Communications Security

SIP Attacks From Amazon EC2 Going Unaddressed 104

Posted by kdawson
from the how-hard-can-it-be dept.
mjgraves writes "Over the past week a number of IP-PBX systems have been suffering SIP attacks from hosts in the Amazon EC2 cloud. At least a dozen known attacks have been reported to Amazon, which has been surprisingly quiet about the matter. The issue has been well documented by one of the attack victims on his blog. The matter was also discussed on the April 16th issue of the VoIP Users Conference (podcast available at the link; EC2 segment begins around 3:30). Amazon appears to have gone silent on the matter even as the attacks are ongoing. This is completely irresponsible behavior from such a hosting company, which should be acting to take down the attacker in their midst."


  • by rkohutek (122839) <randal@@@weberstreet...net> on Saturday April 17, 2010 @09:52PM (#31884772) Homepage Journal

    This is nothing new. Hosted/PBXs have been getting blown up by dedicated/VPS/cloud/whatever for ages now, all attempting to call farawayistan or $asian_country. Drop at the edge, drop at the edge.

    RK

  • by kobaz (107760)

    You would think it would be pretty easy for Amazon to find and shut down the attackers... why haven't they done so already?

    • Re:Lazy? (Score:5, Insightful)

      by emt377 (610337) on Saturday April 17, 2010 @10:19PM (#31884882)

      > You would think it would be pretty easy for Amazon to find and shut down the attackers... why haven't they done so already?

      Perhaps because the UDP source addresses are spoofed, and the goal of the attack is to trick AWS into shutting down legitimate paying customers' businesses?

      • by kobaz (107760)

        If the addresses are indeed spoofed, amazon could monitor their own network for packets leaving with the spoofed IP address.

        • by Sir_Lewk (967686)

          If the packets were spoofed, then what makes you think they even came from amazon's network?

          • Re: (Score:3, Informative)

            by kobaz (107760)

            Well, the story has the assumption that the attacks are coming from EC2. If they are indeed coming from EC2, then amazon could find the source.

            But if the source is outside of amazon, with spoofed source addresses of ec2 instances that have nothing to do with the attacks... then well... that's another issue.

      • Re: (Score:3, Interesting)

        by e9th (652576)
        I don't think so. One way to stop the attacks is to use pf/iptables to forward the offending REGISTERs to a bot that simply sends back a bogus "200 OK" response. As soon as the attacker thinks he's found an opening, the attack stops.
        • by amorsen (7485)

          But how do you know you aren't breaking legitimate traffic?

          • by e9th (652576)
            You only redirect [evil-ip]/5060 UDP to the reply-bot after spotting the attack, either because people start bitching about VoIP quality or by using fail2ban or whatever to do it automatically after X registration failures from the same address. I've seen 11,000 in under 3 min., which makes the attacks easy to spot.

            A different attack that really used address spoofing could cause the method I described to block legitimate traffic from a targeted site, but that would be a DoS, not a brute-force penetration
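As an added example (not code from any poster in this thread) of the "X registration failures from the same address" detection e9th describes, here is a sliding-window counter over constructed Asterisk-style "Registration from ... failed for ..." log lines; the log format, hostnames, addresses, window and threshold are assumptions for the demo.

```python
"""Flag SIP REGISTER brute-forcing by counting authentication failures
per source address inside a sliding time window.

Added example; the log line layout is modelled on Asterisk's chan_sip
"Registration from '...' failed for '...'" notices, and every sample
line below is constructed for the demo (assumption, not real traffic).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches e.g.:
# [2010-04-17 21:52:00] NOTICE[1234] chan_sip.c: Registration from
#   '"100" <sip:100@pbx.example>' failed for '203.0.113.5' - Wrong password
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\].*?"
    r"Registration from '(?P<user>[^']*)' failed for '(?P<ip>[\d.]+)'"
)

# Constructed template used only to build the demo log (assumption).
TEMPLATE = ("[{ts}] NOTICE[1234] chan_sip.c: Registration from "
            "'\"{user}\" <sip:{user}@pbx.example>' failed for '{ip}' - {reason}")


def parse_failures(lines):
    """Yield (timestamp, source_ip, user) for every failed-REGISTER line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("ip"), m.group("user")


def find_brute_forcers(lines, max_failures=20, window_seconds=60):
    """Return {ip: peak_failures_in_window} for every source whose failures
    within any window_seconds span exceed max_failures (fail2ban-style)."""
    windows = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for ts, ip, _user in parse_failures(lines):
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()          # drop failures that aged out of the window
        if len(q) > max_failures:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def build_sample_log():
    """Constructed log: one scanner walking extension numbers at 3 failures
    per second, one real phone mistyping its password a few times, and an
    unrelated line the matcher must ignore."""
    base = datetime(2010, 4, 17, 21, 52, 0)
    lines = []
    for i in range(30):   # 30 failures in 10 s from 203.0.113.5 (constructed)
        ts = base + timedelta(seconds=i // 3)
        lines.append(TEMPLATE.format(ts=ts.strftime("%Y-%m-%d %H:%M:%S"),
                                     user=100 + i, ip="203.0.113.5",
                                     reason="No matching peer found"))
    for secs in (30, 75, 130):   # 3 failures over 100 s from 198.51.100.7
        ts = base + timedelta(seconds=secs)
        lines.append(TEMPLATE.format(ts=ts.strftime("%Y-%m-%d %H:%M:%S"),
                                     user=204, ip="198.51.100.7",
                                     reason="Wrong password"))
    lines.append("[2010-04-17 21:53:00] VERBOSE[1234] chan_sip.c: "
                 "-- Registered SIP '204' at 198.51.100.7:5060")
    return lines


if __name__ == "__main__":
    for ip, peak in find_brute_forcers(build_sample_log()).items():
        print(f"{ip}: {peak} failed registrations inside one window; block at the edge")
```

Only the scanner crosses the threshold; the phone with a few typos never does, which is the distinction e9th relies on before redirecting an address.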
      • by mysidia (191772)

        It is trivial for Amazon to confirm the report by actually observing the traffic themselves before they act.

    • by cts5678 (1383735)
      They probably never took the time to figure out how to do it.
    • by Jaime2 (824950)
      Maybe Amazon is trying to act as if they have no responsibility for the conduct of the users of their cloud. It's not unprecedented, if one user on a discussion board is causing another grief, the board is not necessarily responsible for dealing with it. They also have to worry that if they take action quickly, then someone may falsely accuse a legitimate EC2 customer of hosting malware. They probably trust their paying customers first.
      • Re: (Score:3, Insightful)

        by mysidia (191772)

        This is basically like an ISP arguing they are not responsible for spam sent by their downstream customers they provide internet connectivity to.

        The IP addresses belong to the ISP, so they are ultimately responsible for handling any report of abuse in terms of network traffic from those IPs.

        If the ISP does nothing, the IPs will eventually get blacklisted, and most blacklists will make the blacklist entry larger and larger until the ISP responds... e.g. start with blacklisting just that IP, then if it

        • by amorsen (7485)

          The problem is that it's difficult to block EC2 because they are so popular. It was discussed where I work, and the conclusion was that it was infeasible.

      • by jopsen (885607)
        Amazon does bring down EC2 instances that violate their terms of service... But they do try contact the administrator first... I once had an instance for testing, that is it was doing nothing, then suddenly it was port scanning... :)
        And Amazon asked if they could shut it down... I think they gave me a 24 hour warning...
    • I agree and I am disgusted by Amazon's lack of cogent response. I just wrote to them about losing my business. Since I use AWS and have been purchasing from Amazon since they started, this is no joke, but it will take more than one customer doing this to make them wake up. Please keep posting on the web if you are convinced that they should be proactive in resolving the attacks quickly. This is NOT comparable to spammers abuse. In one case, 200 register requests per second were being received. Yes, you can
    • by guruevi (827432)

      Because Amazon is getting paid for their services. Amazon isn't making a loss when criminal syndicates use their services nor are they providing it for free to those organizations. They're probably still pumping cash into the whole EC2 thing since "cloud computing" isn't really as popular and world-changing in most businesses as was projected 5 years ago so they could probably use the $.50/GB at whatever rate these people are pumping out.

  • by GaryOlson (737642) <slashdotNO@SPAMgaryolson.org> on Saturday April 17, 2010 @09:54PM (#31884784) Journal
    I reported a Morpheus scanner running on an EC2 instance last week. I have not received any response from Amazon either. Of course I am not an EC2 customer, so I don't expect any consideration. But, if no response is forthcoming, I expect I won't be shopping at Amazon in the future for more pedestrian needs.
    • by vilain (127070) on Saturday April 17, 2010 @10:23PM (#31884904)
      Since this involved illegal computer access from an information provider (don't think Amazon's been classified as a telecom provider. yet.), why not involve the consumer fraud division of the Washington State Attorney General. If a bunch of AG people and sheriffs descend on Amazon's offices with search warrants for "Any and all computers, disks, hardware, etc.", I think Amazon will take notice pretty quickly.
      • by LostCluster (625375) * on Sunday April 18, 2010 @12:37AM (#31885356)

        Bezos is a smart businessman, and as such most of his properties are separate corporations that are friends of Amazon, but maintain the ability to go bankrupt if they go wrong without bankrupting Amazon.com. Such a warrant might get the attention of EC2... but there's no way it'd stretch all the way to Amazon.com unless there was some proof of a shared resource being involved.

      • Re: (Score:3, Insightful)

        by Kaboom13 (235759)

        Because everyone knows the state attorney general is always eager to royally piss off the huge, multinational corporation with an army of lawyers who is headquartered in his state and contributes a massive amount of tax revenue and jobs to the local economy. Especially when the accusation comes from some people off the internet who aren't even in his jurisdiction and he is completely unqualified to even understand the nature of the attacks beyond "bad people doing bad things according to this guy....on the

        • by Rogerborg (306625)

          But as we're constantly being told, File Sharers == Hackers == Organized Crime == Drug Lords == Kiddie Pornographers == TEH TERRARISTS!!!!!1!!!

          How about we use that line of... "reasoning"... for good for once?

      • Re: (Score:3, Interesting)

        by thsths (31372)

        > If a bunch of AG people and sheriffs descend on Amazon's offices with search warrants for "Any and all computers, disks, hardware, etc.", I think Amazon will take notice pretty quickly.

        Interesting option. I would go one step further: since the attack has been committed from a virtual machine, it seems reasonable to confiscate for further analysis the virtual machine in question. Now this may not be as inconvenient for Amazon, but it also makes it more likely for them to cooperate.

        The point being that t

  • Cloud providers focus on scale and volume to make money; quality support doesn't scale well with volume. Why are they quiet? I wouldn't be surprised if they aren't even aware of any issues.
    • by Z34107 (925136) on Saturday April 17, 2010 @10:17PM (#31884874)

      The complainant in the article actually e-mailed and called Amazon several times, and got several less-than-satisfactory responses. Evidently Amazon's solution is "mediation" - you're supposed to talk to the hackers and work something out! They have zero interest in actually shutting them down.

      • by bill_mcgonigle (4333) * on Saturday April 17, 2010 @11:22PM (#31885078) Homepage Journal

        > They have zero interest in actually shutting them down.

        Maybe if you flood-ping the offending IP from your attacked PBX their automated IDS will blackhole your IP.

      • by segedunum (883035)

        > The complainant in the article actually e-mailed and called Amazon several times, and got several less-than-satisfactory responses.

        I'm a bit suspicious of the correspondence in the article for a number of reasons:

        1. This is nothing new. PBXs have been hit from places like China, and the first port of call is to blacklist the relevant IPs. If you don't like that then don't run the service. You can be hit by anyone from anywhere on the internet, and that's the first rule of running a service that is publicl
  • Doesn't surprise me. (Score:4, Interesting)

    by laughingcoyote (762272) <barghesthowl@NospAm.excite.com> on Saturday April 17, 2010 @10:19PM (#31884880) Journal

    I've been reporting, for several weeks now, an IM spammer hosting sites with a place called Flying Croc [flyingcroc.com]. I've even complained to their upstream provider [accretive-networks.com], but to no avail from either. Both of these have AUPs specifically prohibiting spamming from or spam being used to advertise sites on their network, but it seems the AUPs are only really intended to let the host disconnect someone they don't like, not actually to prevent their customers from launching an attack or spamming campaign. Or at least, the webcam sites being spammed for still trace right back to the same networks as they did.

    Maybe there needs to be some mandatory service level from companies above a certain size (a response from a human within X days, etc.). Service seems to be getting worse and worse across the board. And maybe a requirement that if said company says something, it damn well better back it up when called upon to.

    • by JWSmythe (446288) <jwsmythe@jws[ ]he.com ['myt' in gap]> on Saturday April 17, 2010 @11:34PM (#31885104) Homepage Journal

          I can understand (to a degree) when a problem isn't directly addressed back. Sure, you detected it, and it's perfectly possible 10,000 other people reported the same thing.

          Knowing a little about the business, and not having enough information from you, it may be possible that the destinations that you referenced had absolutely nothing to do with it. If the destination is an affiliate sales company (i.e., affiliates make a percentage of the sale that they sent), you may have simply bounced through a page that passed on their affiliate code and never noticed it.

          http://hotchick.spammer/ [hotchick.spammer] redirects to http://some.cam.site?id=9999 [cam.site] which then redirects to http://some.cam.site/ [cam.site] . Some affiliate companies take that seriously, and will forbid any sales revenue from going to that affiliate. Then again, plenty see it as "not their problem" and enjoy the extra profits where they weren't directly involved in the illegal activities.

          I've seen it where site X gets spammed for, which has links to Site Y, which then has the affiliate code for site Z. Go ahead and complain to Z, it won't do you a lot of good. It will do even less if site Z is responsible for over a million per year in revenue for their provider. If it's some schmuck with a $20/yr account, it'd probably be gone in minutes.

          If I was at some large hosting company, it'd be perfectly possible to get tens (or hundreds) of thousands of complaints like yours daily. Is it worth tracking those to resolution and getting back directly to every complainer, or simply adding your complaint to the list? Ok, I would, but most won't.

          I've been on the receiving end of complaints in the past. Most of the time, the complaints were misdirected anyways. "I got a spam". Sure you did. When it's reviewed, it's simply an email stating that their membership was expiring and if they wanted to continue service they should renew. Of hundreds of thousands of those sent, they'd generate maybe a few dozen complaints like that. Sometimes they were a hosted site where a newbie webmaster had put some mailto.cgi up, and folks were spamming through it. The upstream provider would send an email saying "We've received a bunch of these", and following them through we'd find the problem, and simply reply "It's been corrected". Corrected for us meant the cgi was disabled (like chmod 000) with an email to the webmaster about how not to be a dumbass.

          Looking at the "upstream provider" web site, it looks like they're just reselling someone else's services. I could be mistaken, but I've never heard of them, and couldn't find much interesting online.


      • Re: (Score:3, Insightful)

        Well, what's actually happening is spambots over MSN. If you tell it anything long enough (it can be "fuck you" or whatever you like), it'll tell you to "see me on cam" at a site. I set up a script to get the bots to give the link (since they all use the same one, that was relatively simple), and then tracerouted the site they were advertising.

        Ultimately, the site being advertised is the one responsible, in my opinion, and their host should hold them responsible. They're either directly encouraging people t

        • by JWSmythe (446288)

          You can email me and we can talk more about it in private, and see if we can hunt the source down a little better, or at least a better complaint route.

          I have absolutely nothing against screwing with spammers. The place I was at that I was referencing, we had a huge spam problem. It was fairly high profile, so was inundated with email spam constantly. We went as far as building our own dynamic blacklist, and even setting firewall rules against spammers. It helped that it se

  • by phantomcircuit (938963) on Saturday April 17, 2010 @10:20PM (#31884892) Homepage

    Basically someone used EC2 to launch dictionary attacks against SIP providers. This could have been done from data center or even by a botnet. He's just mad that amazon ignored him.

    This is nothing more than someone trying to improve security through whack-a-mole.

  • by IGnatius T Foobar (4328) on Saturday April 17, 2010 @10:27PM (#31884914) Homepage Journal
    There's an awful lot of spam and other abuse coming out of EC2. I'm not surprised to hear that it's being used as a source of SIP attacks as well. Amazon is quite irresponsible about handling abuse. As long as it isn't harming their systems, they wait until someone reports abuse, and then they terminate only the EC2 instance from which the attack originated. They make zero effort to thwart future attacks or prevent more abuse.

    Amazon is gaining a reputation as a house of ill repute, and they deserve it.
  • Amazon appears to have gone silent

    Can you hear me now?

  • De-Peer (Score:2, Troll)

    by Bruha (412869)

    I'm sure they'd take notice if Tier 1 ISP's threatened to De-Peer them.

    • by JWSmythe (446288)

      Won't happen, if they're paying the bills, and the bills are large. You really have to piss off the other Tier 1 providers to get cut off. Cogent got pretty good at that at least a couple times. :) I'd be willing to bet Amazon is actually paying their bills on time. Amazon appears to be well peered [fixedorbit.com], so it's not just one or two that'd have to drop them. The ones who didn't wouldn't mind the jump in revenue at all.

      • by mysidia (191772)

        De-Peering isn't the only option.

        Imagine if a bunch of Tier1 and Tier2 providers (who don't peer with them) adopted a policy of blocking all Amazon EC2 IP ranges at all border routers?

        • Re: (Score:3, Insightful)

          by EdIII (1114411) *

          Everybody running an IP-PBX could also just block the entire EC2 IP ranges too. It would be freakin hilarious if Spamhaus, Spamcop, or DenyHosts added their IP ranges. That would get some activity over at Amazon pretty gosh darn quick.

          However, in all seriousness, there is a better and easier solution for SIP security.

          1) Just block absolutely everybody and have a whitelist on what SIP packets can make it in. Add your VOIP providers and just open up RTP. If you have phones connecting over the Internet, an

          • by mysidia (191772)

            4) What's with the 4-6 character passwords, or WORSE, the user name BEING the password? I guess that might be fine in a local network environment where there is a strong physical security presence

            Here's what happens: the PBX starts as something local only, with access from only intranet and only company IP addresses allowed. Probably rfc1918 private LAN IPs, maybe some external IP addresses of phones at other branches.

            PBX admin initially designs a closed system, and everything works great, and is secu

            • by EdIII (1114411) *

              I agree with pretty much everything you are saying, except......

              > password management is expensive, and setting strong distinct passwords, and strong authnames for every phone is an expensive proposition.

              That is no longer true. Maybe in the past, and you would have a point about balancing everything out, but it is no longer the case now.

              My system swaps out the extension, context, authname, and secret automatically every couple of days via a cron job. Since my IP-PBX is database driven I don't need to deal

    • just as they'd also take notice if threatened with a nuclear strike. Each case is equally likely to occur.
  • Maybe it's Amazon's new long distance service, talk all you want, it's someone else's dime!
  • by dAzED1 (33635) on Saturday April 17, 2010 @10:38PM (#31884952) Homepage Journal

    Had I been hearing of lots of this sort of thing, I'd be less interested in giving them the benefit of the doubt. Since I haven't, I'd like to point out that often the type of behavior that Amazon is displaying right now is due to them working with law enforcement to catch the person...versus just shutting down the instances.

    • by HiThere (15173)

      You can guess that sort of thing, and it *MIGHT* be true.

      The problem is, that sounds an awful lot like the excuses that kept being given for the actions of various judges in the SCOx cases over the last seven years. And those were almost all eventually displayed to be wrong. So I have a hard time accepting that kind of excuse now.

      It's true, the police are not the courts. But actually the courts have a better reputation for justice than do the police. And over the last seven years I've become convinced t

      • by dAzED1 (33635)

        Not at all similar - SCO wasn't doing something for which they were criminally liable, they were doing something for which they were civilly liable. There aren't sting operations put in place by law enforcement to try to catch SCO and their FUD; law enforcement knows exactly where the SCO offices are.

        Also note that I prefaced it by saying I am only willing to offer them that benefit due to the fact that I haven't heard complaints about this sort of thing before. Note that Amazon has it in their best inter

  • Just block all IPs belonging to “cloud” servers. I mean, you know what kind of types use those services... the types that love management buzzwords. PHB types. And other people you wouldn’t exactly call “competent”... if you know what I mean.
    You want to avoid any contact with such types anyway. So you can only benefit from blocking such enterprisey consultant hatcheries.

    • by Pinhedd (1661735)
      Even blackholing a whole IP block won't necessarily halt attacks. The inbound UDP packet still has to be read and have its source address resolved to one that's been blackholed, assuming that it's a legitimate address to begin with.
      • by mysidia (191772)

        There is a piece of equipment that can handle this: it's called a router. And it can do all that in hardware at wire speed.

        • by giesen (820885)
          I think you're overly optimistic about the performance of most routers...
        • by Pinhedd (1661735)
          Yes I know what a router is, but routers also have limits as to what they are able to process in a given amount of time. Even if a router can switch a million packets a second a half decent botnet could still bring that to a crawl
          • by mysidia (191772)

            We're talking about SIP brute forcing here, not DoS. Most botnets are not large enough to emit a 1 million pps flood, especially not accidentally, while trying to brute force SIP registration.

            Most of the ones that are large enough, are unlikely to be used to create such a large flood against you. They got so large by avoiding detection, and sending too large of floods from a node results in detection.

            Large botnets get rented out to perform activities profitable to people who rent services from their o

    • Aaahh.. so the PHB types have got mod points. I see...

      Them being PHBs, they obviously can’t stand reality, and rather kill the messenger (me).

      Yay. Great job. Well done PHBs and in-a-castle-on-clouds-livers. Pat yourself on the back. Another problem “solved”.

      Let’s see who’s the one laughing at who, in the end. ^^

  • Nanu Nanu...
  • Why is Amazon allowing outgoing SIP connections? That's just asking for trouble. Amazon probably shouldn't allow instances to open outgoing connections to external IP addresses (outside Amazon's "cloud") at all unless the customer signs up for that service. Most don't need it, and the ones that do need to be monitored more closely.

    • I hope you are being sarcastic here, right? I mean EC2 isn't only for simple web site hosting. There are tons of services that need outside access. SIP might be less common but it's still possible that someone would use it for legal things like alerting a sysadmin that his EC2 is spamming the world. I could see an ACL service being provided by Amazon as a good idea but in the end, a lot of people will just open everything to make debugging simple.

      I do get a ton of EC2 scanning and ssh attacks on a VPS inst

  • That's why you use IAX2 every time it's possible, even better if it's listening on a non-standard port. If you receive only big-ass traffic (carrier2carrier) you are already expecting traffic from certain IPs, and so you drop anything else at the firewall. If you also receive small traffic (softphones, etc) you use a different server for that, with different policies. All accounts require a mandatory huge password (md5 of a random number will do) and they all have a very clean and small per-month and per-da

  • As a web host, like every other company of this type, we had our bunch of hackers getting in (credit card and paypal account fraudsters/scammers mostly). As we record each IP used to register and systematically check what has been written in the registration form, many times we have seen hackers registering with a proxy on another host. Each time we see this behavior, we get in touch with our peer, to let them know that we believe they've been hacked, and which IP (together with a timestamp) to investigate.
    • Be careful what you wish for. Governments would be worse.
      • Governments only care about so-called terrorists and pedophiles to block your Internet for bad reasons, or restrict you from downloading. They don't care about the real issues that merchants are facing, and that the visa system has been totally broken for YEARS with nobody doing anything about this situation. So yes, I do wish them to stop silly laws like DMCA and the like, and start doing real police work to catch the fraudsters, and I can't see how it could be worse than today.
        • by cbreak (1575875)
          The Visa system is Visa's responsibility. I heard claims that it will fix itself due to the Power of the Free Market. Unfortunately, silly laws like the DMCA are here to stay. They have been created after all with the Power of the Free Market (the best laws you can buy for money).
  • Surprise, a company released a hosted service (in this case 'cloud computing') where they did not have well thought through security support. AWS is a hot bed of bad activity. So are many of the other cloud providers (to lesser degrees related to popularity of the service). It's going to get worse before it gets better so make sure your own infra is ready to deal with the attacks through blocking on the edge, host firewalls, IDS, whatever you deem is helpful for your setup ... and don't be afraid to block o
  • As I see it Amazon should be compelled to act. Failure for them to do so is in effect harboring a fugitive. While there are ways to reduce the impact of the attack at your firewall, that does not overcome the fact that it consumes all of the target's available bandwidth. You can protect your systems, but you remain cut off from the rest of the world. It's a classic DOS attack just moving to the voip application space. That this is not getting much attention is a travesty. Amazon needs to be a more responsibl
    • by randulo (1205838)
      FWIW, my email to Amazon (about losing my business) resulted in the boilerplate reply with a link to the complaint form.
  • Could they just not allow any of the cloud computing to even send out these specific attacks, or raise a flag to the admins what is going on, or are they helpless as their contracts bind them to allow whatever is going on to continue because they rented out those cycles and now can not touch them by law, because they are bound by contract?

  • Amazon has posted a security bulletin on their website addressing this issue: https://aws.amazon.com/security/ [amazon.com] Frank
    • by mjgraves (845151)
      This is a very lame response to have taken 10 days for consideration. I think that if it happens again I would report it to Amazon at the very same time that I reported it to the FBI Cyber-crimes unit.

