[asterisk-users] Being attacked by an Amazon EC2 ...

--[ UxBoD ]-- uxbod at splatnix.net
Sun Apr 11 04:31:17 CDT 2010


----- Original Message -----
> On Sun, 11 Apr 2010, David Quinton wrote:
> 
> > On Sat, 10 Apr 2010 22:34:28 +0100 (BST), Gordon Henderson
> > <gordon+asterisk at drogon.net> wrote:
> >
> >> Just a "heads-up" ... my home asterisk server is being flooded by
> >> someone from IP 184.73.17.150 which is an Amazon EC2 instance by
> >> the looks of it -
> >> they're trying to send SIP subscribes to one account - and they're
> >> flooding the requests in - it's averaging some 600Kbits/sec of
> >> incoming
> >> UDP data or about 200 a second )-:
> >>
> >> This is much worse than anything else I've seen.
> >
> > Same here but 184.73.17.122.
> 
> Ah, so not just me then. Looks like someone is (ab)using EC2 to try to
> hack peoples systems, and they're not doing it nicely. 200 SIP
> registrations a second was enough to have a big impact on my 500MHz
> system.
> 
> > Look what they did to my latency, Gordon:-
> > http://f8lure.mouselike.org/archived_graphs/westek.bizorg.co.uk_day10.png
> 
> Oddly enough my latency wasn't being affected at all - however what I
> was seeing was my ADSL router being crippled with 200 packets a second
> in & out - to the extent that something would go "bang" inside it and it
> would drop the PPPoA session and then re-start. This was an old Draytek
> 2600 - I replaced it with a new Draytek 2820 and it was then fine.
> 
> > I've had bookmarks to Fail2Ban links on my desktop for a year now.
> > Guess I'll have to do something about it.
> 
> Fail2ban needs python which I won't run on a PBX, however there are
> many iptables runes to help anyway without the need to trawl through
> log-files. However, I've blocked it in the Draytek anyway.
> 
> The issue for me (and I suspect others) is that while we can firewall
> it, the data is still coming down the wires and for those of us who
> pay per byte transferred (or have fixed monthly caps on their broadband
> services) it could end up costing money or getting you cut-off.
> 
> > If, hypothetically, I'd put that IP into hosts.deny - would it have
> > stopped them?
> 
> /etc/hosts.deny ? No. That would not have stopped it. Although I've
> just checked, and it might - if it's using tcp-wrappers - and there is a
> post about it
> 
> http://www.mail-archive.com/asterisk-dev@lists.digium.com/msg36772.html
> 
> but I don't know if it's implemented yet.
> 
> I emailed Amazon on their ec2-abuse address yesterday, but have not
> had a reply. My bet is that as long as they get the money, they don't
> care.
> 
> My broadband ISP is slow to react to support emails of this nature and
> I'm not sure they would block it anyway. I know my upstream hosting
> ISP would
> block it at their borders immediately if I asked, but fortunately
> they've not attacked them - yet.
> 
> It's still going on - and has been since 6am yesterday - that's now 26
> hours.
> 
> Gordon
> 
Gordon, I had one a while ago hitting my system from EC2.  Like yourself I did report it though it took about 24 hours for them to get back to me.  They asked for proof that the attack was from one of their IP spaces.  I sent the necessary information and the attack did stop.  It would be nice if they reacted a bit quicker; though I guess it depends on how many people are reporting issues.

In the end I set up OSSEC (http://www.ossec.net) and wrote a rule that would monitor for failed SIP registrations. If a few occurred within a short space of time the Active Response kicks in and blocks the IP address using IPTables.
-- 
Thanks, Phil
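An added example of the detect-and-block approach Phil describes, and of the log-free iptables rate limit Gordon alludes to. This is not OSSEC rule syntax or code from anyone in the thread: it parses the chan_sip "Registration from ... failed for ..." NOTICE lines that Asterisk writes to its log, counts failures per source address in a sliding window, and returns the iptables commands an active-response hook would run. The log lines are constructed for the example, the threshold (5 failures in 60 seconds), the 20 packets/second rate limit and the SIP_BLOCK chain name are assumptions, and nothing here actually executes iptables.

```python
"""Detect SIP REGISTER brute force in Asterisk log lines and build the
iptables response. Added example; log lines, thresholds and chain name are
constructed/assumed, not taken from the thread or from OSSEC."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Shape of the chan_sip notice on a failed REGISTER, e.g.
# [Apr 11 06:02:13] NOTICE[2145] chan_sip.c: Registration from '"100" <sip:100@pbx>' failed for '184.73.17.150' - Wrong password
# Later Asterisk releases append ':port' to the address, so the port is optional.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<user>[^']*)' failed for '(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.*)$"
)

# Constructed sample log: one source hammering several accounts, one source
# with two isolated failures, one unrelated successful registration.
SAMPLE_LOG = """\
[Apr 11 06:02:13] NOTICE[2145] chan_sip.c: Registration from '"100" <sip:100@pbx.example.net>' failed for '184.73.17.150' - Wrong password
[Apr 11 06:02:13] NOTICE[2145] chan_sip.c: Registration from '"100" <sip:100@pbx.example.net>' failed for '184.73.17.150' - Wrong password
[Apr 11 06:02:14] NOTICE[2145] chan_sip.c: Registration from '"100" <sip:100@pbx.example.net>' failed for '184.73.17.150' - Wrong password
[Apr 11 06:02:14] VERBOSE[2145] chan_sip.c:     -- Registered SIP '201' at 192.168.1.20 port 5060
[Apr 11 06:02:15] NOTICE[2145] chan_sip.c: Registration from '"101" <sip:101@pbx.example.net>' failed for '184.73.17.150' - No matching peer found
[Apr 11 06:02:15] NOTICE[2145] chan_sip.c: Registration from '"200" <sip:200@pbx.example.net>' failed for '10.0.0.5' - Wrong password
[Apr 11 06:02:16] NOTICE[2145] chan_sip.c: Registration from '"102" <sip:102@pbx.example.net>' failed for '184.73.17.150:5060' - No matching peer found
[Apr 11 06:09:40] NOTICE[2145] chan_sip.c: Registration from '"200" <sip:200@pbx.example.net>' failed for '10.0.0.5' - Wrong password
"""


def parse_failed_registration(line):
    """Return (timestamp, source_ip, reason) for a failed-REGISTER notice, else None.

    Asterisk omits the year, so the datetime is only good for differences
    between lines of the same log, which is all the window logic needs."""
    m = FAILED_REG.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("reason")


def offending_ips(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failures per source address.

    Returns {ip: failures_in_window} for every source that reached
    `threshold` failures inside `window`, recorded at the moment it crossed."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    blocked = {}
    for line in lines:
        parsed = parse_failed_registration(line)
        if parsed is None:
            continue
        ts, ip, _reason = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in blocked:
            blocked[ip] = len(q)
    return blocked


def block_commands(ips, chain="SIP_BLOCK"):
    """iptables commands an active-response hook would run; returned, not executed.
    Assumes `chain` exists and INPUT jumps to it (hypothetical chain name)."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(ips)]


# Stateless alternative needing no log parsing: drop any source sending more
# than 20 SIP packets/second (xt_hashlimit keyed on source address). The rate
# is an assumption; a legitimate phone re-registers far less often than that.
RATE_LIMIT_RULE = (
    "iptables -A INPUT -p udp --dport 5060 -m hashlimit --hashlimit-name sip "
    "--hashlimit-mode srcip --hashlimit-above 20/sec -j DROP"
)

if __name__ == "__main__":
    for cmd in block_commands(offending_ips(SAMPLE_LOG.splitlines())):
        print(cmd)
    print(RATE_LIMIT_RULE)
```

Run against the sample, 184.73.17.150 crosses the threshold on its fifth failure within three seconds and gets a DROP rule, while 10.0.0.5 does not because its two failures are seven minutes apart. Either rule only stops the packets at the host; as Gordon points out, the bytes still arrive on the line, so the provider-side abuse report remains the only fix for the bandwidth cost.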
