[asterisk-users] Being attacked by an Amazon EC2

Tzafrir Cohen tzafrir.cohen at xorcom.com
Tue Apr 13 03:37:06 CDT 2010


On Mon, Apr 12, 2010 at 04:58:42PM -0500, JR Richardson wrote:
> >>> Perhaps if there was an Asterisk RBL we could all contribute to; for
> >>> which we could then hook into and drop any connection where a
> >>> source IP is listed ? -- Thanks, Phil
> >>>
> >>
> >> I love the idea of a RBL... count me in for contributing.
> >>
> >> Especially considering the ridiculous response I received from
> >> Amazon. (Basically told me to submit host, destination, port, proto,
> >> and log... which of course was already included in the original
> >> complaint)
> >
> > I don't think anyone else brought up the Spamhaus DROP project.  It's a
> > blacklist of IP addresses and address ranges which are known to ONLY be
> > used for malicious purposes.
> >
> > http://www.spamhaus.org/drop/

This is for really bad spammers. In our case it would be used to block
Amazon AWS in the (completely unlikely!) case that they would do nothing
about those cases.

> >
> > We could establish something similar to that for VOIP attacks.  It may
> > not be exactly a trivial system to maintain such a list. (removing IPs
> > after X amount of time, disputing false claims etc).  Maybe someone
> > could contact spamhaus to create a list for VOIP since they seem to have
> > a nice system in place?
> >
> Hi All, good discussion, similar to ones we had a year or so ago.  The
> RBL concept is valid, at least to get a repository going that lists
> malicious activity specific to SIP attacks.
>
> I worked with Project Honeypot guys for a while, they are more than
> willing to assist, as they already have the backend work done for a
> clearing house identifying hackers.  The biggest issue we had a year
> ago was to create the mechanism in asterisk to push valid log messages
> out to the database and then determine what to do with that data?
> 
> I tried to bridge the gap between a few Asterisk developers and the
> Honeypot developers, ultimately the project stalled and I got busy
> with other matters.  If anyone here would like to pick up the torch
> and move this along, I can certainly provide info on how far along we
> got and contact info for the parties involved.
> 
> Please contact me if you have time to work on this and are interested.
>  I'm sure the Project Honeypot guys will be willing to pick this
> project back up and work on it.

I've been bitten too many times by over-zealous anti-spam black lists.
It's easy to get in. More difficult to be removed. And heck, I can
easily set up a few servers in Amazon which will generate faked logs
of "attacks" from your server, if I want to shut your phone system for a
couple of days.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir


