Slashdot Mirror


SIP Attacks From Amazon EC2 Going Unaddressed

mjgraves writes "Over the past week a number of IP-PBX systems have been suffering SIP attacks from hosts in the Amazon EC2 cloud. At least a dozen known attacks have been reported to Amazon, which has been surprisingly quiet about the matter. The issue has been well documented by one of the attack victims on his blog. The matter was also discussed on the April 16th issue of the VoIP Users Conference (podcast available at the link; EC2 segment begins around 3:30). Amazon appears to have gone silent on the matter even as the attacks are ongoing. This is completely irresponsible behavior from such a hosting company, which should be acting to take down the attacker in their midst."

6 of 104 comments

  1. Re:Lazy? by emt377 · Score: 5, Insightful

    You would think it would be pretty easy for Amazon to find and shut down the attackers... why haven't they done so already?

    Perhaps because the UDP source addresses are spoofed, and the goal of the attack is to trick AWS into shutting down legitimate paying customers' businesses?

  2. Re:Morpheus attacks from EC2 also by vilain · Score: 4, Interesting

    Since this involved illegal computer access from an information provider (don't think Amazon's been classified as a telecom provider. yet.), why not involve the consumer fraud division of the Washington State Attorney General? If a bunch of AG people and sheriffs descend on Amazon's offices with search warrants for "Any and all computers, disks, hardware, etc.", I think Amazon will take notice pretty quickly.

  3. Re:What is an SIP attack? by Bigjeff5 · Score: 5, Informative

    SIP = Session Initiation Protocol, it's the protocol that sets up and tears down the session on a VOIP call. After the initial setup, VoIP uses RTP, or Real-time Transmission Protocol to transfer the call data packets, while SIP manages the connection itself (adding callers, changing addresses, adding video, etc).

    SIP is an application layer protocol that sits on top of a transport protocol like TCP or UDP, which sits on top of the IP network layer. If not encrypted (it often isn't), it is vulnerable to everything TCP is, including DOS attacks, man in the middle attacks, packet sniffing, and various hardware related attacks like buffer overflows and such. Even encrypted it is still vulnerable to the hardware related attacks and DOS attacks.

    What you can do with these attacks is the same as what you'd do with TCP attacks: eavesdropping, call re-routing, disconnecting calls, SIP agent impersonation to place new calls, etc.

    --
    Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
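
Added example (not part of the original thread or any commenter's code): a minimal parser for the SIP/RTP split described in comment 3, run on a constructed INVITE. It reads the transport from the topmost Via header and the RTP address and port that the SDP body offers; every address, name and ID in the sample is made up.

```python
# Constructed sample: a SIP INVITE with an SDP body (addresses are RFC 5737 documentation ranges).
SAMPLE_INVITE = (
    "INVITE sip:200@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:100@pbx.example.com>;tag=1928301774\r\n"
    "To: <sip:200@pbx.example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


def parse_sip_request(raw: str) -> dict:
    """Split a SIP request into signalling facts and the RTP endpoint its SDP offers."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    if not version.startswith("SIP/"):
        raise ValueError("not a SIP request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())  # keep first (topmost) Via
    # Via looks like "SIP/2.0/UDP host:port;params": the third token is the transport.
    sent_protocol, _, sent_by = headers["via"].partition(" ")
    transport = sent_protocol.split("/")[2].upper()
    media = {}
    for line in body.split("\r\n"):
        if line.startswith("c=") and "addr" not in media:
            media["addr"] = line.split()[-1]          # c=IN IP4 <address>
        elif line.startswith("m="):
            kind, port, proto = line[2:].split()[:3]  # m=<media> <port> <proto> <fmt...>
            media.update(kind=kind, port=int(port), proto=proto)
            break
    return {"method": method, "uri": uri, "transport": transport,
            "sent_by": sent_by.split(";")[0], "call_id": headers.get("call-id"),
            "rtp": media}


if __name__ == "__main__":
    print(parse_sip_request(SAMPLE_INVITE))
```

The signalling fields (method, Via, Call-ID) travel in SIP itself, while the `rtp` entry names the separate address and port where the call audio would flow once the session is set up.
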
  4. Re:What do you expect? by bill_mcgonigle · Score: 4, Interesting

    They have zero interest in actually shutting them down.

    Maybe if you flood-ping the offending IP from your attacked PBX their automated IDS will blackhole your IP.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

  5. Re:Morpheus attacks from EC2 also by LostCluster · Score: 4, Insightful

    Bezos is a smart businessman, and as such most of his properties are separate corporations that are friends of Amazon, but maintain the ability to go bankrupt if they go wrong without bankrupting Amazon.com. Such a warrant might get the attention of EC2... but there's no way it'd stretch all the way to Amazon.com unless there was some proof of a shared resource being involved.

  6. Re:Lazy? by amorsen · Score: 4, Informative

    At least one attack came from Amazon. I reported it, and Amazon has confirmed that it was their customer. The packets weren't spoofed, no attempt was made to hide their origin.

    --
    Finally! A year of moderation! Ready for 2019?