[asterisk-users] Amazon EC2 SIP floods - you can help

2010-04-18 Thread Randy R
Hi,

We all know most people are reporting that Amazon hasn't been helpful
at all. A few people say they've received answers, but most are
getting smoke screen PR BS.

You can vote this up on Slashdot, send the message: SIP Attacks From
Amazon EC2 Going Unaddressed: http://bit.ly/bOkNNx

Send this message out to Amazon, I am positive that once it reaches
the right person, they will do the right thing. The more places you
send links to, the more likely it is that someone will wake up. We are
a minority, unlike Toyota or airline customers. We need to yell
louder.

If you are on any social networks at all, Facebook, Twitter, LinkedIn
or vertical networks that are visible on Google, please consider
posting at least a line about the lack of Amazon cooperation or a link
to one of the many articles about this issue. If nothing is done, all
cloud providers will do nothing and it'll become a bigger nightmare.
If Amazon sets the standard for cooperation, the others will likely
need to follow.

Be sure to include Amazon EC2 once or more in any message you send,
as this is what makes it rise to the top. The EC2 robot on Twitter is
even stupidly repeating all the complaints :)

There's a VUC discussion you can listen to on your commute to work:
http://vuc.li/9n7Qxl

/r

-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] Amazon EC2 SIP floods - you can help

2010-04-18 Thread Tzafrir Cohen
On Sun, Apr 18, 2010 at 12:10:32PM +0200, Randy R wrote:
> Hi,
>
> We all know most people are reporting that Amazon hasn't been helpful
> at all. A few people say they've received answers, but most are
> getting smoke screen PR BS.
>
> You can vote this up on Slashdot, send the message: SIP Attacks From
> Amazon EC2 Going Unaddressed: http://bit.ly/bOkNNx

It seems that at least Slashdot is responsive:

http://it.slashdot.org/story/10/04/17/2059256/SIP-Attacks-From-Amazon-EC2-Going-Unaddressed

-- 
   Tzafrir Cohen
icq#16849755  jabber:tzafrir.co...@xorcom.com
+972-50-7952406   mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com  iax:gu...@local.xorcom.com/tzafrir



Re: [asterisk-users] Amazon EC2 SIP floods - you can help

2010-04-18 Thread Fred Posner


Tzafrir Cohen tzafrir.co...@xorcom.com wrote:

On Sun, Apr 18, 2010 at 12:10:32PM +0200, Randy R wrote:
> Hi,
>
> We all know most people are reporting that Amazon hasn't been helpful
> at all. A few people say they've received answers, but most are
> getting smoke screen PR BS.
>
> You can vote this up on Slashdot, send the message: SIP Attacks From
> Amazon EC2 Going Unaddressed: http://bit.ly/bOkNNx

It seems that at least Slashdot is responsive:

http://it.slashdot.org/story/10/04/17/2059256/SIP-Attacks-From-Amazon-EC2-Going-Unaddressed

-- 
   Tzafrir Cohen
icq#16849755  jabber:tzafrir.co...@xorcom.com
+972-50-7952406   mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com  iax:gu...@local.xorcom.com/tzafrir



Re: [asterisk-users] Amazon EC2 SIP floods - you can help

2010-04-18 Thread Randy R
On Sun, Apr 18, 2010 at 1:56 PM, Tzafrir Cohen tzafrir.co...@xorcom.com wrote:
> It seems that at least Slashdot is responsive:
>
> http://it.slashdot.org/story/10/04/17/2059256/SIP-Attacks-From-Amazon-EC2-Going-Unaddressed

Yes, there's a lot of talk here, some of it sympathetic, some less so,
but at least there's discussion. I expect a response from Amazon at
some point, but not until the visibility level becomes painful. One
other person in the Slashdot posts threatens to stop buying things
from Amazon. More of those will likely surface.

In a related question, if the IP addresses were spoofed, how could a
response be directed back? Don't the register attempts, because they
need a response, necessarily carry the correct source IP?

/r



Re: [asterisk-users] Amazon EC2 SIP floods - you can help

2010-04-18 Thread Stuart Sheldon

Randy R wrote:
> On Sun, Apr 18, 2010 at 1:56 PM, Tzafrir Cohen tzafrir.co...@xorcom.com wrote:
>> It seems that at least Slashdot is responsive:
>>
>> http://it.slashdot.org/story/10/04/17/2059256/SIP-Attacks-From-Amazon-EC2-Going-Unaddressed
>
> Yes, there's a lot of talk here, some of it sympathetic, some less so,
> but at least there's discussion. I expect a response from Amazon at
> some point, but not until the visibility level becomes painful. One
> other person in the Slashdot posts threatens to stop buying things
> from Amazon. More of those will likely surface.
>
> In a related question, if the IP addresses were spoofed, how could a
> response be directed back? Don't the register attempts, because they
> need a response, necessarily carry the correct source IP?
>
> /r
 

Yes,

If the IP addresses were spoofed, it would be simply a DoS attack.

Stu



Re: [asterisk-users] Amazon EC2 SIP floods - you can help

2010-04-18 Thread Randy R
On Sun, Apr 18, 2010 at 5:38 PM, Stuart Sheldon s...@actusa.net wrote:
>> In a related question, if the IP addresses were spoofed, how could a
>> response be directed back? Don't the register attempts, because they

> If the IP addresses were spoofed, it would be simply a DoS attack.

This is what I thought, so when people say yeah, but they could be
spoofed this isn't a valid argument.

A huge number of requests going to your server with an originating EC2
IP needs to be shut down first, questions asked after.

Only Amazon can fix this. They have not only the IP info but also full
customer data, including banking info.

What possible excuse can they provide? Is this why they are silent?
There's no good excuse other than, it would cut into our profits.

Maybe we could get GigaOm interested or some other high-visibility blog.

/r
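
The reasoning in this exchange, as an added example that is not part of the original thread: a SIP digest password guess only works if the sender received the server's 401 challenge, so a REGISTER that echoes a nonce issued to its source address shows that address is not spoofed (barring an on-path sender). The class and function names, addresses, threshold and messages are constructed for illustration.

```python
import re
import secrets
from collections import defaultdict

# Nonce of a Digest Authorization header; \b keeps "cnonce" from matching.
NONCE_RE = re.compile(r'^Authorization:\s*Digest\b.*?\bnonce="([^"]+)"', re.I | re.M)

class RegisterTracker:
    """Counts, per source IP, REGISTERs that echo a nonce we sent to that IP."""
    def __init__(self):
        self.issued = defaultdict(set)      # src_ip -> nonces sent in our 401s
        self.verified = defaultdict(int)    # requests proving the 401 arrived
        self.unverified = defaultdict(int)  # requests proving nothing about src_ip

    def observe(self, src_ip, raw):
        """Record one REGISTER; return the nonce the 401 reply would carry."""
        m = NONCE_RE.search(raw)
        echoed = bool(m) and m.group(1) in self.issued[src_ip]
        (self.verified if echoed else self.unverified)[src_ip] += 1
        nonce = secrets.token_hex(8)
        self.issued[src_ip].add(nonce)
        return nonce

    def classify(self, src_ip, threshold=3):
        if self.verified[src_ip] >= threshold:
            return "brute force, source address verified"
        if self.unverified[src_ip] >= threshold:
            return "flood, source address unverified"
        return "normal"

def build_register(user, nonce=None):
    """Constructed, minimal REGISTER; real requests carry more headers."""
    lines = ["REGISTER sip:pbx.example.com SIP/2.0", f"To: <sip:{user}@pbx.example.com>"]
    if nonce:
        lines.append(f'Authorization: Digest username="{user}", realm="asterisk", '
                     f'cnonce="abc", nonce="{nonce}", response="0000"')
    return "\r\n".join(lines) + "\r\n\r\n"

def demo():
    t = RegisterTracker()
    nonce = None
    for _ in range(4):   # 192.0.2.10 reads each 401 and answers it with a guess
        nonce = t.observe("192.0.2.10", build_register("100", nonce))
    for _ in range(4):   # 198.51.100.7 never sees our 401s and sends blind
        t.observe("198.51.100.7", build_register("100", "made-up"))
    first = t.observe("203.0.113.5", build_register("200"))  # ordinary client
    t.observe("203.0.113.5", build_register("200", first))
    return {ip: t.classify(ip) for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5")}

print(demo())
```

A production tracker would also expire issued nonces so that a flood cannot grow the per-address sets without bound.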



Re: [asterisk-users] Amazon EC2 SIP floods - you can help

2010-04-18 Thread Stuart Sheldon

Randy R wrote:
> On Sun, Apr 18, 2010 at 5:38 PM, Stuart Sheldon s...@actusa.net wrote:
>>> In a related question, if the IP addresses were spoofed, how could a
>>> response be directed back? Don't the register attempts, because they
>>
>> If the IP addresses were spoofed, it would be simply a DoS attack.
>
> This is what I thought, so when people say yeah, but they could be
> spoofed this isn't a valid argument.
>
> A huge number of requests going to your server with an originating EC2
> IP needs to be shut down first, questions asked after.
>
> Only Amazon can fix this. They have not only the IP info but also full
> customer data, including banking info.
>
> What possible excuse can they provide? Is this why they are silent?
> There's no good excuse other than, it would cut into our profits.
>
> Maybe we could get GigaOm interested or some other high-visibility blog.
>
> /r
 

For what it's worth, here is my Blog Article from the incident...

http://www.stuartsheldon.org/blog/2010/04/sip-brute-force-attack-originating-from-amazon-ec2-hosts/

Stu



Re: [asterisk-users] Amazon EC2 SIP floods - you can help

2010-04-18 Thread Fred Posner
On Apr 18, 2010, at 1:14 PM, Randy R wrote:

> On Sun, Apr 18, 2010 at 6:02 PM, Stuart Sheldon s...@actusa.net wrote:
>> For what it's worth, here is my Blog Article from the incident...
>>
>> http://www.stuartsheldon.org/blog/2010/04/sip-brute-force-attack-originating-from-amazon-ec2-hosts/
>
> Saw it early on Stu, and quoted your excellent summary:
>
> “I’m sorry, you have reached a company that doesn’t care that we are
> attacking you…”
>
> /r
 

There's also a link to it from the VoIP Tech Chat article.

---fred
http://qxork.com




Re: [asterisk-users] Amazon EC2 SIP floods - you can help

2010-04-18 Thread Randy R
On Sun, Apr 18, 2010 at 6:02 PM, Stuart Sheldon s...@actusa.net wrote:
> For what it's worth, here is my Blog Article from the incident...
>
> http://www.stuartsheldon.org/blog/2010/04/sip-brute-force-attack-originating-from-amazon-ec2-hosts/


Saw it early on Stu, and quoted your excellent summary:

“I’m sorry, you have reached a company that doesn’t care that we are
attacking you…”

/r



Re: [asterisk-users] Amazon EC2 SIP floods - you can help

2010-04-18 Thread Randy R
On Sun, Apr 18, 2010 at 7:17 PM, Fred Posner f...@teamforrest.com wrote:
> There's also a link to it from the VoIP Tech Chat article.

And we are also linking to Fred's original story which says it all about Amazon:

http://www.voiptechchat.com/voip/457/amazon-ec2-sip-brute-force-attacks-on-rise/

It has been suggested that posters on Twitter use hashtags. I'm not
big on them myself, but #EC2, #SIP and #amazon might be appropriate.

/r



Re: [asterisk-users] Amazon EC2 SIP floods - you can help

2010-04-18 Thread Rob Townley
On Sun, Apr 18, 2010 at 12:25 PM, Randy R randulo2...@gmail.com wrote:
> On Sun, Apr 18, 2010 at 7:17 PM, Fred Posner f...@teamforrest.com wrote:
>> There's also a link to it from the VoIP Tech Chat article.
>
> And we are also linking to Fred's original story which says it all about Amazon:
>
> http://www.voiptechchat.com/voip/457/amazon-ec2-sip-brute-force-attacks-on-rise/
>
> It has been suggested that posters on Twitter use hashtags. I'm not
> big on them myself, but #EC2, #SIP and #amazon might be appropriate.
>
> /r



Just a thought or my worst nightmare.  I wonder if it isn't a hyperkit
/ hyperrootkit.  A malicious variant of BluePill on a Virtual Machine
that can spread through all other VMs on a machine because it becomes
the hypervisor.  Since a SAN is often used to move images from one
machine to another, an infected VM fired up on a different machine
could spread quickly.



Re: [asterisk-users] Amazon EC2 SIP floods - you can help

2010-04-18 Thread Randy R
On Sun, Apr 18, 2010 at 8:16 PM, Rob Townley rob.town...@gmail.com wrote:
> Just a thought or my worst nightmare.  I wonder if it isn't a hyperkit
> / hyperrootkit.  A malicious variant of BluePill on a Virtual Machine
> that can spread through all other VMs on a machine because it becomes
> the hypervisor.  Since a SAN is often used to move images from one
> machine to another, an infected VM fired up on a different machine
> could spread quickly.

All the more reason for Amazon to get off their ass and look into this.

r
