- Original Message -
Randy-
On Wed, Apr 21, 2010 at 5:33 PM, Steve Murphy m...@parsetree.com
wrote:
Assuming that every such spamming/hacking/attack site is funded on
a stolen identity/CC number, it will soon sink into Amazon that
they are
getting a bad rep, and losing money
On Sat, May 1, 2010 at 4:49 PM, --[ UxBoD ]-- ux...@splatnix.net wrote:
Slammed again last night by a A-WS server; see if anything comes back from
their abuse department!
FWIW, I chose another provider for our most recent customer who needed
cloud hosting, only because of the EC2 flood
Amazon is pretty clever! Ever seen V on TV?
Amazon talks a pretty good game out of one side of their PR
mouthpiece, but as a few of you note above, they abuse words like
quickly and temper everything with when Amazon determines.
This is a PR damage control statement. It means they are hearing
On Tue, 20 Apr 2010, Frank Bulk wrote:
Please take note of their posting:
https://aws.amazon.com/security/
which discusses the issue and what they're doing to improve response.
And is anyone on the list worthy of being considered a significant SIP
provider to be honoured with the
On Apr 21, 2010, at 4:50 AM, Gordon Henderson wrote:
On Tue, 20 Apr 2010, Frank Bulk wrote:
Please take note of their posting:
https://aws.amazon.com/security/
which discusses the issue and what they're doing to improve response.
And is anyone on the list worthy of being considered
On Wed, Apr 21, 2010 at 2:55 PM, Fred Posner f...@teamforrest.com wrote:
On Apr 21, 2010, at 4:50 AM, Gordon Henderson wrote:
On Tue, 20 Apr 2010, Frank Bulk wrote:
Please take note of their posting:
https://aws.amazon.com/security/
which discusses the issue and what they're doing to
Randy R wrote:
On Wed, Apr 21, 2010 at 2:55 PM, Fred Posner f...@teamforrest.com
wrote:
On Apr 21, 2010, at 4:50 AM, Gordon Henderson wrote:
On Tue, 20 Apr 2010, Frank Bulk wrote:
Please take note of their posting:
On Wed, Apr 21, 2010 at 9:23 AM, Stuart Sheldon s...@actusa.net wrote:
Randy R wrote:
On Wed, Apr 21, 2010 at 2:55 PM, Fred Posner f...@teamforrest.com
wrote:
On Apr 21, 2010, at 4:50 AM, Gordon Henderson wrote:
On Tue, 20 Apr 2010,
On Wed, Apr 21, 2010 at 5:33 PM, Steve Murphy m...@parsetree.com wrote:
Assuming that every such spamming/hacking/attack site is funded on a
stolen identity/CC number, it will soon sink into Amazon that they are
getting a bad rep, and losing money on such problems, as all such charges
are
Randy-
On Wed, Apr 21, 2010 at 5:33 PM, Steve Murphy m...@parsetree.com wrote:
Assuming that every such spamming/hacking/attack site is funded on a
stolen identity/CC number, it will soon sink into Amazon that they are
getting a bad rep, and losing money on such problems, as all such charges
Posner
Sent: Tuesday, April 13, 2010 3:41 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Being attacked by an Amazon EC2 ...
On Apr 13, 2010, at 4:22 PM, Randy R wrote:
On Tue, Apr 13, 2010 at 8:25 PM, Steve Murphy m...@parsetree.com wrote:
Hmmm
On Apr 20, 2010, at 6:18 PM, Frank Bulk wrote:
Please take note of their posting:
https://aws.amazon.com/security/
which discusses the issue and what they're doing to improve response.
Frank
If only they wrote the truth...
When we find misuse, we take action quickly and shut it
Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Fred Posner
Sent: Tuesday, April 20, 2010 6:47 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Being attacked by an Amazon EC2
On Apr 20, 2010, at 5:18 PM, Frank Bulk wrote:
Please take note of their posting:
https://aws.amazon.com/security/
which discusses the issue and what they're doing to improve response.
This is an incredibly lame post on their part. They go out of their way to
point out there was
I worked with Project Honeypot guys for a while, they are more than
willing to assist, as they already have the backend work done for a
clearing house identifying hackers. The biggest issue we had a year
ago was to create the mechanism in asterisk to push valid log messages
out to the
On Mon, Apr 12, 2010 at 7:17 PM, Darrick Hartman
dhart...@djhsolutions.com wrote:
That only addresses EC2 (and assumes that Amazon has any interest in
protecting their reputation). What about attacks that come from other
locations? Granted it's pretty easy to buy time on an EC2 server so
Think we need some solution WITHIN the Asterisk core. Roderick A. suggested
something that looks nice using iptables, some others have pointed out using
RBL or fail2ban, but the best would be to have some generic solution not
dependent on third party programs.
