SIP Attacks From Amazon EC2 Going Unaddressed 104
mjgraves writes "Over the past week a number of IP-PBX systems have been suffering SIP attacks from hosts in the Amazon EC2 cloud. At least a dozen known attacks have been reported to Amazon, which has been surprisingly quiet about the matter. The issue has been well documented by one of the attack victims on his blog. The matter was also discussed on the April 16th issue of the VoIP Users Conference (podcast available at the link; EC2 segment begins around 3:30). Amazon appears to have gone silent on the matter even as the attacks are ongoing. This is completely irresponsible behavior from a such a hosting company, which should be acting to take down the attacker in their midst."
Re:Lazy? (Score:5, Insightful)
You would think it would be pretty easily for Amazon to find and shut down the attackers... why haven't they done so already?
Perhaps because the UDP source addresses are spoofed, and the goal of the attack is to trick AWS into shutting down legitimate paying customers' businesses?
benefit of the doubt, for now... (Score:3, Insightful)
Had I been hearing of lots of this sort of thing, I'd be less interested in giving them the benefit of the doubt. Since I haven't, I'd like to point out that often the type of behavior that Amazon is displaying right now is due to them working with law enforcement to catch the person...versus just shutting down the instances.
Re:What is an SIP attack? (Score:2, Insightful)
When did slashdot stop being news for the nerds?
Re:Lazy? (Score:2, Insightful)
Ah... so it might not be a "violation"? Their average customer has a legitimate reason for their EC2 VM to be sending a SIP packets to 2000 new IPs every minute, and 100000 distinct IP addresses every hour?
Re:Lazy? (Score:3, Insightful)
This is basically like an ISP arguing they are not responsible for spam sent by their downstream customers they provide internet connectivity to.
The IP addresses belong to the ISP, so they are ultimately responsible for handling any report of abuse in terms of network traffic from those IPs.
If the ISP does nothing, the IPs will eventually get blacklisted, and most blacklists will make the blacklist entry larger and larger until the ISP responds... e.g. start with blacklisting just that IP, then if it continues, blacklist the entire /24, then if it continues, blacklist that entire RIR registered IP block.
As last step... blacklist the entire AS number.
Amazon EC2 is in the same situation here. If they don't respond to serious abuse complaints like this, transit providers are going to start blackholing EC2 IPs at their border.
Eventually, this could make EC2 useless....
Re:Doesn't surprise me. (Score:3, Insightful)
Well, what's actually happening is spambots over MSN. If you tell it anything long enough (it can be "fuck you" or whatever you like), it'll tell you to "see me on cam" at a site. I set up a script to get the bots to give the link (since they all use the same one, that was relatively simple), and then tracerouted the site they were advertising.
Ultimately, the site being advertised is the one responsible, in my opinion, and their host should hold them responsible. They're either directly encouraging people to spam, or at the very least running "affiliate" programs in such a manner that people are encouraged to do so and do not face consequences.
I don't think that I made a mistake as to where the hosting was, since I used the exact link the bot gives, but anything's possible. They never denied it's theirs, though.
Thanks for the insight into the situation, though-I've never myself been on the other end of that. When you get 10-30 IM spams a day, though, it sure gets frustrating pretty damn quickly, especially since I can't just ignore IM-if it is something important, I've got to respond to it.
Re:Morpheus attacks from EC2 also (Score:5, Insightful)
Bezos is a smart businessman, and as such most of his properties are separate corporations that are friends of Amazon, but maintain the ability to go bankrupt if they go wrong without bankrupting Amazon.com. Such a warrant might get the attention of EC2... but there's no way it'd stretch all the way to Amazon.com unless there was some proof of a shared resource being involved.
Re:De-Peer (Score:3, Insightful)
Everybody running an IP-PBX could also just block the entire EC2 IP ranges too. It would be freakin hilarious if Spamhaus, Spamcop, or DenyHosts added their IP ranges. That would get some activity over at Amazon pretty gosh darn quick.
However, in all seriousness, there is a better and easier solution for SIP security.
1) Just block absolutely everybody and have a whitelist on what SIP packets can make it in. Add your VOIP providers and just open up RTP. If you have phones connecting over the Internet, and not VPN, then make the whitelist dynamic. Most phones these days can be set to do HTTPS retrieval of configuration files, and the really kick ass ones do HTTPS GET on certain actions including startup and SIP registration. Whenever you get an authenticated request add that public IP to the whitelist and keep it for 24 hours.
2) Use SRTP & HTTPS to secure your traffic, exchange configuration files, and push/respond XML documents over the Internet.
3) For SIP peers/friends/users don't use the extension or MAC address for authentication. Completely unneccessary and weak on security. I have watched countless brute force attacks walk the extensions up from 1000. They can't begin to brute force the password, if they can't even find the right user name. Mine are 10 digit alphanumeric followed by the extension. Realllllly easy to handle with a dialplan too. A simple macro allows users to dial from extension to extension with the numbers they are used to, but hell on SIP hackers. Makes multi-company stuff a snap too.
4) What's with the 4-6 character passwords, or WORSE, the user name BEING the password? I guess that might be fine in a local network environment where there is a strong physical security presence, but there really is no reason for SIP passwords to NOT be 20 characters or randomly generated alphanumeric. Just lazy.
1-4 result in a system considerably harder to hack. It sure as heck won't be some scripted bot that takes it over, but a very determined and resourceful hacker.
I realize this does not account for anonymous SIP calling over the Internet using ENUM, but uhh... that is retarded anyways. Well not retarded exactly, just extremely optimistic about the benevolent nature of all mankind. Like an extremely smart 4 year girl who also dreams of having a Unicorn thought about how wonderful it would be for a universal white pages where communication, location, and routing instructions were provided for everyone.
I'm sure that exists in Star Trek where somebody's ENUM instructed them to route a subspace call to the Enterprise to Holodeck 5, but here on Earth it would be used to route some telemarketer from the Philippines to my cell phone to sell me gas cards or some wonderful product for $4 shipping and a $600 debit on my debit card to follow in 10 days....
If we really want something like that then it needs to be secured so only authorized people can decrypt your ENUM and a secure communication request would have to be sent and acknowledged, before any attempts at SIP could start, aka, layered security.
SIP had security and NAT as an afterthought unfortunately.
Re:Morpheus attacks from EC2 also (Score:3, Insightful)
Because everyone knows the state attorney general is always eager to royally piss off the huge, multinational corporation with an army of lawyers who is headquartered in his state and contributes a massive amount of tax revenue and jobs to the local economy. Especially when the accusation comes from some people off the internet who aren't even in his jurisdiction and he is completely unqualified to even understand the nature of the attacks beyond "bad people doing bad things according to this guy....on the internet". If its not child porn or drugs, or can make a big flashy headline, they aren't interested. And the actual data centers where the actual evidence might be are probably spread all over the world.