[asterisk-users] Being attacked by an Amazon EC2 ...
mark at msitgroup.ltd.uk
Sun Apr 11 10:05:53 CDT 2010
--[ UxBoD ]-- <uxbod <at> splatnix.net> writes:
> ----- Original Message -----
> > On Sun, 11 Apr 2010, David Quinton wrote:
> > > On Sat, 10 Apr 2010 22:34:28 +0100 (BST), Gordon Henderson
> > > <gordon+asterisk <at> drogon.net> wrote:
> > >
> > >> Just a "heads-up" ... my home asterisk server is being flooded by
> > >> someone from IP 188.8.131.52 which is an Amazon EC2 instance by
> > >> the looks of it -
> > >> they're trying to send SIP subscribes to one account - and they're
> > >> flooding the requests in - it's averaging some 600Kbits/sec of
> > >> incoming
> > >> UDP data or about 200 a second )-:
> > >>
> > >> This is much worse than anything else I've seen.
> > >
> > > Same here but 184.108.40.206.
> > Ah, so not just me then. Looks like someone is (ab)using EC2 to try to
> > hack people's systems, and they're not doing it nicely. 200 SIP
> > registrations a second was enough to have a big impact on my 500MHz
> > system.
> > > Look what they did to my latency, Gordon:-
> > > http://f8lure.mouselike.org/archived_graphs/westek.bizorg.co.uk_day10.png
> > Oddly enough my latency wasn't being affected at all - however what I
> > was seeing was my ADSL router being crippled with 200 packets a second
> > in & out
> > - to the extent that something would go "bang" inside it and it would
> > drop the PPPoA session and then re-start. This was an old Draytek 2600
> > - I
> > replaced it with a new Draytek 2820 and it was then fine.
> > > I've had bookmarks to Fail2Ban links on my desktop for a year now.
> > > Guess I'll have to do something about it.
> > Fail2ban needs python which I won't run on a PBX, however there are
> > many iptables runes to help anyway without the need to trawl through
> > log-files. However, I've blocked it in the draytek anyway.
> > The issue for me (and I suspect others) is that while we can firewall
> > it, the data is still coming down the wires and for those of us who
> > pay per
> > byte transferred (or have fixed monthly caps on their broadband
> > services) it could end up costing money or getting you cut-off.
> > > If, hypothetically, I'd put that IP into hosts.deny - would it have
> > > stopped them?
> > /etc/hosts.deny ? No. That would not have stopped it. Although I've
> > just checked it might - if it's using tcp-wrappers and there is a post
> > about it
> > http://www.mail-archive.com/asterisk-dev <at>
> > but I don't know if it's implemented yet.
> > I emailed Amazon on their ec2-abuse address yesterday, but have not
> > had a
> > reply. My bet is that as long as they get the money, they don't care.
> > My broadband ISP is slow to react to support emails of this nature and
> > I'm not sure they would block it anyway. I know my upstream hosting
> > ISP would
> > block it at their borders immediately if I asked, but fortunately
> > they've not attacked them - yet.
> > It's still going on - and has been since 6am yesterday - that's now 26
> > hours.
> > Gordon
> Gordon, I had one a while ago hitting my system from EC2. Like yourself I
> did report it, though it took about 24 hours for them to get back to me.
> They asked for proof that the attack was from one of their IP spaces. I sent
> the necessary information and the attack did stop. It would be nice if they
> reacted a bit quicker, though I guess it depends on how many people are
> reporting issues.
> In the end I set up OSSEC (http://www.ossec.net) and wrote a rule that would
> monitor for failed SIP registrations. If a few occurred within a short space
> of time the Active Response kicks in and blocks the IP address using
> IPTables.
Same this end from 220.127.116.11.
Use this little piece of iptables magic to block the whole of Amazon's EC2 ip-
iptables -A INPUT -m iprange --src-range 18.104.22.168-22.214.171.124 -j DROP
iptables -A INPUT -m iprange --src-range 126.96.36.199-188.8.131.52 -j DROP
iptables -A INPUT -m iprange --src-range 184.108.40.206-220.127.116.11 -j DROP
iptables -A INPUT -m iprange --src-range 18.104.22.168-22.214.171.124 -j DROP
iptables -A INPUT -m iprange --src-range 126.96.36.199-188.8.131.52 -j DROP
iptables -A INPUT -m iprange --src-range 184.108.40.206-220.127.116.11 -j DROP
iptables -A INPUT -m iprange --src-range 18.104.22.168-22.214.171.124 -j DROP
iptables -A INPUT -m iprange --src-range 126.96.36.199-188.8.131.52 -j DROP
iptables -A INPUT -m iprange --src-range 184.108.40.206-220.127.116.11 -j DROP
iptables -A INPUT -m iprange --src-range 18.104.22.168-22.214.171.124 -j DROP
service iptables save
This sorts it out in the short-term until Amazon realise their service is
being utilised by arseholes.
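The two approaches discussed in this thread, a log-driven ban of sources with repeated failed REGISTERs (what UxBoD's OSSEC rule does) and a packet-level rate limit that needs no log parsing at all (the "iptables runes" Gordon mentions), worked through as an added example. This is not code posted by any participant and not OSSEC's, fail2ban's or Asterisk's own implementation. It assumes chan_sip NOTICE lines in the Asterisk 1.4/1.6 format (1.8+ appends ':port' to the host, which is handled), SIP on UDP/5060, and a plain INPUT chain; the log lines in SAMPLE_LOG are constructed for the example and do not come from any real server. Because it only reads the log, it can run on a syslog host rather than on the PBX itself, which sidesteps Gordon's objection to running Python on the phone system.

```python
"""Ban brute-force SIP registration sources seen in an Asterisk log, and
emit a `recent`-based rate limit for SIP floods.  Added example for this
thread; assumptions are noted inline."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Shape of a failed REGISTER as chan_sip logs it (assumption: 1.4/1.6 format,
# with the optional ':port' suffix that 1.8+ adds to the host).
FAILED_REG = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?'"
    r" - (?P<reason>.+)$"
)


def _fail(ts, user, host, reason):
    """Build one constructed failed-registration line in the format above."""
    return (f"[Apr 11 {ts}] NOTICE[2345] chan_sip.c: Registration from "
            f"'\"{user}\"<sip:{user}@{host.split(':')[0]}>' failed for '{host}' - {reason}")


# Constructed sample: one source hammering account 100, one source with two
# stray failures minutes apart, and a successful registration to be ignored.
SAMPLE_LOG = [
    _fail("06:00:01", "100", "203.0.113.9", "Wrong password"),
    _fail("06:00:01", "100", "203.0.113.9", "Wrong password"),
    _fail("06:00:02", "201", "198.51.100.7:5060", "No matching peer found"),
    _fail("06:00:02", "100", "203.0.113.9", "Wrong password"),
    _fail("06:00:03", "100", "203.0.113.9", "Wrong password"),
    _fail("06:00:03", "100", "203.0.113.9", "Wrong password"),
    _fail("06:00:04", "100", "203.0.113.9", "Wrong password"),
    "[Apr 11 06:00:05] VERBOSE[2345] chan_sip.c:     -- Registered SIP '101' at 192.0.2.44:5060",
    _fail("06:05:30", "201", "198.51.100.7:5060", "Wrong password"),
]


def parse_failures(lines, year=2010):
    """Yield (timestamp, source_ip, reason) for each failed-registration line.
    Asterisk omits the year from its timestamps, so the caller supplies it."""
    for line in lines:
        m = FAILED_REG.match(line)
        if not m:
            continue  # successful registrations, verbose output, anything else
        stamp = " ".join(m["ts"].split())  # collapse padding before single-digit days
        yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m["ip"], m["reason"]


def find_offenders(lines, threshold=5, window_seconds=60, year=2010):
    """Source IPs with at least `threshold` failed registrations inside any
    `window_seconds` span.  A real phone re-registers every few minutes and
    fails once or twice at most, so five failures in a minute is a scanner."""
    recent = defaultdict(deque)
    offenders = set()
    for ts, ip, _reason in parse_failures(lines, year):
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window_seconds:
            hits.popleft()  # expire attempts that fell out of the window
        if len(hits) >= threshold:
            offenders.add(ip)
    return offenders


def ban_commands(ips, chain="INPUT"):
    """iptables commands dropping SIP from each offender, inserted at position 1
    so they win over any earlier ACCEPT for udp/5060 (assumption: SIP on UDP)."""
    return [f"iptables -I {chain} 1 -p udp --dport 5060 -s {ip} -j DROP"
            for ip in sorted(ips)]


def rate_limit_commands(chain="INPUT", hitcount=20, seconds=1):
    """Packet-level counterpart for floods like the 200 SUBSCRIBEs/s in the
    thread: the `recent` match drops any source that sends more than `hitcount`
    SIP packets in `seconds`, without reading the log at all.  `hitcount` cannot
    exceed the module's default ip_pkt_list_tot of 20 without a module option."""
    base = f"iptables -A {chain} -p udp --dport 5060 -m recent --name sipflood"
    return [f"{base} --set",
            f"{base} --update --seconds {seconds} --hitcount {hitcount} -j DROP"]


if __name__ == "__main__":
    # Print rather than execute, so the rules can be reviewed before being
    # piped into a shell on the firewall.
    for cmd in rate_limit_commands() + ban_commands(find_offenders(SAMPLE_LOG)):
        print(cmd)
```

Both rule sets are targeted at the abusive source rather than at every address Amazon owns, so they do not cut off legitimate SIP peers or web traffic hosted on EC2. Neither stops the packets from arriving on the line, which is Gordon's real complaint: only the ISP or the cloud provider can do that. Setting alwaysauthreject=yes in sip.conf is also worth doing, since it stops the "No matching peer found" reply from telling the scanner which account names exist.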