I'm not aware of the asterisk.dev
On Tue, Apr 13, 2010 at 08:27:11AM +0200, Randy R wrote:
On Mon, Apr 12, 2010 at 7:17 PM, Darrick Hartman
dhart...@djhsolutions.com wrote:
That only addresses EC2 (and assumes that Amazon has any interest in
protecting their reputation). What about attacks that come from other
locations?
On Mon, Apr 12, 2010 at 04:58:42PM -0500, JR Richardson wrote:
Perhaps if there was a Asterisk RBL we could all contribute to; for
which we could then hook into and drop any connection where a
source IP is listed ? -- Thanks, Phil
I love the idea of a RBL... count me in for
- Original Message -
Think we need some solution WITHIN the Asterisk core. Roderick A.
suggested something that looks nice using iptables, some others have
pointed out using RBL or fail2ban, but the best would be to have some
generic solution not dependent on third party programs.
On Tue, 13 Apr 2010, Alyed wrote:
Think we need some solution WITHIN the Asterisk core. Roderick A. suggested
something that looks nice using iptables, some others have pointed out using
RBL or fail2ban, but the best would be to have some generic solution not
dependent on third party
- Original Message -
On Tue, 13 Apr 2010, Alyed wrote:
Think we need some solution WITHIN the Asterisk core. Roderick A.
suggested something that looks nice using iptables, some others have
pointed out using
RBL or fail2ban, but the best would be to have some generic solution
Am 13.04.2010 10:47, schrieb Gordon Henderson:
I'd strongly disagree with this. (And I was the OP of this thread and had
my home/office network connection taken down due to it)
But then, I'm an old worldy Unix sysadmin and the philosophy of having a
program do one thing well is still etched
On Tue, 2010-04-13 at 09:47 +0100, Gordon Henderson wrote:
On Tue, 13 Apr 2010, Alyed wrote:
Think we need some solution WITHIN the Asterisk core. Roderick A. suggested
something that looks nice using iptables, some others have pointed out using
RBL or fail2ban, but the best would be to
Hi!
Any additional security within * is fine, but if someone is simply
drowning your bandwidth, action must be taken at a lower level.
Otherwise you end up re-inventing the wheel for D.o.s. attacks for voip,
mail, ssh, ldap, http, rsync, (or any other service you might be running)
However, I
On Apr 13, 2010, at 8:04 AM, Hans Witvliet wrote:
On Tue, 2010-04-13 at 09:47 +0100, Gordon Henderson wrote:
On Tue, 13 Apr 2010, Alyed wrote:
Think we need some solution WITHIN the Asterisk core. Roderick A. suggested
something that looks nice using iptables, some others have pointed out
Speaking of all these attacks, are there any good web managed security
monitor tools for CentOS out there that can be installed on the system so
that it can give us a visual of let's multiple failed attempts against SSH
or HTTPd?
Something nice that is simple and doesn't eat a lot of resources and
On Tue, 2010-04-13 at 15:49 +0200, Philipp von Klitzing wrote:
Hi!
Any additional security within * is fine, but if someone is simply
drowning your bandwidth, action must be taken at a lower level.
Otherwise you end up re-inventing the wheel for D.o.s. attacks for voip,
mail, ssh, ldap,
- Original Message -
Speaking of all these attacks, are there any good web managed security
monitor tools for CentOS out there that can be installed on the system
so that it can give us a visual of let's multiple failed attempts
against SSH or HTTPd?
Something nice that is simple
Cool. I am just looking over splunk. Isn't that enough by its own? or is
OSSEC needed to give it raw data? I think these two will take quite some
time to understand. Anything simpler out there as well?
Thanks,
Bruce
On Tue, Apr 13, 2010 at 10:42 AM, --[ UxBoD ]-- ux...@splatnix.net wrote:
- Original Message -
Cool. I am just looking over splunk. Isn't that enough by its own? or
is OSSEC needed to give it raw data? I think these two will take quite
some time to understand. Anything simpler out there as well?
