[asterisk-users] Being attacked by an Amazon EC2 ...

Gordon Henderson gordon+asterisk at drogon.net
Sun Apr 11 02:09:02 CDT 2010


On Sun, 11 Apr 2010, David Quinton wrote:

> On Sat, 10 Apr 2010 22:34:28 +0100 (BST), Gordon Henderson
> <gordon+asterisk at drogon.net> wrote:
>
>> Just a "heads-up" ... my home asterisk server is being flooded by someone
>> from IP 184.73.17.150 which is an Amazon EC2 instance by the looks of it -
>> they're trying to send SIP subscribes to one account - and they're
>> flooding the requests in - it's averaging some 600Kbits/sec of incoming
>> UDP data or about 200 a second )-:
>>
>> This is much worse than anything else I've seen.
>
> Same here but 184.73.17.122.

Ah, so not just me then. Looks like someone is (ab)using EC2 to try to 
hack people's systems, and they're not doing it nicely. 200 SIP 
registrations a second was enough to have a big impact on my 500MHz 
system.

> Look what they did to my latency, Gordon:-
> http://f8lure.mouselike.org/archived_graphs/westek.bizorg.co.uk_day10.png

Oddly enough my latency wasn't being affected at all - however what I was 
seeing was my ADSL router being crippled with 200 packets a second in & out 
- to the extent that something would go "bang" inside it and it would 
drop the PPPoA session and then re-start. This was an old Draytek 2600 - I 
replaced it with a new Draytek 2820 and it was then fine.

> I've had bookmarks to Fail2Ban links on my desktop for a year now.
> Guess I'll have to do something about it.

Fail2ban needs python which I won't run on a PBX, however there are many 
iptables runes to help anyway without the need to trawl through log-files. 
However, I've blocked it in the Draytek anyway.

The issue for me (and I suspect others) is that while we can firewall it, 
the data is still coming down the wires and for those of us who pay per 
byte transferred (or have fixed monthly caps on their broadband services) 
it could end up costing money or getting you cut-off.

> If, hypothetically, I'd put that IP into hosts.deny - would it have
> stopped them?

/etc/hosts.deny ? No. That would not have stopped it. Although I've just 
checked, it might - if it's using tcp-wrappers - and there is a post about it

   http://www.mail-archive.com/asterisk-dev@lists.digium.com/msg36772.html

but I don't know if it's implemented yet.

I emailed Amazon on their ec2-abuse address yesterday, but have not had a 
reply. My bet is that as long as they get the money, they don't care.

My broadband ISP is slow to react to support emails of this nature and I'm 
not sure they would block it anyway. I know my upstream hosting ISP would 
block it at their borders immediately if I asked, but fortunately they've 
not attacked them - yet.

It's still going on - and has been since 6am yesterday - that's now 26 
hours.

Gordon
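One of the "iptables runes" Gordon refers to, written out as an added example (not code from the thread or from Asterisk): a per-source rate limit on inbound UDP/5060 using the hashlimit match, so a single host sending hundreds of SUBSCRIBE or REGISTER requests a second is dropped in the kernel without any log parsing. TRUNK_IP, the thresholds and the SIPGUARD chain name are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the thread: rate-limit inbound SIP per source IP
# with iptables' hashlimit match. Hosts within the limit are handed back to
# the rest of INPUT; anything faster is logged (throttled) and dropped.
# Assumptions: SIP on UDP 5060; TRUNK_IP is the provider trunk and must never
# be limited; chain name and thresholds are my choices, tune for your site.

TRUNK_IP="${TRUNK_IP:-203.0.113.10}"     # constructed placeholder, use your real trunk
PER_SRC_RATE="${PER_SRC_RATE:-10/sec}"   # a legitimate phone sends far fewer than this
PER_SRC_BURST="${PER_SRC_BURST:-30}"     # tolerate a short burst (handsets re-registering)

# Emit the rule set as text so it can be reviewed (or tested) before applying.
sip_guard_rules() {
    cat <<EOF
iptables -N SIPGUARD
iptables -A INPUT -p udp --dport 5060 -j SIPGUARD
iptables -A SIPGUARD -s $TRUNK_IP -j RETURN
iptables -A SIPGUARD -m hashlimit --hashlimit-name sipguard --hashlimit-mode srcip --hashlimit-upto $PER_SRC_RATE --hashlimit-burst $PER_SRC_BURST -j RETURN
iptables -A SIPGUARD -m limit --limit 1/min -j LOG --log-prefix "SIPGUARD drop: "
iptables -A SIPGUARD -j DROP
EOF
}

# Undo the above. Order matters: unhook from INPUT, flush, then delete.
sip_guard_teardown_rules() {
    cat <<EOF
iptables -D INPUT -p udp --dport 5060 -j SIPGUARD
iptables -F SIPGUARD
iptables -X SIPGUARD
EOF
}

# Apply only when running as root; otherwise just print what would be done.
sip_guard_apply() {
    if [ "$(id -u)" -eq 0 ]; then
        sip_guard_rules | sh -e
    else
        echo "# not root: printing rules instead of applying them" >&2
        sip_guard_rules
    fi
}
```

As the thread points out, this stops the PBX and router from doing work on the flood but the packets still arrive on the line, so a metered or capped connection still pays for them.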
