[asterisk-users] Being attacked by an Amazon EC2 ...
Gordon Henderson
gordon+asterisk at drogon.net
Sun Apr 11 02:09:02 CDT 2010
On Sun, 11 Apr 2010, David Quinton wrote:
> On Sat, 10 Apr 2010 22:34:28 +0100 (BST), Gordon Henderson
> <gordon+asterisk at drogon.net> wrote:
>
>> Just a "heads-up" ... my home asterisk server is being flooded by someone
>> from IP 184.73.17.150 which is an Amazon EC2 instance by the looks of it -
>> they're trying to send SIP subscribes to one account - and they're
>> flooding the requests in - it's averaging some 600Kbits/sec of incoming
>> UDP data or about 200 a second )-:
>>
>> This is much worse than anything else I've seen.
>
> Same here but 184.73.17.122.
Ah, so not just me then. Looks like someone is (ab)using EC2 to try to
hack people's systems, and they're not doing it nicely. 200 SIP
registrations a second was enough to have a big impact on my 500MHz
system.
> Look what they did to my latency, Gordon:-
> http://f8lure.mouselike.org/archived_graphs/westek.bizorg.co.uk_day10.png
Oddly enough my latency wasn't being affected at all - however what I was
seeing was my ADSL router being crippled with 200 packets a second in & out
- to the extent that something would go "bang" inside it and it would
drop the PPPoA session and then re-start. This was an old Draytek 2600 - I
replaced it with a new Draytek 2820 and it was then fine.
> I've had bookmarks to Fail2Ban links on my desktop for a year now.
> Guess I'll have to do something about it.
Fail2ban needs Python, which I won't run on a PBX; however there are many
iptables runes to help anyway without the need to trawl through log-files.
However, I've blocked it in the Draytek anyway.
The issue for me (and I suspect others) is that while we can firewall it,
the data is still coming down the wires, and for those of us who pay per
byte transferred (or have fixed monthly caps on their broadband services)
it could end up costing money or getting you cut off.
> If, hypothetically, I'd put that IP into hosts.deny - would it have
> stopped them?
/etc/hosts.deny? No. That would not have stopped it. Although, I've just
checked, and it might - if it's using tcp-wrappers. There is a post about it:
http://www.mail-archive.com/asterisk-dev@lists.digium.com/msg36772.html
but I don't know if it's implemented yet.
I emailed Amazon on their ec2-abuse address yesterday, but have not had a
reply. My bet is that as long as they get the money, they don't care.
My broadband ISP is slow to react to support emails of this nature and I'm
not sure they would block it anyway. I know my upstream hosting ISP would
block it at their borders immediately if I asked, but fortunately they've
not attacked them - yet.
It's still going on - and has been since 6am yesterday - that's now 26
hours.
Gordon
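As an added example (not code from this thread, the Asterisk project, or any of the posters): a small Python detector that counts SIP SUBSCRIBE requests per source address in a sliding one-second window, flags sources well above the ~200/s rate quoted in the post, emits a per-source drop rule, and shows the log-free iptables hashlimit alternative the reply alludes to. The log line format, threshold, sample addresses and port 5060 are assumptions made for the example.

```python
from collections import defaultdict, deque

THRESHOLD = 50    # assumed: SUBSCRIBEs per source per window before it counts as a flood
WINDOW_MS = 1000  # one-second window, matching the "200 a second" figure in the post
SIP_PORT = 5060   # assumed: standard SIP UDP port

def parse_line(line):
    """Parse a constructed log line of the form '<epoch_ms> <src_ip> <SIP method>'."""
    ts, ip, method = line.split()
    return int(ts), ip, method

def flooding_sources(lines, method="SUBSCRIBE", threshold=THRESHOLD, window_ms=WINDOW_MS):
    """Return {src_ip: peak count} for sources exceeding `threshold` requests of `method` in any window (lines in time order)."""
    recent = defaultdict(deque)  # src_ip -> timestamps still inside the current window
    peaks = {}
    for line in lines:
        ts, ip, m = parse_line(line)
        if m != method:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window_ms:  # slide the window forward, dropping old timestamps
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def drop_rule(ip, port=SIP_PORT):
    """Firewall rule that silently drops further SIP from one offending source."""
    return f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"

def hashlimit_rule(per_sec=THRESHOLD, port=SIP_PORT):
    """Log-free alternative: per-source rate limit done entirely inside iptables."""
    return (f"iptables -I INPUT -p udp --dport {port} -m hashlimit "
            f"--hashlimit-name sip --hashlimit-mode srcip "
            f"--hashlimit-above {per_sec}/sec --hashlimit-burst {per_sec} -j DROP")

# Constructed sample: one host sending SUBSCRIBE every 5 ms (200/s, as in the post)
# alongside a legitimate phone that re-subscribes every 30 s.
BASE = 1270960000000  # constructed epoch in milliseconds
SAMPLE = sorted([f"{BASE + 5 * i} 192.0.2.10 SUBSCRIBE" for i in range(300)]
                + [f"{BASE + 30000 * i} 198.51.100.5 SUBSCRIBE" for i in range(3)],
                key=lambda s: int(s.split()[0]))

if __name__ == "__main__":
    for ip, peak in flooding_sources(SAMPLE).items():
        print(f"{ip}: peak {peak} SUBSCRIBEs per {WINDOW_MS} ms -> {drop_rule(ip)}")
    print(hashlimit_rule())
```

Note that the per-source drop only stops the packets at your own box; as the post says, the bytes still arrive on the line, so the abuse report upstream is what actually removes the traffic.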