Thanks,
Bruce
On Tue, Apr 13, 2010 at 10:42 AM, --[
On Tue, Apr 13, 2010 at 04:32:58PM +0200, Hans Witvliet wrote:
On Tue, 2010-04-13 at 15:49 +0200, Philipp von Klitzing wrote:
Hi!
Any additional security within * is fine, but if someone is simply
drowning your bandwidth, action must be taken at a lower level.
Otherwise you end up
Hmmm. It would seem that it would be to Amazon's advantage to jump on this
problem,
because the accounts that are performing this activity are most likely
purchased with
stolen identities, and sooner or later the charges are going to get
reversed. Either the
credit card companies are going to
On Tue, Apr 13, 2010 at 8:25 PM, Steve Murphy m...@parsetree.com wrote:
Hmmm. It would seem that it would be to Amazon's advantage to jump on this
problem,
I am pushing for this, please everyone who is suffering from this
problem, submit it or write to complain to Amazon and post the message
On Apr 13, 2010, at 4:22 PM, Randy R wrote:
On Tue, Apr 13, 2010 at 8:25 PM, Steve Murphy m...@parsetree.com wrote:
Hmmm. It would seem that it would be to Amazon's advantage to jump on this
problem,
I am pushing for this, please everyone who is suffering from this
problem, submit it or
On Apr 12, 2010, at 9:12 AM, --[ UxBoD ]-- wrote:
Perhaps if there was a Asterisk RBL we could all contribute to; for which we
could then hook into and drop any connection where a source IP is listed ?
--
Thanks, Phil
I love the idea of a RBL... count me in for contributing.
- Original Message -
Am 11.04.2010 17:05, schrieb Mark Smith:
Same this end from 184.73.17.150.
Use this little piece of iptables magic to block the whole of
Amazon's EC2 ip-range.
iptables -F
iptables -A INPUT -m iprange --src-range 216.182.224.0-216.182.239.255 -j DROP
I got the same generic response, asking me to submit the same info which I
had already submitted. This clearly shows they are not interested in tracing
just another hacker on their cloud.
Zeeshan A Zakaria
--
Sent from my Android phone with K-9 Mail.
On 2010-04-12 9:24 AM, Fred Posner
If RBL or something is practical, I'm in too. But at what level these
hackers will be blocked? Unless some big ISPs cooperate, it is not much of
use.
Zeeshan A Zakaria
--
Sent from my Android phone with K-9 Mail.
On 2010-04-12 9:24 AM, Fred Posner f...@teamforrest.com wrote:
On Apr 12, 2010,
On Apr 12, 2010, at 8:17 AM, Fred Posner wrote:
On Apr 12, 2010, at 9:12 AM, --[ UxBoD ]-- wrote:
Perhaps if there was a Asterisk RBL we could all contribute to; for which we
could then hook into and drop any connection where a source IP is listed ?
--
Thanks, Phil
I love the
On Mon, Apr 12, 2010 at 3:52 PM, Zeeshan Zakaria zisha...@gmail.com wrote:
If RBL or something is practical, I'm in too. But at what level these
hackers will be blocked? Unless some big ISPs cooperate, it is not much of
use.
I've been following this with much interest. I don't see RBL (which I
Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Being attacked by an Amazon EC2 ...
On Apr 12, 2010, at 8:17 AM, Fred Posner wrote:
On Apr 12, 2010, at 9:12 AM, --[ UxBoD ]-- wrote:
Perhaps if there was a Asterisk RBL we could all contribute to; for which
we could
Good article - might solve our problems for now:
http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood
He got the bots to stop by writing a ruby script that responds back to them
with a SIP 200 OK.
I'm going give it a go when I'm back home...
Cheers,
Tom
--
On 12 Apr 2010, at 17:30, Tom Stordy-Allison wrote:
Good article - might solve our problems for now:
http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood
He got the bots to stop by writing a ruby script that responds back to them
with a SIP 200 OK.
