[asterisk-users] Being attacked by an Amazon EC2 ...

Mark Smith mark at msitgroup.ltd.uk
Sun Apr 11 10:05:53 CDT 2010


--[ UxBoD ]-- <uxbod <at> splatnix.net> writes:

> 
> ----- Original Message -----
> > On Sun, 11 Apr 2010, David Quinton wrote:
> > 
> > > On Sat, 10 Apr 2010 22:34:28 +0100 (BST), Gordon Henderson
> > > <gordon+asterisk <at> drogon.net> wrote:
> > >
> > >> Just a "heads-up" ... my home asterisk server is being flooded by
> > >> someone from IP 184.73.17.150 which is an Amazon EC2 instance by
> > >> the looks of it -
> > >> they're trying to send SIP subscribes to one account - and they're
> > >> flooding the requests in - it's averaging some 600Kbits/sec of
> > >> incoming
> > >> UDP data or about 200 a second )-:
> > >>
> > >> This is much worse than anything else I've seen.
> > >
> > > Same here but 184.73.17.122.
> > 
> > Ah, so not just me then. Looks like someone is (ab)using EC2 to try to
> > hack people's systems, and they're not doing it nicely. 200 SIP
> > registrations a second was enough to have a big impact on my 500MHz
> > system.
> > 
> > > Look what they did to my latency, Gordon:-
> > > http://f8lure.mouselike.org/archived_graphs/westek.bizorg.co.uk_day10.png
> > 
> > Oddly enough my latency wasn't being affected at all - however what I
> > was seeing was my ADSL router being crippled with 200 packets a second
> > in & out - to the extent that something would go "bang" inside it and
> > it would drop the PPPoA session and then re-start. This was an old
> > Draytek 2600 - I replaced it with a new Draytek 2820 and it was then
> > fine.
> > 
> > > I've had bookmarks to Fail2Ban links on my desktop for a year now.
> > > Guess I'll have to do something about it.
> > 
> > Fail2ban needs python which I won't run on a PBX, however there are
> > many iptables runes to help anyway without the need to trawl through
> > log-files. However, I've blocked it in the Draytek anyway.
> > 
> > The issue for me (and I suspect others) is that while we can firewall
> > it, the data is still coming down the wires and for those of us who
> > pay per byte transferred (or have fixed monthly caps on their broadband
> > services) it could end up costing money or getting you cut-off.
> > 
> > > If, hypothetically, I'd put that IP into hosts.deny - would it have
> > > stopped them?
> > 
> > /etc/hosts.deny ? No. That would not have stopped it. Although I've
> > just checked it might - if it's using tcp-wrappers and there is a post
> > about it
> > 
> > http://www.mail-archive.com/asterisk-dev <at> lists.digium.com/msg36772.html
> > 
> > but I don't know if it's implemented yet.
> > 
> > I emailed Amazon on their ec2-abuse address yesterday, but have not
> > had a reply. My bet is that as long as they get the money, they don't
> > care.
> > 
> > My broadband ISP is slow to react to support emails of this nature and
> > I'm not sure they would block it anyway. I know my upstream hosting
> > ISP would block it at their borders immediately if I asked, but
> > fortunately they've not attacked them - yet.
> > 
> > It's still going on - and has been since 6am yesterday - that's now 26
> > hours.
> > 
> > Gordon
> > 
> Gordon, I had one a while ago hitting my system from EC2.  Like yourself I
> did report it though it took about 24 hours for them to get back to me.
> They asked for proof that the attack was from one of their IP spaces.  I
> sent the necessary information and the attack did stop.  It would be nice
> if they reacted a bit quicker; though I guess it depends on how many
> people are reporting issues.
> 
> In the end I set up OSSEC (http://www.ossec.net) and wrote a rule that
> would monitor for failed SIP registrations. If a few occurred within a
> short space of time the Active Response kicks in and blocks the IP
> address using IPTables.


Same this end from 184.73.17.150.

Use this little piece of iptables magic to block the whole of Amazon's EC2 IP
range.

# -F flushes every existing rule in the filter table's chains first, so any
# rules already in place (e.g. an SSH allow rule) are gone after this line.
iptables -F
# Drop all traffic from each EC2 range. This is a blunt instrument: any
# legitimate SIP peer or trunk hosted on EC2 is blocked along with the attacker.
iptables -A INPUT -m iprange --src-range 216.182.224.0-216.182.239.255 -j DROP
iptables -A INPUT -m iprange --src-range 72.44.32.0-72.44.63.255 -j DROP
iptables -A INPUT -m iprange --src-range 67.202.0.0-67.202.63.255 -j DROP
iptables -A INPUT -m iprange --src-range 75.101.128.0-75.101.255.255 -j DROP
iptables -A INPUT -m iprange --src-range 174.129.0.0-174.129.255.255 -j DROP
iptables -A INPUT -m iprange --src-range 204.236.192.0-204.236.255.255 -j DROP
iptables -A INPUT -m iprange --src-range 184.73.0.0-184.73.255.255 -j DROP
iptables -A INPUT -m iprange --src-range 216.236.128.0-216.236.191.255 -j DROP
iptables -A INPUT -m iprange --src-range 184.72.0.0-184.72.63.255 -j DROP
iptables -A INPUT -m iprange --src-range 79.125.0.0-79.125.127.255 -j DROP
# Persist the ruleset across reboots (the RHEL/CentOS init-script way).
service iptables save

This sorts it out in the short-term until Amazon realise their service is 
being utilised by arseholes.
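As an added example (not OSSEC's rule, nor any poster's code), here is the detection logic UxBoD describes above: count failed SIP registrations per source address over a sliding window of Asterisk chan_sip log lines, then emit a per-address drop rule rather than the whole-provider ranges in the script above. The sample log lines are constructed, and the threshold, window and log year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the style of Asterisk's chan_sip "Registration ... failed"
# NOTICEs; the first source hammers several extensions, the second is one user's typo.
SAMPLE_LOG = """\
[Apr 11 10:05:50] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '184.73.17.150' - Wrong password
[Apr 11 10:05:50] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '184.73.17.150' - No matching peer found
[Apr 11 10:05:51] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '184.73.17.150' - No matching peer found
[Apr 11 10:05:52] NOTICE[2231] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '184.73.17.150' - No matching peer found
[Apr 11 10:06:40] NOTICE[2231] chan_sip.c: Registration from '"alice" <sip:alice@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Apr 11 10:09:15] NOTICE[2231] chan_sip.c: Registration from '"alice" <sip:alice@192.0.2.10>' failed for '198.51.100.7' - Wrong password
"""

# Matches the timestamp and the quoted source address of a failed registration.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from .* failed for '(?P<ip>[\d.]+)'"
)

def parse_ts(ts, year=2010):
    # Asterisk's default log timestamp carries no year; 2010 is assumed for the sample.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_offenders(lines, threshold=3, window_seconds=60):
    """Return {ip: failures} for every source that reached `threshold` failed
    registrations inside any sliding window of `window_seconds`."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed-registration NOTICE
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire failures older than the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = len(q)  # record the count at the moment the threshold was hit
    return flagged

def block_commands(ips):
    """Per-source drop rules, the equivalent of OSSEC's firewall-drop active response;
    far narrower than dropping whole provider ranges."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]
```

Run over the sample, find_offenders flags 184.73.17.150 on its third failure within a minute, while the two mistyped passwords from 198.51.100.7, minutes apart, are left alone.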
