Communications Security

SIP Attacks From Amazon EC2 Going Unaddressed

mjgraves writes "Over the past week a number of IP-PBX systems have been suffering SIP attacks from hosts in the Amazon EC2 cloud. At least a dozen known attacks have been reported to Amazon, which has been surprisingly quiet about the matter. The issue has been well documented by one of the attack victims on his blog. The matter was also discussed on the April 16th issue of the VoIP Users Conference (podcast available at the link; EC2 segment begins around 3:30). Amazon appears to have gone silent on the matter even as the attacks are ongoing. This is completely irresponsible behavior from such a hosting company, which should be acting to take down the attacker in their midst."
  • by rkohutek ( 122839 ) <randal@weberstreet . n et> on Saturday April 17, 2010 @09:52PM (#31884772) Homepage Journal

    This is nothing new. Hosted/PBXs have been getting blown up by dedicated/VPS/cloud/whatever for ages now, all attempting to call farawayistan or $asian_country. Drop at the edge, drop at the edge.

    RK

  • by GaryOlson ( 737642 ) <.gro.nosloyrag. .ta. .todhsals.> on Saturday April 17, 2010 @09:54PM (#31884784) Journal
    I reported a Morpheus scanner running on an EC2 instance last week. I have not received any response from Amazon either. Of course I am not an EC2 customer, so I don't expect any consideration. But, if no response is forthcoming, I expect I won't be shopping at Amazon in the future for more pedestrian needs.
  • by imjustmatthew ( 1164609 ) <<matthew> <at> <royhousehold.net>> on Saturday April 17, 2010 @10:09PM (#31884844) Homepage
    Actually, TFA didn't say exactly, but it sounds like these SIP attacks are brute-force attempts to authenticate and initiate a session. Presumably they want to spam-call numbers on PBX without paying long distance.
  • by Z34107 ( 925136 ) on Saturday April 17, 2010 @10:17PM (#31884874)

    The complainant in the article actually e-mailed and called Amazon several times, and got several less-than-satisfactory responses. Evidently Amazon's solution is "mediation" - you're supposed to talk to the hackers and work something out! They have zero interest in actually shutting them down.

  • by phantomcircuit ( 938963 ) on Saturday April 17, 2010 @10:20PM (#31884892) Homepage

    Basically someone used EC2 to launch dictionary attacks against SIP providers. This could have been done from a data center or even by a botnet. He's just mad that Amazon ignored him.

    This is nothing more than someone trying to improve security through whack-a-mole.

  • by Bigjeff5 ( 1143585 ) on Saturday April 17, 2010 @10:36PM (#31884942)

    SIP = Session Initiation Protocol, it's the protocol that sets up and tears down the session on a VoIP call. After the initial setup, VoIP uses RTP, or Real-time Transmission Protocol to transfer the call data packets, while SIP manages the connection itself (adding callers, changing addresses, adding video, etc).

    SIP is an application layer protocol that sits on top of a transport protocol like TCP or UDP, which sits on top of the IP network layer. If not encrypted (it often isn't), it is vulnerable to everything TCP is, including DoS attacks, man in the middle attacks, packet sniffing, and various hardware related attacks like buffer overflows and such. Even encrypted it is still vulnerable to the hardware related attacks and DoS attacks.

    What you can do with these attacks is the same as what you'd do with TCP attacks: eavesdropping, call re-routing, disconnecting calls, SIP agent impersonation to place new calls, etc.
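
As an added example, not part of any comment in this thread: the REGISTER dictionary attacks phantomcircuit describes and the SIP authentication the posts above explain, seen from the defender's side. The code parses raw SIP requests and flags a source that bursts REGISTERs for many distinct extensions (enumeration) or many attempts against few (password guessing); the parser, thresholds and the sample capture (documentation-range addresses, made-up extensions) are all constructed for illustration.

```python
import re
from collections import defaultdict


def parse_sip_request(raw):
    """(method, {header: value}) for a SIP request line + headers; None for a response or garbage."""
    lines = raw.strip().splitlines()
    start = lines[0].split(" ")
    if len(start) != 3 or start[2] != "SIP/2.0":
        return None
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the headers; ignore any body
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start[0], headers


def flag_register_scans(capture, window=60, max_users=5, max_attempts=20):
    """capture: iterable of (epoch_seconds, src_ip, raw_sip) -> {src_ip: reason}. A source is
    flagged if within `window` seconds it REGISTERs as >= max_users distinct extensions
    (extension enumeration) or sends >= max_attempts REGISTERs (password guessing)."""
    per_ip = defaultdict(list)
    for ts, ip, raw in capture:
        parsed = parse_sip_request(raw)
        if parsed and parsed[0] == "REGISTER":
            m = re.search(r"sip:([^@>;]+)@", parsed[1].get("from", ""))  # user part of From
            if m:
                per_ip[ip].append((ts, m.group(1)))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            burst = [u for t, u in events[i:] if t - t0 <= window]
            users = len(set(burst))
            if users >= max_users or len(burst) >= max_attempts:
                kind = "extension enumeration" if users >= max_users else "password brute force"
                flagged[ip] = "%s: %d REGISTERs for %d users in %ds" % (kind, len(burst), users, window)
                break
    return flagged


def _register(user, domain="pbx.example.net"):  # minimal REGISTER for the constructed sample
    return ("REGISTER sip:%s SIP/2.0\r\nVia: SIP/2.0/UDP 0.0.0.0;branch=z9hG4bKx\r\n"
            "From: <sip:%s@%s>;tag=1\r\nTo: <sip:%s@%s>\r\nCall-ID: c1\r\nCSeq: 1 REGISTER\r\n\r\n"
            % (domain, user, domain, user, domain))


# Constructed capture: one host walks extensions 1000-1005 in 6 s; a real phone registers once.
SAMPLE_CAPTURE = [(t, "198.51.100.7", _register(str(1000 + t))) for t in range(6)]
SAMPLE_CAPTURE.append((30, "192.0.2.10", _register("201")))
```

Running `flag_register_scans(SAMPLE_CAPTURE)` flags only 198.51.100.7; the legitimate single registration from 192.0.2.10 stays below both thresholds.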

  • by Bigjeff5 ( 1143585 ) on Saturday April 17, 2010 @10:39PM (#31884958)

    An IP-PBX system is a PBX system on an IP network. ;)

    A PBX is a call center through which all phone calls for a specific area are routed - like a building or a telco's service area. It stands for Private Branch Exchange.

  • Re:Lazy? (Score:3, Informative)

    by kobaz ( 107760 ) on Saturday April 17, 2010 @11:23PM (#31885082)

    Well, the story has the assumption that the attacks are coming from EC2. If they are indeed coming from EC2, then Amazon could find the source.

    But if the source is outside of Amazon, with spoofed source addresses of EC2 instances that have nothing to do with the attacks... then well... that's another issue.

  • by JWSmythe ( 446288 ) <jwsmytheNO@SPAMjwsmythe.com> on Saturday April 17, 2010 @11:34PM (#31885104) Homepage Journal

        I can understand (to a degree) when a problem isn't directly addressed back. Sure, you detected it, and it's perfectly possible 10,000 other people reported the same thing.

        Knowing a little about the business, and not having enough information from you, it may be possible that the destinations that you referenced had absolutely nothing to do with it. If the destination is an affiliate sales company (i.e., affiliates make a percentage of the sale that they sent), you may have simply bounced through a page that passed on their affiliate code and never noticed it.

        http://hotchick.spammer/ [hotchick.spammer] redirects to http://some.cam.site?id=9999 [cam.site] which then redirects to http://some.cam.site/ [cam.site] . Some affiliate companies take that seriously, and will forbid any sales revenue from going to that affiliate. Then again, plenty see it as "not their problem" and enjoy the extra profits where they weren't directly involved in the illegal activities.

        I've seen it where site X gets spammed for, which has links to Site Y, which then has the affiliate code for site Z. Go ahead and complain to Z, it won't do you a lot of good. It will do even less if site Z is responsible for over a million per year in revenue for their provider. If it's some schmuck with a $20/yr account, it'd probably be gone in minutes.

        If I was at some large hosting company, it'd be perfectly possible to get tens (or hundreds) of thousands of complaints like yours daily. Is it worth tracking those to resolution and getting back directly to every complainer, or simply adding your complaint to the list? Ok, I would, but most won't.

        I've been on the receiving end of complaints in the past. Most of the time, the complaints were misdirected anyways. "I got a spam". Sure you did. When it's reviewed, it's simply an email stating that their membership was expiring and if they wanted to continue service they should renew. Of hundreds of thousands of those sent, they'd generate maybe a few dozen complaints like that. Sometimes they were a hosted site where a newbie webmaster had put some mailto.cgi up, and folks were spamming through it. The upstream provider would send an email saying "We've received a bunch of these", and following them through we'd find the problem, and simply reply "It's been corrected". Corrected for us meant the cgi was disabled (like chmod 000) with an email to the webmaster about how not to be a dumbass.

        Looking at the "upstream provider" web site, it looks like they're just reselling someone else's services. I could be mistaken, but I've never heard of them, and couldn't find much interesting online.


  • by LostCluster ( 625375 ) * on Sunday April 18, 2010 @12:34AM (#31885342)

    So, by definition, a SIP attack is a use of the protocol in an unauthorized way (trying to simulate an incoming call that doesn't exist, or trying to authenticate as an account that doesn't belong to you...) and even though there's no known theft of service yet, it still interferes with the legit users.

  • Re:Lazy? (Score:5, Informative)

    by amorsen ( 7485 ) <benny+slashdot@amorsen.dk> on Sunday April 18, 2010 @02:11AM (#31885584)

    At least one attack came from Amazon. I reported it, and Amazon has confirmed that it was their customer. The packets weren't spoofed, no attempt was made to hide their origin.

  • Reporting is useless (Score:2, Informative)

    by GPLHost-Thomas ( 1330431 ) on Sunday April 18, 2010 @03:19AM (#31885736)
    As a web host, like every other company of this type, we had our bunch of hackers getting in (credit card and PayPal account fraudsters/scammers mostly). As we record each IP used to register and systematically check what has been written in the registration form, many times we have seen hackers registering with a proxy on another host. Each time we see this behavior, we get in touch with our peer to let them know that we believe they've been hacked, and which IP (together with a timestamp) to investigate.

    Very few times have we received such a report. Very few times have we received an answer from the hosts we warned. I believe that we also sent such an email at least once to Amazon and didn't get an answer.

    I've come to the conclusion that, unfortunately, it is useless to do reporting (even though we will still continue to do so, as this is a matter of ethics as well). It has been YEARS like this, and governments don't seem to care anyway.