I'm going give it a
On 04/12/2010 08:17 AM, Fred Posner wrote:
On Apr 12, 2010, at 9:12 AM, --[ UxBoD ]-- wrote:
Perhaps if there was a Asterisk RBL we could all contribute to; for
which we could then hook into and drop any connection where a
source IP is listed ? -- Thanks, Phil
I love the idea of a
On Mon, Apr 12, 2010 at 6:51 PM, Darrick Hartman
dhart...@djhsolutions.com wrote:
I don't think anyone else brought up the Spamhaus DROP project. It's a
blacklist of IP addresses and address ranges which are known to ONLY be
used for malicious purposes.
http://www.spamhaus.org/drop/
On Apr 12, 2010, at 1:05 PM, Randy R wrote:
On Mon, Apr 12, 2010 at 6:51 PM, Darrick Hartman
dhart...@djhsolutions.com wrote:
I don't think anyone else brought up the Spamhaus DROP project. It's a
blacklist of IP addresses and address ranges which are known to ONLY be
used for malicious
On 04/12/2010 12:05 PM, Randy R wrote:
On Mon, Apr 12, 2010 at 6:51 PM, Darrick Hartman
dhart...@djhsolutions.com wrote:
I don't think anyone else brought up the Spamhaus DROP project. It's a
blacklist of IP addresses and address ranges which are known to ONLY be
used for malicious
- Original Message -
On 04/12/2010 12:05 PM, Randy R wrote:
On Mon, Apr 12, 2010 at 6:51 PM, Darrick Hartman
dhart...@djhsolutions.com wrote:
I don't think anyone else brought up the Spamhaus DROP project.
It's a
blacklist of IP addresses and address ranges which are known to
Darrick Hartman wrote:
On 04/12/2010 12:05 PM, Randy R wrote:
On Mon, Apr 12, 2010 at 6:51 PM, Darrick Hartman
dhart...@djhsolutions.com wrote:
<snip />
Randy,
That only addresses EC2 (and assumes that Amazon has any interest in
protecting their reputation). What about attacks that come
Perhaps if there was a Asterisk RBL we could all contribute to; for
which we could then hook into and drop any connection where a
source IP is listed ? -- Thanks, Phil
I love the idea of a RBL... count me in for contributing.
Especially considering the ridiculous response I received from
On Sat, 10 Apr 2010 22:34:28 +0100 (BST), Gordon Henderson
gordon+aster...@drogon.net wrote:
Just a heads-up ... my home asterisk server is being flooded by someone
from IP 184.73.17.150 which is an Amazon EC2 instance by the looks of it -
they're trying to send SIP subscribes to one account -
On Sun, 11 Apr 2010, David Quinton wrote:
On Sat, 10 Apr 2010 22:34:28 +0100 (BST), Gordon Henderson
gordon+aster...@drogon.net wrote:
Just a heads-up ... my home asterisk server is being flooded by someone
from IP 184.73.17.150 which is an Amazon EC2 instance by the looks of it -
they're
On Sun, 11 Apr 2010 08:09:02 +0100 (BST), Gordon Henderson
gordon+aster...@drogon.net wrote:
Look what they did to my latency, Gordon:-
http://f8lure.mouselike.org/archived_graphs/westek.bizorg.co.uk_day10.png
Oddly enough my latency wasn't being affected at all - however what I was
seeing
- Original Message -
On Sun, 11 Apr 2010, David Quinton wrote:
On Sat, 10 Apr 2010 22:34:28 +0100 (BST), Gordon Henderson
gordon+aster...@drogon.net wrote:
Just a heads-up ... my home asterisk server is being flooded by
someone from IP 184.73.17.150 which is an Amazon EC2
Gordon Henderson a écrit :
Just a heads-up ... my home asterisk server is being flooded by someone
from IP 184.73.17.150 which is an Amazon EC2 instance by the looks of it -
they're trying to send SIP subscribes to one account - and they're
flooding the requests in - it's averaging some
On Sun, 11 Apr 2010, --[ UxBoD ]-- wrote:
In the end I set up OSSEC (http://www.ossec.net) and wrote a rule that
would monitor for failed SIP registrations. If a few occurred within a
short space of time the Active Response kicks in and blocks the IP
address using IPTables. -- Thanks, Phil
My experience is that as long as the hackers are getting any kind of
response from your server, they'll keep their attack on, in a hope that
they'll get into your system sooner or later. After all it is just some
computers doing the work for them, no human is physically getting tired here.
This is
On Sun, 11 Apr 2010, Zeeshan Zakaria wrote:
My experience is that as long as the hackers are getting any kind of
response from your server, they'll keep their attack on, in a hope that
they'll get into your system sooner or later. After all it is just some
computers doing the work for them,
Hello to everyone!
Same here (Vienna, Austria).
