SIP Attacks From Amazon EC2 Going Unaddressed
mjgraves writes "Over the past week a number of IP-PBX systems have been suffering SIP attacks from hosts in the Amazon EC2 cloud. At least a dozen known attacks have been reported to Amazon, which has been surprisingly quiet about the matter. The issue has been well documented by one of the attack victims on his blog. The matter was also discussed on the April 16th issue of the VoIP Users Conference (podcast available at the link; EC2 segment begins around 3:30). Amazon appears to have gone silent on the matter even as the attacks are ongoing. This is completely irresponsible behavior from such a hosting company, which should be acting to take down the attacker in their midst."
Not much new here for operators ... (Score:3, Informative)
This is nothing new. Hosted/PBXs have been getting blown up by dedicated/VPS/cloud/whatever for ages now, all attempting to call farawayistan or $asian_country. Drop at the edge, drop at the edge.
RK
Lazy? (Score:2)
You would think it would be pretty easy for Amazon to find and shut down the attackers... why haven't they done so already?
Re: (Score:2)
Since EC2 requires a credit card I'm sure they have already been paid. However, I've wondered how long 'til someone uses a fraudulent card to do something vicious.
Unless the attackers were not that bright and used their actual credit cards.
Re: (Score:2)
However, I've wondered how long 'til someone uses a fraudulent card to do something vicious.
It probably took about three hours after Amazon's EC2 launch before someone used a stolen card to do something nasty.
Re: (Score:2, Insightful)
Ah... so it might not be a "violation"? Their average customer has a legitimate reason for their EC2 VM to be sending SIP packets to 2000 new IPs every minute, and 100000 distinct IP addresses every hour?
Re: (Score:1)
Re: (Score:1)
A legitimate PBX should have fairly little SIP control traffic, even when calls are open.
Well, most of the traffic should be RTP audio frames over UDP, or other frames tunneled over TCP.
So if they look at a traffic graph and see SIP usage is extremely high, and RTP / other traffic is basically nonexistent, then it is really quite suspicious.
Unless this is a huge telco's SBC, then they could (in theory) have a dedicated server for control, with separate servers for dealing with audio/media.
Re: (Score:1)
Re: (Score:2)
So if they look at a traffic graph and see SIP usage is extremely high, and RTP / other traffic is basically nonexistent, then it is really quite suspicious.
Isn't the point of REINVITE to do just this? As I understand it, that tells the endpoints to alter the call parameters, including making their own arrangements for handling RTP traffic so the server doesn't have to touch it.
Re: (Score:1)
It is possible to use REINVITE in that way. In most cases it is avoided.
It still wouldn't explain abnormally high outgoing SIP traffic, with the much smaller inbound amounts.
A legitimate SIP proxy that uses REINVITES to move the audio streams elsewhere should still have at least as much inbound control traffic as outbound traffic.
Legitimate phone calls don't come from the Ether, and as far as I know you can't currently buy PRI service or a POTS connection from Amazon for your EC2 instances.
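The traffic-shape heuristic argued in the two posts above (SIP dominating, almost no RTP, outbound SIP far exceeding inbound SIP, many distinct SIP peers), as an added example that is not from the thread. Port numbers, thresholds and the flow records are constructed assumptions, not Amazon or PBX data.

```python
# Added example, not from the thread: a flow-ratio heuristic for the
# "lots of SIP, no RTP, far more outbound than inbound SIP" pattern the
# discussion above treats as suspicious. Flow records are constructed.

SIP_PORT = 5060
RTP_PORTS = range(10000, 20001)   # assumed media port range of the PBX


def classify_port(port):
    if port == SIP_PORT:
        return "sip"
    if port in RTP_PORTS:
        return "rtp"
    return "other"


def summarize(flows, local_prefix):
    """flows: (src, sport, dst, dport, packets) tuples.
    Returns per-local-host packet counters and the set of SIP peers."""
    stats = {}
    for src, sport, dst, dport, pkts in flows:
        if src.startswith(local_prefix):
            host, direction, kind, peer = src, "out", classify_port(dport), dst
        elif dst.startswith(local_prefix):
            host, direction, kind, peer = dst, "in", classify_port(sport), src
        else:
            continue
        s = stats.setdefault(host, {"sip_out": 0, "sip_in": 0,
                                    "rtp_out": 0, "rtp_in": 0,
                                    "sip_peers": set()})
        if kind == "other":
            continue
        s[f"{kind}_{direction}"] += pkts
        if kind == "sip" and direction == "out":
            s["sip_peers"].add(peer)
    return stats


def suspicious(s, min_sip_out=200, max_imbalance=5, max_peers=100):
    """True when a host sends a lot of SIP, almost no media, outbound SIP far
    exceeds inbound SIP, and it talks SIP to many distinct peers.
    Thresholds are assumptions; tune them to the PBX being monitored."""
    if s["sip_out"] < min_sip_out:
        return False
    sip = s["sip_out"] + s["sip_in"]
    media = s["rtp_out"] + s["rtp_in"]
    sip_share = sip / (sip + media)
    imbalance = s["sip_out"] / max(s["sip_in"], 1)
    return (sip_share > 0.9 and imbalance > max_imbalance
            and len(s["sip_peers"]) > max_peers)


def sample_flows():
    """Constructed: one real PBX on 10.0.0.5 and one scanner on 10.0.0.9."""
    flows = [
        ("10.0.0.5", 5060, "203.0.113.10", 5060, 120),      # PBX -> provider SIP
        ("203.0.113.10", 5060, "10.0.0.5", 5060, 130),      # provider -> PBX SIP
        ("10.0.0.5", 12000, "203.0.113.10", 14000, 5000),   # RTP out
        ("203.0.113.10", 14000, "10.0.0.5", 12000, 4900),   # RTP in
    ]
    # scanner: two SIP packets to each of 150 distinct hosts, almost no replies
    for i in range(150):
        flows.append(("10.0.0.9", 5060, f"198.51.100.{i + 1}", 5060, 2))
    flows.append(("198.51.100.7", 5060, "10.0.0.9", 5060, 4))
    return flows


def flagged_hosts(flows, local_prefix="10.0.0."):
    return sorted(h for h, s in summarize(flows, local_prefix).items()
                  if suspicious(s))
```

Run over real NetFlow/sFlow exports, the same counters separate a PBX doing calls from an instance doing SIP scanning, which is what the thread expects a hosting provider to look at before deciding whether a report is credible.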
Re:Lazy? (Score:5, Insightful)
You would think it would be pretty easy for Amazon to find and shut down the attackers... why haven't they done so already?
Perhaps because the UDP source addresses are spoofed, and the goal of the attack is to trick AWS into shutting down legitimate paying customers' businesses?
Re: (Score:1)
If the addresses are indeed spoofed, Amazon could monitor their own network for packets leaving with the spoofed IP address.
Re: (Score:2)
If the packets were spoofed, then what makes you think they even came from Amazon's network?
Re: (Score:3, Informative)
Well, the story has the assumption that the attacks are coming from EC2. If they are indeed coming from EC2, then Amazon could find the source.
But if the source is outside of Amazon, with spoofed source addresses of EC2 instances that have nothing to do with the attacks... then well... that's another issue.
Re:Lazy? (Score:5, Informative)
At least one attack came from Amazon. I reported it, and Amazon has confirmed that it was their customer. The packets weren't spoofed, no attempt was made to hide their origin.
Re: (Score:3, Interesting)
Re: (Score:2)
But how do you know you aren't breaking legitimate traffic?
Re: (Score:1)
A different attack that really used address spoofing could cause the method I described to block legitimate traffic from a targeted site, but that would be a DoS, not a brute-force penetration
Re: (Score:1)
It is trivial for Amazon to confirm the report by actually observing the traffic themselves before they act.
Re: (Score:1)
Re: (Score:2)
Re: (Score:3, Insightful)
This is basically like an ISP arguing they are not responsible for spam sent by their downstream customers they provide internet connectivity to.
The IP addresses belong to the ISP, so they are ultimately responsible for handling any report of abuse in terms of network traffic from those IPs.
If the ISP does nothing, the IPs will eventually get blacklisted, and most blacklists will make the blacklist entry larger and larger until the ISP responds... e.g. start with blacklisting just that IP, then if it
Re: (Score:2)
The problem is that it's difficult to block EC2 because they are so popular. It was discussed where I work, and the conclusion was that it was infeasible.
Re: (Score:2)
And Amazon asked if they could shut it down... I think they gave me a 24 hour warning...
Amazon EC2 Flood Attacks Continue (Score:1)
Re: (Score:2)
Because Amazon is getting paid for their services. Amazon isn't making a loss when criminal syndicates use their services nor are they providing it for free to those organizations. They're probably still pumping cash into the whole EC2 thing since "cloud computing" isn't really as popular and world-changing in most businesses as was projected 5 years ago so they could probably use the $.50/GB at whatever rate these people are pumping out.
Re:What is an SIP attack? (Score:4, Funny)
Re:What is an SIP attack? (Score:4, Informative)
An IP-PBX system is a PBX system on an IP network. ;)
A PBX is a call center through which all phone calls for a specific area are routed - like a building or a telco's service area. It stands for Private Branch Exchange.
Re: (Score:3, Informative)
So, by definition, a SIP attack is a use of the protocol in an unauthorized way (trying to simulate an incoming call that doesn't exist, or trying to authenticate as an account that doesn't belong to you...) and even though there's no known theft of service yet, it still interferes with the legit users.
Re: (Score:2, Informative)
Re:What is an SIP attack? (Score:5, Informative)
SIP = Session Initiation Protocol, it's the protocol that sets up and tears down the session on a VOIP call. After the initial setup, VoIP uses RTP, or Real-time Transmission Protocol to transfer the call data packets, while SIP manages the connection itself (adding callers, changing addresses, adding video, etc).
SIP is an application layer protocol that sits on top of a transport protocol like TCP or UDP, which sits on top of the IP network layer. If not encrypted (it often isn't), it is vulnerable to everything TCP is, including DOS attacks, man in the middle attacks, packet sniffing, and various hardware related attacks like buffer overflows and such. Even encrypted it is still vulnerable to the hardware related attacks and DOS attacks.
What you can do with these attacks is the same as what you'd do with TCP attacks: eavesdropping, call re-routing, disconnecting calls, SIP agent impersonation to place new calls, etc.
Re: (Score:1)
Re: (Score:2, Insightful)
When did slashdot stop being news for the nerds?
Re: (Score:2)
What's not nerdy or newsworthy about network attacks on an IP-PBX system?
Or are we to assume that because someone is a nerd they must know everything about everything? If that were the case, why would nerds need news?
Morpheus attacks from EC2 also (Score:3, Informative)
Re:Morpheus attacks from EC2 also (Score:4, Interesting)
Re:Morpheus attacks from EC2 also (Score:5, Insightful)
Bezos is a smart businessman, and as such most of his properties are separate corporations that are friends of Amazon, but maintain the ability to go bankrupt if they go wrong without bankrupting Amazon.com. Such a warrant might get the attention of EC2... but there's no way it'd stretch all the way to Amazon.com unless there was some proof of a shared resource being involved.
Re: (Score:3, Insightful)
Because everyone knows the state attorney general is always eager to royally piss off the huge, multinational corporation with an army of lawyers who is headquartered in his state and contributes a massive amount of tax revenue and jobs to the local economy. Especially when the accusation comes from some people off the internet who aren't even in his jurisdiction and he is completely unqualified to even understand the nature of the attacks beyond "bad people doing bad things according to this guy....on the
Re: (Score:2)
But as we're constantly being told, File Sharers == Hackers == Organized Crime == Drug Lords == Kiddie Pornographers == TEH TERRARISTS!!!!!1!!!
How about we use that line of... "reasoning"... for good for once?
Re: (Score:3, Interesting)
> If a bunch of AG people and sheriffs descend on Amazon's offices with search warrants for "Any and all computers, disks, hardware, etc.", I think Amazon will take notice pretty quickly.
Interesting option. I would go one step further: since the attack has been committed from a virtual machine, it seems reasonable to confiscate for further analysis the virtual machine in question. Now this may not be as inconvenient for Amazon, but it also makes it more likely for them to cooperate.
The point being that t
What do you expect? (Score:2)
Re:What do you expect? (Score:4, Informative)
The complainant in the article actually e-mailed and called Amazon several times, and got several less-than-satisfactory responses. Evidently Amazon's solution is "mediation" - you're supposed to talk to the hackers and work something out! They have zero interest in actually shutting them down.
Re:What do you expect? (Score:5, Interesting)
They have zero interest in actually shutting them down.
Maybe if you flood-ping the offending IP from your attacked PBX their automated IDS will blackhole your IP.
Re: (Score:2)
I'm a bit suspicious of the correspondence in the article for a number of reasons:
Doesn't surprise me. (Score:4, Interesting)
I've been reporting an IM spammer for several weeks now, one hosting sites with a place called Flying Croc [flyingcroc.com]. I've even complained to their upstream provider [accretive-networks.com], but to no avail from either. Both of these have AUPs specifically prohibiting spamming from or spam being used to advertise sites on their network, but it seems the AUPs are only really intended to let the host disconnect someone they don't like, not actually to prevent their customers from launching an attack or spamming campaign. Or at least, the webcam sites being spammed for still trace right back to the same networks as they did.
Maybe there needs to be some mandatory service level from companies above a certain size (a response from a human within X days, etc.). Service seems to be getting worse and worse across the board. And maybe a requirement that if said company says something, it damn well better back it up when called upon to.
Re:Doesn't surprise me. (Score:4, Informative)
I can understand (to a degree) when a problem isn't directly addressed back. Sure, you detected it, and it's perfectly possible 10,000 other people reported the same thing.
Knowing a little about the business, and not having enough information from you, it may be possible that the destinations that you referenced had absolutely nothing to do with it. If the destination is an affiliate sales company (i.e., affiliates make a percentage of the sale that they sent), you may have simply bounced through a page that passed on their affiliate code and never noticed it.
http://hotchick.spammer/ [hotchick.spammer] redirects to http://some.cam.site?id=9999 [cam.site] which then redirects to http://some.cam.site/ [cam.site] . Some affiliate companies take that seriously, and will forbid any sales revenue from going to that affiliate. Then again, plenty see it as "not their problem" and enjoy the extra profits where they weren't directly involved in the illegal activities.
I've seen it where site X gets spammed for, which has links to Site Y, which then has the affiliate code for site Z. Go ahead and complain to Z, it won't do you a lot of good. It will do even less if site Z is responsible for over a million per year in revenue for their provider. If it's some schmuck with a $20/yr account, it'd probably be gone in minutes.
If I was at some large hosting company, it'd be perfectly possible to get tens (or hundreds) of thousands of complaints like yours daily. Is it worth tracking those to resolution and getting back directly to every complainer, or simply adding your complaint to the list? Ok, I would, but most won't.
I've been on the receiving end of complaints in the past. Most of the time, the complaints were misdirected anyways. "I got a spam". Sure you did. When it's reviewed, it's simply an email stating that their membership was expiring and if they wanted to continue service they should renew. Of hundreds of thousands of those sent, they'd generate maybe a few dozen complaints like that. Sometimes they were a hosted site where a newbie webmaster had put some mailto.cgi up, and folks were spamming through it. The upstream provider would send an email saying "We've received a bunch of these", and following them through we'd find the problem, and simply reply "It's been corrected". Corrected for us meant the cgi was disabled (like chmod 000) with an email to the webmaster about how not to be a dumbass.
Looking at the "upstream provider" web site, it looks like they're just reselling someone else's services. I could be mistaken, but I've never heard of them, and couldn't find much interesting online.
Re: (Score:3, Insightful)
Well, what's actually happening is spambots over MSN. If you tell it anything long enough (it can be "fuck you" or whatever you like), it'll tell you to "see me on cam" at a site. I set up a script to get the bots to give the link (since they all use the same one, that was relatively simple), and then tracerouted the site they were advertising.
Ultimately, the site being advertised is the one responsible, in my opinion, and their host should hold them responsible. They're either directly encouraging people t
Re: (Score:2)
You can email me and we can talk more about it in private, and see if we can hunt the source down a little better, or at least a better complaint route.
I have absolutely nothing against screwing with spammers. The place I was at that I was referencing, we had a huge spam problem. It was fairly high profile, so was inundated with email spam constantly. We went as far as building our own dynamic blacklist, and even setting firewall rules against spammers. It helped that it se
*Yawn* Nothing of Interest Here (Score:3, Informative)
Basically someone used EC2 to launch dictionary attacks against SIP providers. This could have been done from a data center or even by a botnet. He's just mad that Amazon ignored him.
This is nothing more than someone trying to improve security through whack-a-mole.
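What the dictionary attacks described in that post look like from the PBX's own log, as an added example that is not from the post or from any PBX project. The log lines are constructed in the style of Asterisk chan_sip registration-failure notices; the source addresses, usernames and thresholds are assumptions.

```python
# Added example, not from the post: spotting a SIP REGISTER dictionary attack
# in the PBX log. Lines are constructed in the style of Asterisk chan_sip
# failure notices; they are not real log data.
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<id>[^']*)' failed for '(?P<src>[\d.]+):\d+' - (?P<why>.*)"
)

ATTACK_LINE = ("[Apr 16 10:01:{sec:02d}] NOTICE[1234] chan_sip.c: Registration from "
               "'\"{user}\" <sip:{user}@203.0.113.5>' failed for "
               "'198.51.100.23:5060' - No matching peer found")
LEGIT_LINE = ("[Apr 16 10:03:{sec:02d}] NOTICE[1234] chan_sip.c: Registration from "
              "'\"alice\" <sip:alice@203.0.113.5>' failed for "
              "'203.0.113.77:5060' - Wrong password")


def sample_log():
    """Constructed: one source walks extensions 100-107 in eight seconds,
    while a real user mistypes her password twice."""
    return ([ATTACK_LINE.format(sec=i, user=100 + i) for i in range(8)]
            + [LEGIT_LINE.format(sec=10), LEGIT_LINE.format(sec=25)])


def parse(lines, year=2010):
    """Returns (timestamp, source_ip, username, reason) per failed REGISTER.
    The log has no year, so it is supplied by the caller."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        user = re.search(r"sip:([^@>]+)@", m["id"])
        events.append((ts, m["src"], user.group(1) if user else m["id"], m["why"]))
    return events


def detect(events, max_failures=5, window_s=60):
    """Sliding window per source: returns {src: (failures_in_window,
    distinct_usernames_tried)} for sources reaching max_failures within
    window_s seconds. Many distinct usernames is the dictionary-attack tell;
    a single username failing repeatedly is usually a misconfigured phone."""
    recent = defaultdict(deque)
    users = defaultdict(set)
    offenders = {}
    for ts, src, user, _ in sorted(events):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        users[src].add(user)
        if len(q) >= max_failures:
            offenders[src] = (len(q), len(users[src]))
    return offenders
```

The offender map is what a fail2ban-style jail or a firewall drop rule would act on; the distinct-username count is what separates a scanner from a user with a wrong password.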
Amazon is way too lax about abuse. (Score:4, Interesting)
Amazon is gaining a reputation as a house of ill repute, and they deserve it.
Re: (Score:1, Offtopic)
[Citation needed]
Re: (Score:2)
RTFA
The sound of silence (Score:1)
Amazon appears to have gone silent
Can you hear me now?
De-Peer (Score:2, Troll)
I'm sure they'd take notice if Tier 1 ISPs threatened to De-Peer them.
Re: (Score:2)
Won't happen, if they're paying the bills, and the bills are large. You really have to piss off the other Tier 1 providers to get cut off. Cogent got pretty good at that at least a couple times. :) I'd be willing to bet Amazon is actually paying their bills on time. Amazon appears to be well peered [fixedorbit.com], so it's not just one or two that'd have to drop them. The ones who didn't wouldn't mind the jump in revenue at all.
Re: (Score:1)
De-Peering isn't the only option.
Imagine if a bunch of Tier1 and Tier2 providers (who don't peer with them) adopted a policy of blocking all Amazon EC2 IP ranges at all border routers?
Re: (Score:3, Insightful)
Everybody running an IP-PBX could also just block the entire EC2 IP ranges too. It would be freakin hilarious if Spamhaus, Spamcop, or DenyHosts added their IP ranges. That would get some activity over at Amazon pretty gosh darn quick.
However, in all seriousness, there is a better and easier solution for SIP security.
1) Just block absolutely everybody and have a whitelist on what SIP packets can make it in. Add your VOIP providers and just open up RTP. If you have phones connecting over the Internet, an
Re: (Score:1)
4) What's with the 4-6 character passwords, or WORSE, the user name BEING the password? I guess that might be fine in a local network environment where there is a strong physical security presence
Here's what happens: the PBX starts as something local only, with access from only intranet and only company IP addresses allowed. Probably RFC 1918 private LAN IPs, maybe some external IP addresses of phones at other branches.
PBX admin initially designs a closed system, and everything works great, and is secu
Re: (Score:2)
I agree with pretty much everything you are saying, except......
That is no longer true. Maybe in the past, and you would have a point about balancing everything out, but it is no longer the case now.
My system swaps out the extension, context, authname, and secret automatically every couple of days via a cron job. Since my IP-PBX is database driven I don't need to deal
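An auditor for the weak-secret patterns complained about above (4-6 character secrets, the username used as the secret) plus a generator for replacements, as an added example; it is not the poster's cron job and not code from any PBX project. The sip.conf-style peer definitions, the 12-character minimum and the section-name-equals-username convention are assumptions.

```python
# Added example, not the poster's rotation job: audit Asterisk-style sip.conf
# peer sections for weak secrets and mint replacements. The config text
# below is constructed; the weakness rules are assumptions to tune locally.
import re
import secrets
import string

SAMPLE_SIP_CONF = """\
[general]
context=default

[1001]
type=friend
secret=1001
context=internal

[1002]
type=friend
secret=abc123

[1003]
type=friend
secret=Vq7#kLm2pZ9wXr4sT1bN
"""


def parse_peers(text):
    """Returns {section_name: {key: value}} for peer/friend/user sections only."""
    peers, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            peers[current] = {}
            continue
        if current and "=" in line:
            k, v = line.split("=", 1)
            peers[current][k.strip()] = v.strip()
    return {n: o for n, o in peers.items() if o.get("type") in ("friend", "peer", "user")}


def weaknesses(name, opts, min_len=12):
    """List of problems with one peer's secret (empty list means it passes)."""
    secret = opts.get("secret", "")
    if not secret:
        return ["no secret"]
    problems = []
    if secret == name:
        problems.append("secret equals username")
    if len(secret) < min_len:
        problems.append(f"shorter than {min_len}")
    if secret.isdigit() or secret.isalpha():
        problems.append("single character class")
    return problems


def audit(text):
    return {name: weaknesses(name, opts) for name, opts in parse_peers(text).items()}


def new_secret(length=24):
    """Replacement secret from the OS CSPRNG; letters and digits only so it
    survives being pasted into any phone's provisioning form."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```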
Re: (Score:1)
Maybe it's Amazon's new long distance service (Score:1)
benefit of the doubt, for now... (Score:3, Insightful)
Had I been hearing of lots of this sort of thing, I'd be less interested in giving them the benefit of the doubt. Since I haven't, I'd like to point out that often the type of behavior that Amazon is displaying right now is due to them working with law enforcement to catch the person...versus just shutting down the instances.
Re: (Score:2)
You can guess that sort of thing, and it *MIGHT* be true.
The problem is, that sounds an awful lot like the excuses that kept being given for the actions of various judges in the SCOx cases over the last seven years. And those were almost all eventually displayed to be wrong. So I have a hard time accepting that kind of excuse now.
It's true, the police are not the courts. But actually the courts have a better reputation for justice than do the police. And over the last seven years I've become convinced t
Re: (Score:2)
Not at all similar - SCO wasn't doing something for which they were criminally liable, they were doing something for which they were civilly liable. There aren't sting operations put in place by law enforcement to try to catch SCO and their FUD; law enforcement knows exactly where the SCO offices are.
Also note that I prefaced it by saying I am only willing to offer them that benefit due to the fact that I haven't heard complaints about this sort of thing before. Note that Amazon has it in their best inter
Simple and obvious solution: (Score:1, Troll)
Just block all IPs belonging to “cloud” servers. I mean, you know what kind of types use those services... the types that love management buzzwords. PHB types. And other people you wouldn’t exactly call “competent”... if you know what I mean.
You want to avoid any contact with such types anyway. So you can only benefit from blocking such enterprisey consultant hatcheries.
Re: (Score:1)
Re: (Score:1)
There is a piece of equipment that can handle this: it's called a router. And it can do all that in hardware at wire speed.
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
We're talking about SIP brute forcing here, not DoS. Most botnets are not large enough to emit a 1 million pps flood, especially not accidentally, while trying to brute force SIP registration.
Most of the ones that are large enough, are unlikely to be used to create such a large flood against you. They got so large by avoiding detection, and sending too large of floods from a node results in detection.
Large botnets get rented out to perform activities profitable to people who rent services from their o
Re: (Score:2)
Aaahh.. so the PHB types have got mod points. I see...
Them being PHBs, they obviously can’t stand reality, and rather kill the messenger (me).
Yay. Great job. Well done PHBs and in-a-castle-on-clouds-livers. Pat yourself on the back. Another problem “solved”.
Let’s see who’s the one laughing at who, in the end. ^^
Nanu (Score:1)
Why is Amazon allowing outgoing SIP connections? (Score:2)
Why is Amazon allowing outgoing SIP connections? That's just asking for trouble. Amazon probably shouldn't allow instances to open outgoing connections to external IP addresses (outside Amazon's "cloud") at all unless the customer signs up for that service. Most don't need it, and the ones that do need to be monitored more closely.
Re: (Score:2)
I hope you are being sarcastic here, right? I mean EC2 isn't only for simple web site hosting. There are tons of services that need outside access. SIP might be less common but it's still possible that someone would use it for legal things like alerting a sysadmin that his EC2 is spamming the world. I could see an ACL service being provided by Amazon as a good idea but in the end, a lot of people will just open everything to make debugging simple.
I do get a ton of EC2 scanning and ssh attacks on a VPS inst
Re: (Score:2)
VoIP is a nasty market ... (Score:2)
That's why you use IAX2 every time it's possible, even better if it's listening on a non-standard port. If you receive only big-ass traffic (carrier2carrier) you are already expecting traffic from certain IPs, and so you drop anything else at the firewall. If you also receive small traffic (softphones, etc) you use a different server for that, with different policies. All accounts require a mandatory huge password (md5 of a random number will do) and they all have a very clean and small per-month and per-da
Reporting is useless (Score:2, Informative)
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Not Rocket Surgery (Score:1)
Amazon should be compelled to remedy the attack (Score:1)
Re: (Score:1)
Could they just not... (Score:1)
Could they just not allow any of the cloud computing to even send out these specific attacks, or raise a flag to the admins what is going on, or are they helpless as their contracts bind them to allow whatever is going on to continue because they rented out those cycles and now can not touch them by law, because they are bound by contract?
Amazon responds (Score:1)
Re: (Score:1)