided for everyone.

    I'm sure that exists in Star Trek where somebody's ENUM instructed them to route a subspace call to the Enterprise to Holodeck 5, but here on Earth it would be used to route some telemarketer from the Philippines to my cell phone to sell me gas cards or some wonderful product for $4 shipping and a $600 debit on my debit card to follow in 10 days....

    If we really want something like that then it needs to be secured so only authorized people can decrypt your ENUM and a secure communication request would have to be sent and acknowledged, before any attempts at SIP could start, aka, layered security.

    SIP had security and NAT as an afterthought unfortunately.
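    The four points above can be put together in code. The following is an added example, not EdIII's or any project's code: a default-deny allowlist with permanent entries for the trunk provider and 24-hour entries learned only from authenticated provisioning fetches (points 1 and 2; the HTTPS/SRTP transport itself is assumed to be handled elsewhere), credentials whose username is a random 10-character prefix plus the extension (point 3), a weak-secret check for the short or username-equals-password cases (point 4), and a directory that maps the short extension back to the SIP username so dialling does not change. The provider network, addresses, fixed clock and the Asterisk-style "SIP/<user>" dial target are assumptions.

```python
"""SIP hardening helpers: provider + learned-IP allowlist, non-guessable
usernames, a weak-secret check and an extension directory.

Added example; the provider network, the addresses, the 24-hour TTL and
the Asterisk-style 'SIP/<user>' dial target are assumptions.
"""
import ipaddress
import secrets
import string
from datetime import datetime, timedelta

ALNUM = string.ascii_letters + string.digits
T0 = datetime(2010, 4, 20, 9, 0, 0)          # fixed clock for the demo


def hours(n):
    return timedelta(hours=n)


class SipAllowlist:
    """Default-deny for SIP: only provider networks (permanent) and phones
    that recently fetched their config over authenticated HTTPS (24 h)."""
    TTL = hours(24)

    def __init__(self, provider_networks):
        self.permanent = [ipaddress.ip_network(n) for n in provider_networks]
        self.dynamic = {}                      # ip_address -> expiry datetime

    def learn(self, ip, when, authenticated):
        """Record the public IP of a phone whose provisioning request
        authenticated. A failed or anonymous fetch must not open the door."""
        if not authenticated:
            return False
        self.dynamic[ipaddress.ip_address(ip)] = when + self.TTL
        return True

    def permits(self, ip, when):
        """True if SIP from ip should be accepted at time when."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.permanent):
            return True
        expiry = self.dynamic.get(addr)
        if expiry is None:
            return False
        if when >= expiry:                     # lazy expiry on lookup
            del self.dynamic[addr]
            return False
        return True


def make_sip_credentials(extension, prefix_len=10, secret_len=24):
    """Username is a random alphanumeric prefix plus the extension, so a
    scanner walking 1000, 1001, ... never finds a valid user name; the
    secret is random and long."""
    prefix = "".join(secrets.choice(ALNUM) for _ in range(prefix_len))
    secret = "".join(secrets.choice(ALNUM) for _ in range(secret_len))
    return {"extension": extension, "username": prefix + extension, "secret": secret}


def is_weak_secret(username, secret, min_len=20):
    """Flags the two cases called out in point 4: short, or equal to the user."""
    return len(secret) < min_len or secret == username


class Directory:
    """Lets users keep dialling short extensions while SIP peers carry the
    long username; the dialplan resolves one to the other."""
    def __init__(self):
        self.by_extension = {}

    def add(self, creds):
        self.by_extension[creds["extension"]] = creds["username"]

    def dial_target(self, extension):
        return "SIP/" + self.by_extension[extension]   # Asterisk-style (assumed)


def demo():
    """Walk the allowlist through a day: provider always in, phone in for
    24 h after an authenticated fetch, unauthenticated stranger never in."""
    al = SipAllowlist(["198.51.100.0/24"])    # assumed trunk provider range
    al.learn("203.0.113.7", T0, authenticated=True)
    al.learn("192.0.2.5", T0, authenticated=False)
    return {
        "provider": al.permits("198.51.100.10", T0),
        "phone_now": al.permits("203.0.113.7", T0),
        "phone_23h": al.permits("203.0.113.7", T0 + hours(23)),
        "phone_24h": al.permits("203.0.113.7", T0 + hours(24)),
        "stranger": al.permits("192.0.2.5", T0),
    }


if __name__ == "__main__":
    print(demo())
    creds = make_sip_credentials("2001")
    print(creds, "weak" if is_weak_secret(creds["username"], creds["secret"]) else "ok")
```

    In practice `learn` is called from the provisioning web server's handler after the phone's HTTPS credentials check out, and `permits` decides which sources a firewall rule set admits to UDP 5060; everything else is dropped before the PBX ever parses a REGISTER, which is what makes the extension walk and the password guessing moot.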

  21. Re:Lazy? by amorsen · · Score: 4, Informative

    At least one attack came from Amazon. I reported it, and Amazon has confirmed that it was their customer. The packets weren't spoofed, no attempt was made to hide their origin.

    --
    Finally! A year of moderation! Ready for 2019?
  22. Reporting is useless by GPLHost-Thomas · · Score: 2, Informative

    As a web host, like every other company of this type, we had our bunch of hackers getting in (credit card and paypal account fraudsters/scammers mostly). As we record each IP used to register and systematically check what has been written in the registration form, many times, we have seen hackers registering with a proxy on another host. Each time we see this behavior, we get in touch with our peer, to let them know that we believe they've been hacked, and which IP (together with a timestamp) to investigate.

    Very few times have we received such a report. Very few times have we received an answer from the hosts we warned. I believe that we also sent such an email at least once to Amazon and didn't get an answer.

    I've come to the conclusion that, unfortunately, it is useless to do reporting (even though we will still continue to do so as this is a matter of ethics as well). It has been YEARS like this, and governments don't seem to care anyway.