I had this attack yesterday 6am (local time) from IP 216.105.128.63
whois 216.105.128.63 returns:
OrgName:Globalvision
OrgID: ACSIN-3
Address:78 Global Drive
Address:Suite 101
City: Greenville
StateProv: SC
PostalCode:
Hi!
My phones (SNOMs) all are on the same LAN within a 192.168.X.X address
range. I wonder if everything would become a little bit more secure if
define them with host=192.168.X.X in sip.conf instead of
host=dynamic. I tried it as a quick shot but it didn't work as they
still try to register.
I don't know if there is a tool to sniff passwords, but did you check in
/var/log/asterisk/full? Maybe wireshark can be used for this purpose, but
it'll be not that straight forward.
Interestingly I checked log of my server and found out that I was also under
attack yesterday by an Amazon cloud
On Apr 11, 2010, at 10:06 AM, Zeeshan Zakaria wrote:
I don't know if there is a tool to sniff passwords, but did you check in
/var/log/asterisk/full? Maybe wireshark can be used for this purpose, but
it'll be not that straight forward.
Interestingly I checked log of my server and found
--[ UxBoD ]-- uxbod at splatnix.net writes:
- Original Message -
On Sun, 11 Apr 2010, David Quinton wrote:
On Sat, 10 Apr 2010 22:34:28 +0100 (BST), Gordon Henderson
gordon+asterisk at drogon.net wrote:
Just a heads-up ... my home asterisk server is being flooded by
It's a good idea to set up Fail2ban, instructions for which are on
voip-info.org. It at least blocks such IP addresses, hopefully prompting the
attackers to move their attack somewhere else and leave you alone.
I personally use Fail2ban, it works but won't keep you from flooding your line.
My
I always report at least. This is still better than not bringing it to their
attention. I once worked in the NOC of a big data centre of a major ISP, and
we often get calls regarding IPs from our data centers involved in spams and
hacks, but unless there were a number of complaints, nobody had
Am 11.04.2010 17:05, schrieb Mark Smith:
Same this end from 184.73.17.150.
Use this little piece of iptables magic to block the whole of Amazon's EC2
ip-range.
iptables -F
iptables -A INPUT -m iprange --src-range 216.182.224.0-216.182.239.255 -j DROP
iptables -A INPUT -m iprange
-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Norbert Zawodsky
Sent: 11 April 2010 20:57
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Being attacked by an Amazon EC2 ...
Am 11.04.2010 17:05, schrieb Mark Smith:
Same this end from
Norbert Zawodsky norbert at zawodsky.at writes:
Am 11.04.2010 17:05, schrieb Mark Smith:
Same this end from 184.73.17.150.
Use this little piece of iptables magic to block the whole of Amazon's EC2
ip-range.
iptables -F
iptables -A INPUT -m iprange --src-range
FWIW, we're seeing similar attacks. The below is what I posted on NANOG
earlier, which summarizes Amazon's stellar abuse response. I've also received
an off-list e-mail from someone who was getting hit with 6Gbps of traffic from
them (and was not able to reach anyone there either).
Time to
the
requests as below.
Cheers,
Tom
-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Norbert Zawodsky
Sent: 11 April 2010 20:57
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Being
...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Stuart Sheldon
Sent: 11 April 2010 21:17
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Being attacked by an Amazon EC2 ...
We reported
On Apr 11, 2010, at 4:06 PM, Tom Stordy-Allison wrote:
Hi,
This is exactly what I've just joined this mailing list about.
Has anyone has any luck getting Amazon to stop the instances? I'm stuck with
around 700Kbps of my 2.5Mbps inbound in use as my firewall blocks the
requests as
On Sun, 11 Apr 2010, Mark Smith wrote:
Same this end from 184.73.17.150.
Use this little piece of iptables magic to block the whole of Amazon's EC2
ip-range.
iptables -F
iptables -A INPUT -m iprange --src-range 216.182.224.0-216.182.239.255 -j DROP
iptables -A INPUT -m iprange
Just a heads-up ... my home asterisk server is being flooded by someone
from IP 184.73.17.150 which is an Amazon EC2 instance by the looks of it -
they're trying to send SIP subscribes to one account - and they're
flooding the requests in - it's averaging some 600Kbits/sec of incoming
UDP
It's a good idea to set up Fail2ban, instructions for which are on
voip-info.org. It at least blocks such IP addresses, hopefully prompting the
attackers to move their attack somewhere else and leave you alone.
Another good idea is to lookup in whois database this IP address and see if
you can
76 matches