[asterisk-users] Being attacked by an Amazon EC2 ...

Zeeshan Zakaria zishanov at gmail.com
Sun Apr 11 07:00:28 CDT 2010


My experience is that as long as the hackers are getting any kind of
response from your server, they'll keep their attack on, in the hope that
they'll get into your system sooner or later. After all it is just some
computers doing the work for them, no human is physically getting tired here.
This is why when you block them in your iptables, and they stop getting
response from your end, i.e. no ping reply, no sip response, nothing
basically, then they eventually take their attack somewhere else probably
because they (or their hack attempt software) either assume that the ip they
were attacking is no longer valid for the attack or the user has taken
enough security measures that attacking him is not worth the effort.

On the contrary, in my experience, if you don't block them, eventually attacks
increase. Probably they let their other hacker friends know too that your
server is a good candidate for a hack attempt.

Obviously it's only the ISPs who can truly stop such attacks by blocking
them at their routers. If the hackers decide to keep bugging you,
unfortunately there is nothing you can do to prevent the waste of your bandwidth.

But I wonder if one's router doesn't respond back, e.g. it is physically
off, and someone is doing such an attack, do the ISPs still consider it
bandwidth usage?

Zeeshan A Zakaria

--
Sent from my Android phone with K-9 Mail.

On 2010-04-11 7:41 AM, "Gordon Henderson" <gordon+asterisk at drogon.net> wrote:

On Sun, 11 Apr 2010, --[ UxBoD ]-- wrote:

> In the end I set up OSSEC (http://www.ossec.net) and wr...
Cheers - but it's not blocking that's the real issue, that's trivial in my
router or on the PBX, it's that my monthly ADSL data cap is being used up
and my ISP is not responding (actually, they might if I phone them, but
it's not desperate right now as I'm unlimited at the weekend), and neither
is Amazon.

My current monthly peak-time cap is 45GB - 8am to 8pm and they seem to
be eating up some 7-10GB a day... So I might actually be OK and can just
"weather it out", but it's still annoying.

I'm tempted to just block all of Amazon's EC2 and say to hell with them.
Shouldn't be too hard to track them down - eg. from whois on that IP:

NetRange:   72.44.32.0 - 72.44.63.255
CIDR:       72.44.32.0/19
NetName:    AMAZON-EC2-2

NetRange:   75.101.128.0 - 75.101.255.255
CIDR:       75.101.128.0/17
NetName:    AMAZON-EC2-4

NetRange:   67.202.0.0 - 67.202.63.255
CIDR:       67.202.0.0/18
NetName:    AMAZON-EC2-3

NetRange:   174.129.0.0 - 174.129.255.255
CIDR:       174.129.0.0/16
NetName:    AMAZON-EC2-5

NetRange:   204.236.128.0 - 204.236.255.255
CIDR:       204.236.128.0/17
NetName:    AMAZON-EC2-6

NetRange:   184.72.0.0 - 184.73.255.255
CIDR:       184.72.0.0/15
NetName:    AMAZON-EC2-7

(so much for running out of IPv4 address space when Amazon has millions)

And there are well-known published lists for all Chinese hosts, etc.
too. Easy enough to cook up iptables to allow data from sites I connect
out to, but block all incoming new connections.

Gordon
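
The two measures discussed in this message (dropping the EC2 ranges reported by whois, and letting in only replies to connections the host opened itself) can be generated as one ruleset. This is an added example, not part of the original thread: the function names, the constructed EXAMPLE-NET record and the FORWARD policy are assumptions.

```shell
# Added example. The first two whois records are quoted in the message; the
# third is constructed (documentation range) to show a comma-separated CIDR line.
WHOIS_SAMPLE='NetRange:   72.44.32.0 - 72.44.63.255
CIDR:       72.44.32.0/19
NetName:    AMAZON-EC2-2

NetRange:   184.72.0.0 - 184.73.255.255
CIDR:       184.72.0.0/15
NetName:    AMAZON-EC2-7

NetRange:   198.51.100.0 - 198.51.100.191
CIDR:       198.51.100.0/25, 198.51.100.128/26
NetName:    EXAMPLE-NET'

# Read whois text on stdin, print "CIDR NetName" pairs, skip malformed prefixes.
extract_cidrs() {
    awk '
    function ok(s,   p, k) {
        if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) return 0
        split(s, p, "[./]")
        for (k = 1; k <= 4; k++) if (p[k] > 255) return 0
        return p[5] <= 32
    }
    $1 == "CIDR:"    { cidrs = $0; sub(/^CIDR:/, "", cidrs); gsub(/,/, " ", cidrs) }
    $1 == "NetName:" { n = split(cidrs, c, " ")
                       for (i = 1; i <= n; i++) if (ok(c[i])) print c[i], $2
                       cidrs = "" }'
}

# Read whois text on stdin, write an iptables-restore ruleset to stdout.
# Nothing is loaded here; assumes a PBX host (not a router), so FORWARD is DROP.
emit_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # DROP rather than REJECT, so the sender gets no response of any kind.
    extract_cidrs | while read -r cidr name; do
        echo "-A INPUT -s $cidr -m comment --comment $name -j DROP"
    done
    # ACCEPT rules for trusted SIP peers would go here, after the drops.
    echo 'COMMIT'
}
printf '%s\n' "$WHOIS_SAMPLE" | emit_ruleset
```

Review the output before loading it with iptables-restore, which replaces the existing filter table. With an INPUT policy of DROP, the per-range rules only matter once broader ACCEPT rules are added after them.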

