Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-05-01 Thread --[ UxBoD ]--
- Original Message -
 Randy-
 
  On Wed, Apr 21, 2010 at 5:33 PM, Steve Murphy m...@parsetree.com
  wrote:
  Assuming that every such spamming/hacking/attack site is funded on
  a stolen identity/CC number, it will soon sink into Amazon that
  they are
  getting a bad rep, and losing money on such problems, as all such
  charges are reversed when the identity theft is discovered... How
  they overcome
  the problem, should be a tribute to the marvelous power of human
  ingenuity.
 
  Interesting point about the stolen CC numbers. If that is true, then
  they will be forced to investigate for their own internal damage
  control.
 
 You are nothing if not persistent, an excellent quality in a case like
 this. By now I'm sure Amazon execs are
 wondering who is this Randulo guy, hehe.
 

Slammed again last night by an A-WS server; see if anything comes back from 
their abuse department!

-- 
Thanks, Phil

-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-05-01 Thread Randy R
On Sat, May 1, 2010 at 4:49 PM, --[ UxBoD ]-- ux...@splatnix.net wrote:
 Slammed again last night by an A-WS server; see if anything comes back from 
 their abuse department!

FWIW, I chose another provider for our most recent customer who needed
cloud hosting, only because of the EC2 flood Attacks and Amazon's weak
defense and lack of cooperation. All they have done so far is PR spin.
We need them to actually do something. In the meantime, they've lost
my business and I hope others are voting with their feet.

I also had an interesting discussion with one of the people behind
http://projecthoneypot.org who said they'd be interested in working
with us on devising a lookup scheme like the one they've been using
for comment spammers, etc. I can tell you from first hand experience
that their DNSBL has saved me hours and avoids 95% of the comment spam
we were getting before I wrote a simple function to access PHP's
database.

As soon as I return from China, I will get back in touch with them and
we should set up a meeting with everyone who is concerned by this EC2
abuse thing. I think we can do some good work together;

An interesting sidenote to Project HoneyPot is that the site is down
because of a disk failure. But the interesting note is that it is an
SSD! So much for no moving parts being more reliable!

/r



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-21 Thread Randy R
Amazon is pretty clever! Ever seen V on TV?

Amazon talks a pretty good game out of one side of their PR
mouthpiece, but as a few of you note above, they abuse words like
"quickly" and temper everything with "when Amazon determines".

This is a PR damage control statement. It means they are hearing the
shots fired by irate server operators/owners and I say you should keep
that pressure on until you actually see them acting QUICKLY and not
dicking you around, asking you to resubmit reports, etc.

I know some of you whose servers have been attacked. I know that you
are extremely capable network admins, programmers, VoIP engineers,
etc, which means your reports are technically at the same level or
higher than the people at Amazon that receive them.

Conclusion: Amazon is still dancing, start shooting higher than their feet.

/r



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-21 Thread Gordon Henderson
On Tue, 20 Apr 2010, Frank Bulk wrote:

 Please take note of their posting:
   https://aws.amazon.com/security/
 which discusses the issue and what they're doing to improve response.

And is anyone on the list worthy of being considered a significant SIP 
provider to be honoured with the privilege of working with them?

Gordon



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-21 Thread Fred Posner
On Apr 21, 2010, at 4:50 AM, Gordon Henderson wrote:

 On Tue, 20 Apr 2010, Frank Bulk wrote:
 
 Please take note of their posting:
  https://aws.amazon.com/security/
 which discusses the issue and what they're doing to improve response.
 
 And is anyone on the list worthy of being considered a significant SIP 
 provider to be honoured with the privilege of working with them?
 
 Gordon
 

None of the carriers I deal with have been contacted. Of course, them only 
contacting significant providers... does that mean it's ok if the attacks 
happen to non-significant providers or end-points?

---fred
http://qxork.com



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-21 Thread Randy R
On Wed, Apr 21, 2010 at 2:55 PM, Fred Posner f...@teamforrest.com wrote:
 On Apr 21, 2010, at 4:50 AM, Gordon Henderson wrote:

 On Tue, 20 Apr 2010, Frank Bulk wrote:

 Please take note of their posting:
      https://aws.amazon.com/security/
 which discusses the issue and what they're doing to improve response.

 And is anyone on the list worthy of being considered a significant SIP
 provider to be honoured with the privilege of working with them?

 Gordon


 None of the carriers I deal with have been contacted. Of course, them only 
 contacting significant providers... does that mean it's ok if the attacks 
 happen to non-significant providers or end-points?

 ---fred
 http://qxork.com

If it got to their BS/PR page/blog it means they're hearing about
complaints on the net as well as people like you submitting. Everyone
please keep posting where you can and sooner or later, someone big
will pick up the story.

Funny, I'd think the most worthy people to comment on this issue are
on this list. That's the feedback they should be looking for and
working on at Amazon EC2.

/r



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-21 Thread Stuart Sheldon

Randy R wrote:
 On Wed, Apr 21, 2010 at 2:55 PM, Fred Posner f...@teamforrest.com
 wrote:
 On Apr 21, 2010, at 4:50 AM, Gordon Henderson wrote:
 
 On Tue, 20 Apr 2010, Frank Bulk wrote:
 
 Please take note of their posting: 
 https://aws.amazon.com/security/ which discusses the issue and
 what they're doing to improve response.
 And is anyone on the list worthy of being considered a
 significant SIP provider to be honoured with the privilege of
 working with them?
 
 Gordon
 
 None of the carriers I deal with have been contacted. Of course,
 them only contacting significant providers... does that mean it's
 ok if the attacks happen to non-significant providers or
 end-points?
 
 ---fred http://qxork.com
 
 If it got to their BS/PR page/blog it means they're hearing about 
 complaints on the net as well as people like you submitting. Everyone
  please keep posting where you can and sooner or later, someone big 
 will pick up the story.
 
 Funny, I'd think the most worthy people to comment on this issue
 are on this list. That's the feedback they should be looking for and 
 working on at Amazon EC2.
 
 /r
 

We might be reading their PR wrong... Maybe there were large SIP
providers that were compromised due to this attack... Maybe they are
keeping that quiet at the request of those providers... It could also be
that the aliens in hiding in Colorado are behind the whole thing! ... Oh
no! I've said too much!!! LOL...

It could actually be the case that this whole issue went beyond what we
are seeing, and they are trying to protect one of their Whale customers...

Needless to say, what about the SSH brute force attacks that originate
from their network? What about the SPAM that flows like a fountain from
their net blocks?

This was nothing more than PR hype...

Stu


- --
For six long years I've been in trouble, no pleasure here on earth
I found. For in this world I'm bound to ramble, I have no friends
to help me now.
   -- The Soggy Bottom Boys - I am a man of constant sorrow


Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-21 Thread Steve Murphy
On Wed, Apr 21, 2010 at 9:23 AM, Stuart Sheldon s...@actusa.net wrote:


 Randy R wrote:
  On Wed, Apr 21, 2010 at 2:55 PM, Fred Posner f...@teamforrest.com
  wrote:
  On Apr 21, 2010, at 4:50 AM, Gordon Henderson wrote:
 
  On Tue, 20 Apr 2010, Frank Bulk wrote:
 
  Please take note of their posting:
  https://aws.amazon.com/security/ which discusses the issue and
  what they're doing to improve response.
  And is anyone on the list worthy of being considered a
  significant SIP provider to be honoured with the privilege of
  working with them?
 
  Gordon
 
  None of the carriers I deal with have been contacted. Of course,
  them only contacting significant providers... does that mean it's
  ok if the attacks happen to non-significant providers or
  end-points?
 
  ---fred http://qxork.com
 
  If it got to their BS/PR page/blog it means they're hearing about
  complaints on the net as well as people like you submitting. Everyone
   please keep posting where you can and sooner or later, someone big
  will pick up the story.
 
  Funny, I'd think the most worthy people to comment on this issue
  are on this list. That's the feedback they should be looking for and
  working on at Amazon EC2.
 
  /r
 

 We might be reading their PR wrong... Maybe there were large SIP
 providers that were compromised due to this attack... Maybe they are
 keeping that quiet at the request of those providers... It could also be
 that the aliens in hiding in Colorado are behind the whole thing! ... Oh
 no! I've said too much!!! LOL...

 It could actually be the case that this whole issue went beyond what we
 are seeing, and they are trying to protect one of their Whale customers...

 Needless to say, what about the SSH brute force attacks that originate
 from their network? What about the SPAM that flows like a fountain from
 their net blocks?

 This was nothing more than PR hype...

 Stu


Assuming that every such spamming/hacking/attack site is funded on a
stolen identity/CC number, it will soon sink into Amazon that they are
getting a bad rep, and losing money on such problems, as all such charges
are reversed when the identity theft is discovered... How they overcome
the problem, should be a tribute to the marvelous power of human ingenuity.

murf

-- 
Steve Murphy
ParseTree Corp

Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-21 Thread Randy R
On Wed, Apr 21, 2010 at 5:33 PM, Steve Murphy m...@parsetree.com wrote:
 Assuming that every such spamming/hacking/attack site is funded on a
 stolen identity/CC number, it will soon sink into Amazon that they are
 getting a bad rep, and losing money on such problems, as all such charges
 are reversed when the identity theft is discovered... How they overcome
 the problem, should be a tribute to the marvelous power of human ingenuity.

Interesting point about the stolen CC numbers. If that is true, then
they will be forced to investigate for their own internal damage
control.

/r



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-21 Thread Jeff Brower
Randy-

 On Wed, Apr 21, 2010 at 5:33 PM, Steve Murphy m...@parsetree.com wrote:
 Assuming that every such spamming/hacking/attack site is funded on a
 stolen identity/CC number, it will soon sink into Amazon that they are
 getting a bad rep, and losing money on such problems, as all such charges
 are reversed when the identity theft is discovered... How they overcome
 the problem, should be a tribute to the marvelous power of human ingenuity.

 Interesting point about the stolen CC numbers. If that is true, then
 they will be forced to investigate for their own internal damage
 control.

You are nothing if not persistent, an excellent quality in a case like this.  
By now I'm sure Amazon execs are
wondering who is this Randulo guy, hehe.

-Jeff




Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-20 Thread Frank Bulk
Please take note of their posting:
https://aws.amazon.com/security/
which discusses the issue and what they're doing to improve response.

Frank

-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Fred Posner
Sent: Tuesday, April 13, 2010 3:41 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Being attacked by an Amazon EC2 ...

On Apr 13, 2010, at 4:22 PM, Randy R wrote:

 On Tue, Apr 13, 2010 at 8:25 PM, Steve Murphy m...@parsetree.com wrote:
 Hmmm. It would seem that it would be to Amazon's advantage to jump on this
 problem,
 
 I am pushing for this, please everyone who is suffering from this
 problem, submit it or write to complain to Amazon and post the message
 publicly wherever you can in a civilized, even lucid message to them.
 If you do it they will take notice. They need to see this as a problem
 in their space and take reasonable steps to either make it harder to
 abuse their service and/or easier to report the abuse, which they must
 then act upon.  The thread here is an interesting discussion, but it
 can't compare to actual action they might take if your complaints
 reach them. They will need to act, but only if you force them to take
 notice.
 
 I believe Amazon has a chance to distinguish themselves from ISP who
 allow spammers to do mass mailings without any real challenge. They
 will act if you continue putting the message out there.
 
 /r
 

The only person I've gotten to respond to me is Kay Kinton from Amazon's
Public Relations. Although she responded, she will not take a phone call or
discuss the issue over the phone. She gave me two statements so far, which I
will be posting on VoIPTechChat.com (one's there already).

Statement 1:

Hello Fred and thank you for contacting us.  Over the weekend, we received a
report of a suspicious account and began an investigation.  Our normal
process is to connect the two involved parties to give them an opportunity
to talk in case the abuse is not malicious but is simply heavy traffic from
a legitimate customer.  If that is not successful, we then move to isolate
the traffic from the abusing party.  Normally this process works quite well
for situations our customers have encountered, however this incident has
highlighted the need for an escalation process to address potentially
malicious attacks more quickly. Additionally, we are working on quickly
putting better protections and processes in place to better guard against
unwanted SIP traffic.  We take the security of our customers and our quality
of service very seriously, and will  continue to work to improve our
processes and services for customers.

/end statement 1

This was of course while attacks were continuing, so I asked for a
discussion and sent her several questions when she told me "what else can I
tell you".

Today I received statement 2:

Hello Fred. We believe that we've identified and shut down the illegal
activity and are closing the loop with customers.  We'd certainly be
interested in hearing of the cases you refer to below so we can follow up.

/end statement 2.

So.. since she's interested... please let her know how they did not respond
to your complaints, the attacks, and well, any of the concerns you have to
which she should follow up:

Kay Kinton
kin...@amazon.com
Public Relations Manager
Amazon Web Services
Phone:  206-266-8387

---fred
http://qxork.com




Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-20 Thread Fred Posner
On Apr 20, 2010, at 6:18 PM, Frank Bulk wrote:

 Please take note of their posting:
   https://aws.amazon.com/security/
 which discusses the issue and what they're doing to improve response.
 
 Frank
 

If only they wrote the truth...

"When we find misuse, we take action quickly and shut it down."

If "quickly" means letting it go on for weeks, then they definitely handled it 
quickly.

---fred
http://qxork.com




Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-20 Thread Frank Bulk
I agree, our "quickly" and Amazon's "quickly" are two different things.
Maybe it was quickly for them.  And note that they say "when *we* find
misuse".  Even though a customer may have identified it, their AWS abuse
(team?) may not run a 24x7 operation and further delay things.

Frank

-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Fred Posner
Sent: Tuesday, April 20, 2010 6:47 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Being attacked by an Amazon EC2 ...

On Apr 20, 2010, at 6:18 PM, Frank Bulk wrote:

 Please take note of their posting:
   https://aws.amazon.com/security/
 which discusses the issue and what they're doing to improve response.
 
 Frank
 

If only they wrote the truth...

"When we find misuse, we take action quickly and shut it down."

If "quickly" means letting it go on for weeks, then they definitely handled it
quickly.

---fred
http://qxork.com




Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-20 Thread Chris Owen

On Apr 20, 2010, at 5:18 PM, Frank Bulk wrote:

 Please take note of their posting:
   https://aws.amazon.com/security/
 which discusses the issue and what they're doing to improve response.

This is an incredibly lame post on their part.   They go out of their way to 
point out there was nothing unique about this attack that made it require that 
it come from EC2.   However, that isn't true.   Had this attack come from 
anywhere else it would have been shut down _days_ before it was on EC2.

Chris

-
Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
President  - Wichita (316) 858-3000 -A stupidity tax
Hubris Communications Inc  www.hubris.net
-


Re: [asterisk-users] Being attacked by an Amazon EC2

2010-04-13 Thread Randy R
 I worked with Project Honeypot guys for a while, they are more than
 willing to assist, as they already have the backend work done for a
 clearing house identifying hackers.  The biggest issue we had a year
 ago was to create the mechanism in asterisk to push valid log messages
 out to the database and then determine what to do with that data?

Because I run a lot of forums and blogs, I use Project Honeypot,
report to them and have lent them a few honeypot MX and pages.

 I tried to bridge the gap between a few Asterisk developers and the
 Honeypot developers, ultimately the project stalled and I got busy
 with other matters.  If anyone here would like to pick up the torch
 and move this along, I can certainly provide info on how far along we
 got and contact info for the parties involved.

Project Honeypot seems pretty overworked/overstretched already, but if
you're able to communicate with them that's excellent, they are doing
a great job with their DB, it saves me a lot of time.

 Please contact me if you have time to work on this and are interested.
  I'm sure the Project Honeypot guys will be willing to pick this
 project back up and work on it.

I can't contribute code, but I can help spread the word. I also still
believe that Amazon needs to put resources to work on the problem. The
cloud is too easy to hide in for what are obviously fraudulent
operations.

We will certainly be talking about this on the VoIP Users Conference
in the next weeks. We should schedule it as a topic, possibly for
April 30th. Would you be available for that JR? (12 Noon EDT)

/r



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-13 Thread Randy R
On Mon, Apr 12, 2010 at 7:17 PM, Darrick Hartman
dhart...@djhsolutions.com wrote:
 That only addresses EC2 (and assumes that Amazon has any interest in
 protecting their reputation).  What about attacks that come from other
 locations?  Granted it's pretty easy to buy time on an EC2 server so
 this may be the primary source for a period of time.

With the growth of the cloud offerings, this problem will likely grow,
so yes, a generic solution is needed. What I want to see though, and
no provider has done much if anything about it, is REPORTING and
INVESTIGATION. It is easy to use a script to report and submit, we can
all do that, even I could (if I had a box running and needed to). The
hard part is them having their tech/sys people actually look at the
network and see, "Oh, ya, there's some shit happening on that
instance..."

If Amazon's form submit didn't even work, that's a really bad
reflection on their brand in a lot of ways, including tech competence.
If that is known to geeks like us, it won't hurt them, which is why,
like a broken record, I keep saying: put your Amazon experience out to
the public. When it starts being mentioned in Wired, Storm Cloud or
something, THEN Amazon will have to do something.

I do not believe Amazon is taking reasonable measures now in doing
their job, and that they should be working towards that goal,
reasonable measures as opposed to NO measures.

/r



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-13 Thread Alyed
Think we need some solution WITHIN the Asterisk core. Roderick A. suggested
something that looks nice using iptables, some others have pointed out using
RBL or fail2ban, but the best would be to have some generic solution not
dependant on third party programs.

I'm not aware of the asterisk.dev list but maybe someone can tell if they
can help us here?

Alyed


2010/4/13 Randy R randulo2...@gmail.com

 On Mon, Apr 12, 2010 at 7:17 PM, Darrick Hartman
 dhart...@djhsolutions.com wrote:
  That only addresses EC2 (and assumes that Amazon has any interest in
  protecting their reputation).  What about attacks that come from other
  locations?  Granted it's pretty easy to buy time on an EC2 server so
  this may be the primary source for a period of time.

 With the growth of the cloud offerings, this problem will likely grow,
 so yes, a generic solution is needed. What I want to see though, and
 no provider has done much if anything about it, is REPORTING and
 INVESTIGATION. It is easy to use a script to report and submit, we can
 all do that, even I could (if I had a box running and needed to). The
 hard part is them having their tech/sys people actually look at the
 network and see, "Oh, ya, there's some shit happening on that
 instance..."

 If Amazon's form submit didn't even work, that's a really bad
 reflection on their brand in a lot of ways, including tech competence.
 If that is known to geeks like us, it won't hurt them, which is why,
 like a broken record, I keep saying: put your Amazon experience out to
 the public. When it starts being mentioned in Wired, Storm Cloud or
 something, THEN Amazon will have to do something.

 I do not believe Amazon is taking reasonable measures now in doing
 their job, and that they should be working towards that goal,
 reasonable measures as opposed to NO measures.

 /r


Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-13 Thread Tzafrir Cohen
On Tue, Apr 13, 2010 at 08:27:11AM +0200, Randy R wrote:
 On Mon, Apr 12, 2010 at 7:17 PM, Darrick Hartman
 dhart...@djhsolutions.com wrote:
  That only addresses EC2 (and assumes that Amazon has any interest in
  protecting their reputation).  What about attacks that come from other
  locations?  Granted it's pretty easy to buy time on an EC2 server so
  this may be the primary source for a period of time.
 
 With the growth of the cloud offerings, this problem will likely grow,
 so yes, a generic solution is needed. What I want to see though, and
 no provider has done much if anything about it, is REPORTING and
 INVESTIGATION. It is easy to use a script to report and submit, we can
 all do that, even I could (if I had a box running and needed to). The
 hard part is them having their tech/sys people actually look at the
 network and see, "Oh, ya, there's some shit happening on that
 instance..."

But this potentially moved DoS attacks from one place to another.
Especially given that the source of a UDP packet is easy to forge.


(And yes, in this case the attack was not intended to be a simple DoS)
-- 
   Tzafrir Cohen
icq#16849755  jabber:tzafrir.co...@xorcom.com
+972-50-7952406   mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com  iax:gu...@local.xorcom.com/tzafrir



Re: [asterisk-users] Being attacked by an Amazon EC2

2010-04-13 Thread Tzafrir Cohen
On Mon, Apr 12, 2010 at 04:58:42PM -0500, JR Richardson wrote:
  Perhaps if there was a Asterisk RBL we could all contribute to; for
  which we could then hook into and drop any connection where a
  source IP is listed ? -- Thanks, Phil
 
 
  I love the idea of a RBL... count me in for contributing.
 
  Especially considering the ridiculous response I received from
  Amazon. (Basically told me to submit host, destination, port, proto,
  and log... which of course was already included in the original
  complaint)
 
  I don't think anyone else brought up the Spamhaus DROP project.  It's a
  blacklist of IP addresses and address ranges which are known to ONLY be
  used for malicious purposes.
 
  http://www.spamhaus.org/drop/

This is for really bad spammers. In our case it would be used to block
Amazon AWS in the (completely unlikely!) case that they would do nothing
about those cases.

 
  We could establish something similar to that for VOIP attacks.  It may
  not be exactly a trivial system to maintain such a list. (removing IP's
  after X amount of time, disputing false claims etc).  Maybe someone
  could contact spamhaus to create a list for VOIP since they seem to have
  a nice system in place?
 
 Hi All, good discussion, similar to ones we had a year or so ago.  The
 RBL concept is valid, at least to get a repository going that list
 malicious activity specific to SIP attacks.
 I worked with Project Honeypot guys for a while, they are more than
 willing to assist, as they already have the backend work done for a
 clearing house identifying hackers.  The biggest issue we had a year
 ago was to create the mechanism in asterisk to push valid log messages
 out to the database and then determine what to do with that data?
 
 I tried to bridge the gap between a few Asterisk developers and the
 Honeypot developers, ultimately the project stalled and I got busy
 with other matters.  If anyone here would like to pick up the torch
 and move this along, I can certainly provide info on how far along we
 got and contact info for the parties involved.
 
 Please contact me if you have time to work on this and are interested.
  I'm sure the Project Honeypot guys will be willing to pick this
 project back up and work on it.

I've been bitten too many times by over-zealous anti-spam black lists.
It's easy to get in. More difficult to be removed. And heck, I can
easily set up a few servers in Amazon which will generate faked logs
of attacks from your server, if I want to shut your phone system for a
couple of days.

-- 
   Tzafrir Cohen
icq#16849755  jabber:tzafrir.co...@xorcom.com
+972-50-7952406   mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com  iax:gu...@local.xorcom.com/tzafrir



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-13 Thread --[ UxBoD ]--
- Original Message -
 Think we need some solution WITHIN the Asterisk core. Roderick A.
 suggested something that looks nice using iptables, some others have
 pointed out using RBL or fail2ban, but the best would be to have some
 generic solution not dependent on third party programs.
 
 I'm not aware of the asterisk.dev list but maybe someone can tell if
 they can help us here?
 
 Alyed
 
 
 
 2010/4/13 Randy R  randulo2...@gmail.com 
 
 
 
 On Mon, Apr 12, 2010 at 7:17 PM, Darrick Hartman
  dhart...@djhsolutions.com  wrote:
  That only addresses EC2 (and assumes that Amazon has any interest in
  protecting their reputation). What about attacks that come from
  other locations? Granted it's pretty easy to buy time on an EC2
  server so
  this may be the primary source for a period of time.
 
 With the growth of the cloud offerings, this problem will likely grow,
 so yes, a generic solution is needed. What I want to see though, and
 no provider has done much if anything about it, is REPORTING and
 INVESTIGATION. It is easy to use a script to report and submit, we can
 all do that, even I could (if I had a box running and needed to). The
 hard part is them having their tech/sys people actually look at the
 network and see, Oh, ya, there's some shit happening that on that
 instance...
 
 If Amazon's form submit didn't even work, that's a really bad
 reflection on their brand in a lot of ways, including tech competence.
 If that is known to geeks like us, it won't hurt them which is why,
 like a broken record, I keep saying: put your Amazon experience out to
 the public. When it starts being mentioned in Wired, Storm Cloud or
 something, THEN Amazon will have to do something.
 
 I do not believe Amazon is taking reasonable measures now in doing
 their job, and that they should be working towards that goal,
 reasonable measures as opposed to NO measures.
 
 /r
 
 
 
 

DNS lookup capability appears to be required on an Asterisk installation and 
hence a DNSRBL would appear to be a good solution. An alternative, similar to 
the SaneSecurity AV sigs, would be to have a pool of rsync servers for 
downloading a list of known IPs.  Again this would require community 
contribution in both time and resources.  I would be happy to allocate some 
spare memory and CPU cycles and hopefully my employer would as well.
-- 
Thanks, Phil


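The shared-list idea above (a DNSRBL or rsync'd list of attacking IPs) and Tzafrir's objection to it earlier in the thread (anyone can forge attack logs naming your server, and lists are easy to get on and hard to get off) pull in opposite directions. The sketch below is an added example written for this page, not Spamhaus, Project Honeypot or Asterisk code. It shows the DNSBL query-name convention (reversed octets under a zone) and two safeguards a community list would need: a quorum of distinct reporters before an address is listed, and a TTL after which a listing lapses on its own. The zone name, the quorum of three, the 24-hour TTL and the reporter ids (standing in for credentials the list operator would issue) are all assumptions.

```python
"""A shared SIP-attacker list with DNSBL-style lookups, quorum and expiry.

Added example written for this thread; it is not Spamhaus, Project Honeypot
or Asterisk code.  The zone name, the quorum of three reporters and the
24-hour TTL are assumptions.  Reporter ids stand in for credentials the list
operator would have issued (e.g. an API key); the list never takes a bare
"this IP attacked me" at face value, which is the forged-report risk raised
earlier in the thread.
"""
import ipaddress
import time
from collections import defaultdict

ZONE = "voip.bl.example"          # hypothetical zone
LISTED = "127.0.0.2"              # conventional DNSBL "yes" answer


def dnsbl_name(ip, zone=ZONE):
    """Query name for an IPv4 DNSBL lookup: reversed octets under the zone."""
    addr = ipaddress.IPv4Address(ip)              # rejects junk before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone


class SharedList:
    """Publisher side: reports from many sites come in, zone records go out."""

    def __init__(self, quorum=3, ttl=86400.0):
        self.quorum = quorum
        self.ttl = ttl
        self._reports = defaultdict(dict)        # ip -> {reporter_id: last report time}

    def report(self, reporter_id, ip, now=None):
        now = time.time() if now is None else now
        self._reports[str(ipaddress.IPv4Address(ip))][reporter_id] = now

    def fresh_reporters(self, ip, now=None):
        """Distinct reporters who named ip within the last ttl seconds."""
        now = time.time() if now is None else now
        seen = self._reports.get(str(ipaddress.IPv4Address(ip)), {})
        return sum(1 for t in seen.values() if now - t <= self.ttl)

    def is_listed(self, ip, now=None):
        # Listed only while `quorum` independent sites corroborate; one site
        # repeating itself adds nothing, and silence makes the listing lapse.
        return self.fresh_reporters(ip, now) >= self.quorum

    def zone_records(self, now=None):
        """The A records a DNSBL would serve, as {name: address}."""
        return {dnsbl_name(ip): LISTED for ip in self._reports if self.is_listed(ip, now)}


def lookup(ip, resolve):
    """Client side.  `resolve(name)` returns the A answer or None.  A real
    client would hand the name to the resolver; the test passes a dict lookup
    over constructed records instead, so nothing here touches the network."""
    return resolve(dnsbl_name(ip)) == LISTED


if __name__ == "__main__":
    shared = SharedList(quorum=2, ttl=3600)
    shared.report("site-a", "203.0.113.7", now=1000)   # constructed reports
    shared.report("site-b", "203.0.113.7", now=1010)
    records = shared.zone_records(now=1020)
    print(records)                                      # one A record for 203.0.113.7
    print(lookup("203.0.113.7", records.get))           # True
```

The quorum is what makes forged logs expensive: an attacker has to control several accredited reporters, not just one EC2 instance, and the TTL means a disputed listing clears itself if the reports stop. A consumer of the list should still keep its own never-block list of trunks and peers, since the quorum raises the bar but does not remove it.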

Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-13 Thread Gordon Henderson
On Tue, 13 Apr 2010, Alyed wrote:

 Think we need some solution WITHIN the Asterisk core. Roderick A. suggested
 something that looks nice using iptables, some others have pointed out using
 RBL or fail2ban, but the best would be to have some generic solution not
 dependent on third party programs.

I'd strongly disagree with this. (And I was the OP of this thread and had 
my home/office network connection taken down due to it)

But then, I'm an old worldy Unix sysadmin and the philosophy of having a 
program do one thing well is still etched into my core...

http://en.wikipedia.org/wiki/Unix_philosophy

So get asterisk to do what it does well, then get something else that does 
what you need to do just as well - built-in to Linux are the iptables 
firewall rules. Use them! They are very effective and do work. (And you 
have a choice!)

The biggest issue I see is that people are installing Asterisk and other 
high-level applications on top of Linux (and other *nix'es) without the 
experience of sysadmin - then when something goes wrong they want the 
application to fix it rather than apply some basic and pretty fundamental 
sysadmin techniques to solve the issue.

And that means that even having permit= and deny= in sip.conf and 
iax.conf, etc. is too much. With proper OS level firewalling they're 
simply not needed and do nothing more than add another potential point of 
failure and add yet more code to maintain.

Gordon



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-13 Thread --[ UxBoD ]--
- Original Message -
 On Tue, 13 Apr 2010, Alyed wrote:
 
  Think we need some solution WITHIN the Asterisk core. Roderick A.
  suggested something that looks nice using iptables, some others have
  pointed out using
  RBL or fail2ban, but the best would be to have some generic solution
  not dependent on third party programs.
 
 I'd strongly disagree with this. (And I was the OP of this thread and
 had my home/office network connection taken down due to it)
 
 But then, I'm an old worldy Unix sysadmin and the philosophy of having
 a program do one thing well is still etched into my core...
 
 http://en.wikipedia.org/wiki/Unix_philosophy
 
 So get asterisk to do what it does well, then get something else that
 does what you need to do just as well - built-in to Linux are the
 iptables firewall rules. Use them! They are very effective and do
 work. (And you
 have a choice!)
 
 The biggest issue I see is that people are installing Asterisk and
 other high-level applications on top of Linux (and other *nix'es)
 without the
 experience of sysadmin - then when something goes wrong they want
 the application to fix it rather than apply some basic and pretty
 fundamental sysadmin techniques to solve the issue.
 
 And that means that even having permit= and deny= in sip.conf and
 iax.conf, etc. is too much. With proper OS level firewalling they're
 simply not needed and do nothing more than add another potential point
 of failure and add yet more code to maintain.
 
 Gordon
 

Gordon,

Completely agree with what you are saying though I believe the proposal of some 
sort of shared IP list is a valid one.  If you had not brought this to the 
attention of the list then this discussion would have not taken place.  I am 
guilty in that when an EC2 server attempted to break into my PBX I did not share 
it with the list.  We, large assumption, are all at some point subjected to 
probing attacks against our Asterisk deployments and I feel it would be great 
if there was some mechanism where we were able to share those hackers IPs for 
blocking by one means or another.
-- 
Thanks, Phil



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-13 Thread Norbert Zawodsky
On 13.04.2010 10:47, Gordon Henderson wrote:
 I'd strongly disagree with this. (And I was the OP of this thread and had
 my home/office network connection taken down due to it)

 But then, I'm an old worldy Unix sysadmin and the philosophy of having a 
 program do one thing well is still etched into my core...

 http://en.wikipedia.org/wiki/Unix_philosophy

 So get asterisk to do what it does well, then get something else that does 
 what you need to do just as well - built-in to Linux are the iptables 
 firewall rules. Use them! They are very effective and do work. (And you 
 have a choice!)

 The biggest issue I see is that people are installing Asterisk and other 
 high-level applications on top of Linux (and other *nix'es) without the 
 experience of sysadmin - then when something goes wrong they want the 
 application to fix it rather than apply some basic and pretty fundamental 
 sysadmin techniques to solve the issue.

 And that means that even having permit= and deny= in sip.conf and 
 iax.conf, etc. is too much. With proper OS level firewalling they're 
 simply not needed and do nothing more than add another potential point of 
 failure and add yet more code to maintain.

 Gordon

   
I definitely do agree with Gordon!

If you have to get your car over a river, try to find a bridge or ferry
instead of trying to teach the car to swim

O.k., maybe this was a bit polemic. But in some way, it reminds me of
Linux. What I really love is the very high flexibility.
And I definitely can see Gordon's point, not adding functionality to
programs which somehow doesn't belong there.

My thought is: It's very easy to write a program/script which connects
to any random IP:port address and sends packets there. Regardless if the
remote side is responding or not.
This way you can easily eat up the remote side's bandwidth and/or data
volume limit. And there's nothing the remote side can do against it
except pulling the plug.

If someone is sending millions of registers trying to find an entry into
a phone server, the problem is related to asterisk.
But as soon as a firewall can block that, (or even as long as asterisk's
security is strong enough to not let them in), the issue is NOT related
to asterisk any more. From that moment on it is reduced to a bandwidth
eat-up problem and belongs to the area of network administration.

This moves into the direction of an academic discussion titled what can
I do if someone else eats up my bandwidth/data-volume-limit? 

My 2 cents..

BTW, the good news: had no attack here within the last 48 hours.
I implemented the iptables rules to drop packets from various address
ranges. But log them first. I'd like to see if the bot is continuing if
it doesn't get any responses or if it gives up. But no attack so far

Norbert



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-13 Thread Hans Witvliet
On Tue, 2010-04-13 at 09:47 +0100, Gordon Henderson wrote:
 On Tue, 13 Apr 2010, Alyed wrote:
 
  Think we need some solution WITHIN the Asterisk core. Roderick A. suggested
  something that looks nice using iptables, some others have pointed out using
  RBL or fail2ban, but the best would be to have some generic solution not
   dependent on third party programs.
 
 I'd strongly disagree with this. (And I was the OP of this thread and had 
 my home/office network connection taken down due to it)
 
 But then, I'm an old worldy Unix sysadmin and the philosophy of having a 
 program do one thing well is still etched into my core...
 
 http://en.wikipedia.org/wiki/Unix_philosophy
 
 So get asterisk to do what it does well, then get something else that does 
 what you need to do just as well - built-in to Linux are the iptables 
 firewall rules. Use them! They are very effective and do work. (And you 
 have a choice!)

I'll agree with you here.
Any additional security within * is fine, but if someone is simply
drowning your bandwidth, action must be taken at a lower level.
Otherwise you end up re-inventing the wheel for D.o.S. attacks for voip,
mail, ssh, ldap, http, rsync, (or any other service you might be
running)

So a proper job for ip(6)tables, imho



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-13 Thread Philipp von Klitzing
Hi!

 Any additional security within * is fine, but if someone is simply
 drowning your bandwidth, action must be taken at a lower level.
 Otherwise you end up re-inventing the wheel for D.o.S. attacks for voip,
 mail, ssh, ldap, http, rsync, (or any other service you might be running)

However, I *still* think Asterisk should provide a delayreject option 
in sip.conf to greatly slow down answering request avalanches. That will 
help to address the bandwidth issue if the attacker is configured to wait 
for a response before starting the next request.

Apart from that here are the most important messages: Use strong 
passwords in sip.conf, and use keys in iax.conf, and avoid usernames that 
can be guessed too easily (numbers from 100 to  and first names).

Philipp



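Philipp's checklist (strong secrets in sip.conf, no usernames that a scanner will guess first, such as short numeric extensions or first names) is the kind of thing worth checking mechanically before the next EC2 instance tries it for you. The script below is an added example written for this page, not Asterisk code or anything from the thread. It parses the subset of Asterisk config syntax needed for sip.conf ([section], key=value or key=>value, ';' comments, [name](template) inheritance with (!) marking a template) and flags peers whose username or secret would fall to a dictionary run. The length and entropy thresholds, the short first-name list and the sample configuration are assumptions constructed for the example.

```python
"""Audit sip.conf for weak secrets and guessable usernames.

Added example written for this thread, not Asterisk code.  It understands the
subset of Asterisk config syntax needed here ([section], key=value or key=>value,
';' comments, [name](template) inheritance with (!) marking a template).  The
length and entropy thresholds and the first-name list are assumptions.
"""
import math
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\](?:\((?P<tmpl>[^)]*)\))?$")
MIN_LEN, MIN_BITS = 12, 60                                 # assumed policy
FIRST_NAMES = {"john", "mary", "david", "sarah", "peter"}  # constructed, tiny


def parse_sip_conf(text):
    """Return ({section: {key: value}}, {template names})."""
    sections, templates, cur = {}, set(), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            cur = {}
            for t in (m["tmpl"] or "").split(","):
                t = t.strip()
                if t == "!":
                    templates.add(m["name"])
                elif t:
                    cur.update(sections.get(t, {}))  # inherit template keys
            sections[m["name"]] = cur
        elif cur is not None and "=" in line:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.lstrip(">").strip()
    return sections, templates


def secret_bits(secret):
    """Rough strength estimate: length * log2(size of character classes used)."""
    pool = 0
    if any(c.islower() for c in secret):
        pool += 26
    if any(c.isupper() for c in secret):
        pool += 26
    if any(c.isdigit() for c in secret):
        pool += 10
    if any(not c.isalnum() for c in secret):
        pool += 32
    return len(secret) * math.log2(pool) if pool else 0.0


def audit(sections, templates):
    """Yield (section, problem) for every peer/friend/user definition."""
    for name, cfg in sections.items():
        if name in templates or cfg.get("type") not in ("peer", "friend", "user"):
            continue
        user = cfg.get("defaultuser", cfg.get("username", name))
        if user.isdigit() and len(user) <= 4:
            yield name, "username is a short numeric extension, the first thing a scanner tries"
        if user.lower() in FIRST_NAMES:
            yield name, "username is a common first name"
        secret = cfg.get("secret", "")
        if not secret:
            yield name, "no secret set"
            continue
        if secret in (user, name):
            yield name, "secret equals username"
        if len(secret) < MIN_LEN:
            yield name, "secret shorter than %d characters" % MIN_LEN
        if secret_bits(secret) < MIN_BITS:
            yield name, "secret estimated below %d bits" % MIN_BITS


# Constructed sample sip.conf, not a real deployment.
SAMPLE_CONF = """\
[general]
context=default
allowguest=no           ; never let unauthenticated callers into the dialplan

[phone-tmpl](!)
type=friend
host=dynamic
context=internal

[100](phone-tmpl)
secret=100

[john](phone-tmpl)
secret => password1

[x7q2-desk](phone-tmpl)
secret=Gq8#vT2pLw9!zR4m
"""

if __name__ == "__main__":
    for section, problem in audit(*parse_sip_conf(SAMPLE_CONF)):
        print("%s: %s" % (section, problem))
```

Run against a real sip.conf, the same script flags the extensions that REGISTER scanners enumerate and the secrets they can brute-force from a word list; the entropy estimate is deliberately crude and errs toward flagging, which is what you want in an audit.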

Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-13 Thread Fred Posner
On Apr 13, 2010, at 8:04 AM, Hans Witvliet wrote:

 On Tue, 2010-04-13 at 09:47 +0100, Gordon Henderson wrote:
 On Tue, 13 Apr 2010, Alyed wrote:
 
 Think we need some solution WITHIN the Asterisk core. Roderick A. suggested
 something that looks nice using iptables, some others have pointed out using
 RBL or fail2ban, but the best would be to have some generic solution not
  dependent on third party programs.
 
 I'd strongly disagree with this. (And I was the OP of this thread and had 
 my home/office network connection taken down due to it)
 
 But then, I'm an old worldy Unix sysadmin and the philosophy of having a 
 program do one thing well is still etched into my core...
 
 http://en.wikipedia.org/wiki/Unix_philosophy
 
 So get asterisk to do what it does well, then get something else that does 
 what you need to do just as well - built-in to Linux are the iptables 
 firewall rules. Use them! They are very effective and do work. (And you 
 have a choice!)
 
 I'll agree with you here.
  Any additional security within * is fine, but if someone is simply
  drowning your bandwidth, action must be taken at a lower level.
  Otherwise you end up re-inventing the wheel for D.o.S. attacks for voip,
  mail, ssh, ldap, http, rsync, (or any other service you might be
  running)
 
 So a proper job for ip(6)tables, imho
 
 -- 

+1 for outside of asterisk. I want something that blocks it before it gets to 
the Asterisk processes. I've posted a little script on Team Forrest for how I'm 
blocking the traffic (using a quick perl script, iptables, and cron). The 
script is at http://bit.ly/cDHlLq

---fred
http://qxork.com




Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-13 Thread bruce bruce
Speaking of all these attacks, are there any good web managed security
monitor tools for CentOS out there that can be installed on the system so
that it can give us a visual of let's multiple failed attempts against SSH
or HTTPd?

Something nice that is simple and doesn't eat a lot of resources and spits out
everything on the screen?

Thanks,
Bruce

On Tue, Apr 13, 2010 at 9:51 AM, Fred Posner f...@teamforrest.com wrote:

 On Apr 13, 2010, at 8:04 AM, Hans Witvliet wrote:

  On Tue, 2010-04-13 at 09:47 +0100, Gordon Henderson wrote:
  On Tue, 13 Apr 2010, Alyed wrote:
 
  Think we need some solution WITHIN the Asterisk core. Roderick A.
 suggested
  something that looks nice using iptables, some others have pointed out
 using
  RBL or fail2ban, but the best would be to have some generic solution
 not
   dependent on third party programs.
 
  I'd strongly disagree with this. (And I was the OP of this thread and
 had
  my home/office network connection taken down due to it)
 
  But then, I'm an old worldy Unix sysadmin and the philosophy of having a
  program do one thing well is still etched into my core...
 
  http://en.wikipedia.org/wiki/Unix_philosophy
 
  So get asterisk to do what it does well, then get something else that
 does
  what you need to do just as well - built-in to Linux are the iptables
  firewall rules. Use them! They are very effective and do work. (And you
  have a choice!)
 
  I'll agree with you here.
   Any additional security within * is fine, but if someone is simply
   drowning your bandwidth, action must be taken at a lower level.
   Otherwise you end up re-inventing the wheel for D.o.S. attacks for voip,
   mail, ssh, ldap, http, rsync, (or any other service you might be
   running)
 
  So a proper job for ip(6)tables, imho
 
  --

 +1 for outside of asterisk. I want something that blocks it before it gets
 to the Asterisk processes. I've posted a little script on Team Forrest for
 how I'm blocking the traffic (using a quick perl script, iptables, and
 cron). The script is at http://bit.ly/cDHlLq

 ---fred
 http://qxork.com




Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-13 Thread Hans Witvliet
On Tue, 2010-04-13 at 15:49 +0200, Philipp von Klitzing wrote:
 Hi!
 
   Any additional security within * is fine, but if someone is simply
   drowning your bandwidth, action must be taken at a lower level.
   Otherwise you end up re-inventing the wheel for D.o.S. attacks for voip,
   mail, ssh, ldap, http, rsync, (or any other service you might be running)
 
 However, I *still* think Asterisk should provide a delayreject option 
  in sip.conf to greatly slow down answering request avalanches. That will 
 help to address the bandwidth issue if the attacker is configured to wait 
 for a response before starting the next request.
 
 Apart from that here are the most important messages: Use strong 
 passwords in sip.conf, and use keys in iax.conf, and avoid usernames that 
 can be guessed too easily (numbers from 100 to  and first names).
 

Agreed, best would be to only use ssl-certificates for authentication,
but not all parts involved support that, (to put it mildly...)

hw



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-13 Thread --[ UxBoD ]--
- Original Message -
 Speaking of all these attacks, are there any good web managed security
 monitor tools for CentOS out there that can be installed on the system
 so that it can give us a visual of let's multiple failed attempts
 against SSH or HTTPd?
 
 
  Something nice that is simple and doesn't eat a lot of resources and
  spits out everything on the screen?
 
 
 Thanks,
 Bruce

How about http://www.ossec.net which you could later integrate with 
http://www.splunk.com/.

-- 
Thanks - Phil



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-13 Thread bruce bruce
Cool. I am just looking over splunk. Isn't that enough on its own? or is
OSSEC needed to give it raw data? I think these two will take quite some
time to understand. Anything simpler out there as well?

Thanks,
Bruce

On Tue, Apr 13, 2010 at 10:42 AM, --[ UxBoD ]-- ux...@splatnix.net wrote:

 - Original Message -
  Speaking of all these attacks, are there any good web managed security
  monitor tools for CentOS out there that can be installed on the system
  so that it can give us a visual of let's multiple failed attempts
  against SSH or HTTPd?
 
 
   Something nice that is simple and doesn't eat a lot of resources and
   spits out everything on the screen?
 
 
  Thanks,
  Bruce

 How about http://www.ossec.net which you could later integrate with
 http://www.splunk.com/.

 --
 Thanks - Phil



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-13 Thread --[ UxBoD ]--
- Original Message -
  Cool. I am just looking over splunk. Isn't that enough on its own? or
 is OSSEC needed to give it raw data? I think these two will take quite
 some time to understand. Anything simpler out there as well?
 
 
 Thanks,
 Bruce
 
 
 On Tue, Apr 13, 2010 at 10:42 AM, --[ UxBoD ]--  ux...@splatnix.net 
 wrote:
 
 
 
 - Original Message -
  Speaking of all these attacks, are there any good web managed
  security monitor tools for CentOS out there that can be installed on
  the system
  so that it can give us a visual of let's multiple failed attempts
  against SSH or HTTPd?
 
 
   Something nice that is simple and doesn't eat a lot of resources and
   spits out everything on the screen?
 
 
  Thanks,
  Bruce
 
 How about http://www.ossec.net which you could later integrate with
 http://www.splunk.com/ .
 

OSSEC has a number of Asterisk rules already built in; including picking up 
failed SIP registrations.  It also has the feature called Active Response which 
when a user defined threshold of failed events happen it is able to 
automatically add an iptables/PF drop rule for the source IP.
-- 
Thanks, Phil


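Several posts above converge on the same mechanism: Fred's perl-plus-iptables-plus-cron script, Norbert's log-then-drop rules, and OSSEC's Active Response all count failed SIP registrations per source and push the offenders into the firewall, outside Asterisk, where Gordon and Hans want the blocking to happen. The script below is an added example written for this page showing that loop end to end; it is not Fred's script, OSSEC's rules, or Asterisk code. The log line format is assumed from chan_sip of the Asterisk 1.4/1.6 era (later releases append ':port' to the address, which the regex also accepts), the sample log is constructed, and the threshold, window and chain name are assumptions. The never_block list is the practical answer to Tzafrir's self-DoS worry: whatever the log says, your trunk provider is never firewalled.

```python
"""Turn Asterisk failed-registration log lines into log-then-drop iptables rules.

Added example written for this thread; it is not Fred's perl script, OSSEC's
active response, or any Asterisk code.  The log line format is assumed from
chan_sip of the Asterisk 1.4/1.6 era; later releases append ':port' to the
address, which the regex also accepts.  Thresholds and chain name are assumptions.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?' - (?P<why>.*)$"
)

# Constructed sample of /var/log/asterisk/messages (not real traffic).
SAMPLE_LOG = """\
[Apr 12 23:01:07] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@198.51.100.9>' failed for '198.51.100.9' - Wrong password
[Apr 12 23:01:08] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@198.51.100.9>' failed for '198.51.100.9' - No matching peer found
[Apr 12 23:01:09] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@198.51.100.9>' failed for '198.51.100.9' - No matching peer found
[Apr 12 23:01:10] NOTICE[2231] chan_sip.c: Registration from '"103" <sip:103@198.51.100.9>' failed for '198.51.100.9' - No matching peer found
[Apr 12 23:01:11] NOTICE[2231] chan_sip.c: Registration from '"104" <sip:104@198.51.100.9>' failed for '198.51.100.9:5060' - No matching peer found
[Apr 12 23:01:12] NOTICE[2231] chan_sip.c: Registration from '"105" <sip:105@198.51.100.9>' failed for '198.51.100.9:5060' - No matching peer found
[Apr 12 23:02:00] NOTICE[2231] chan_sip.c: Peer '200' is now Reachable. (12ms / 2000ms)
[Apr 12 23:05:00] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.7>' failed for '203.0.113.7' - Wrong password
[Apr 12 23:05:30] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.7>' failed for '203.0.113.7' - Wrong password
[Apr 12 23:10:00] NOTICE[2231] chan_sip.c: Registration from '"trunk" <sip:trunk@192.0.2.10>' failed for '192.0.2.10' - Wrong password
[Apr 12 23:10:01] NOTICE[2231] chan_sip.c: Registration from '"trunk" <sip:trunk@192.0.2.10>' failed for '192.0.2.10' - Wrong password
[Apr 12 23:10:02] NOTICE[2231] chan_sip.c: Registration from '"trunk" <sip:trunk@192.0.2.10>' failed for '192.0.2.10' - Wrong password
[Apr 12 23:10:03] NOTICE[2231] chan_sip.c: Registration from '"trunk" <sip:trunk@192.0.2.10>' failed for '192.0.2.10' - Wrong password
[Apr 12 23:10:04] NOTICE[2231] chan_sip.c: Registration from '"trunk" <sip:trunk@192.0.2.10>' failed for '192.0.2.10' - Wrong password
[Apr 12 23:10:05] NOTICE[2231] chan_sip.c: Registration from '"trunk" <sip:trunk@192.0.2.10>' failed for '192.0.2.10' - Wrong password
"""


def parse_failures(lines, year=2010):
    """Yield (timestamp, source_ip, reason) for each failed-registration line.
    Asterisk's log stamps carry no year, so the caller supplies one."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["why"]


def offenders(events, threshold=5, window_s=60, never_block=()):
    """Return sources with >= threshold failures inside any window_s-second span.

    never_block holds addresses or CIDR ranges (your trunks, your own phones)
    that are skipped no matter what the log says: a spoofed or misattributed
    source must never cost you your provider.
    """
    safe = [ipaddress.ip_network(n) for n in never_block]
    recent = defaultdict(deque)
    hits = set()
    for ts, ip, _reason in sorted(events):
        if any(ipaddress.ip_address(ip) in net for net in safe):
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()                      # slide the window forward
        if len(window) >= threshold:
            hits.add(ip)
    return sorted(hits)


def iptables_rules(ips, chain="SIPBLOCK", port=5060):
    """Shell commands for a dedicated chain: log (rate-limited) first, then drop.

    Re-running flushes and refills the chain, so a cron job that feeds it the
    last hour of log gives you automatic expiry of old blocks.  The -C check
    needs iptables >= 1.4.11 and keeps the INPUT jump from being added twice.
    """
    rules = [
        "iptables -N %s 2>/dev/null || iptables -F %s" % (chain, chain),
        "iptables -C INPUT -p udp --dport %d -j %s 2>/dev/null || "
        "iptables -I INPUT -p udp --dport %d -j %s" % (port, chain, port, chain),
    ]
    for ip in ips:
        rules.append('iptables -A %s -s %s -m limit --limit 5/min -j LOG --log-prefix "%s "'
                     % (chain, ip, chain))
        rules.append("iptables -A %s -s %s -j DROP" % (chain, ip))
    return rules


if __name__ == "__main__":
    events = list(parse_failures(SAMPLE_LOG.splitlines()))
    bad = offenders(events, never_block=["192.0.2.0/24"])   # 192.0.2.0/24 = our trunk provider
    print("\n".join(iptables_rules(bad)))
```

Pipe the output into sh from cron, or feed the same offender list into OSSEC's active response if you already run it. The sample deliberately includes a misbehaving trunk in 192.0.2.0/24 that would otherwise trip the threshold; that is the case where a blocking script turns an attacker's noise into your own outage, and the never_block list is what prevents it.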

Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-13 Thread Tzafrir Cohen
On Tue, Apr 13, 2010 at 04:32:58PM +0200, Hans Witvliet wrote:
 On Tue, 2010-04-13 at 15:49 +0200, Philipp von Klitzing wrote:
  Hi!
  
    Any additional security within * is fine, but if someone is simply
    drowning your bandwidth, action must be taken at a lower level.
    Otherwise you end up re-inventing the wheel for D.o.S. attacks for voip,
    mail, ssh, ldap, http, rsync, (or any other service you might be running)
  
  However, I *still* think Asterisk should provide a delayreject option 
   in sip.conf to greatly slow down answering request avalanches. That will 
  help to address the bandwidth issue if the attacker is configured to wait 
  for a response before starting the next request.
  
  Apart from that here are the most important messages: Use strong 
  passwords in sip.conf, and use keys in iax.conf, and avoid usernames that 
  can be guessed too easily (numbers from 100 to  and first names).
  
 
 Agreed, best would be to only use ssl-certificates for authentication,
 but not all parts involved support that, (to put it mildly...)

Secure authentication won't solve the problem of attackers flooding your
pipe. Especially not if you have ADSL or similar connection.

-- 
   Tzafrir Cohen
icq#16849755  jabber:tzafrir.co...@xorcom.com
+972-50-7952406   mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com  iax:gu...@local.xorcom.com/tzafrir



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-13 Thread Steve Murphy
Hmmm. It would seem that it would be to Amazon's advantage to jump on this
problem, because the accounts that are performing this activity are most
likely purchased with stolen identities, and sooner or later the charges are
going to get reversed. Either the credit card companies are going to absorb
the cost, or the merchants (like Amazon) at the other end. And, after
listening to merchants grumble about it, I'd assume that in the end, Amazon
is going to get stiffed for the bill. On someone else's credit card, I'd
imagine they have almost infinite resources; Bandwidth to burn, the best and
most powerful hosts. So what if they rack up thousands of dollars? They are
probably organized crime units in Romania or whatever.

murf


On Tue, Apr 13, 2010 at 11:21 AM, Tzafrir Cohen tzafrir.co...@xorcom.comwrote:

 On Tue, Apr 13, 2010 at 04:32:58PM +0200, Hans Witvliet wrote:
  On Tue, 2010-04-13 at 15:49 +0200, Philipp von Klitzing wrote:
   Hi!
  
     Any additional security within * is fine, but if someone is simply
     drowning your bandwidth, action must be taken at a lower level.
     Otherwise you end up re-inventing the wheel for D.o.S. attacks for
  voip,
     mail, ssh, ldap, http, rsync, (or any other service you might be
  running)
  
   However, I *still* think Asterisk should provide a delayreject option
    in sip.conf to greatly slow down answering request avalanches. That
 will
   help to address the bandwidth issue if the attacker is configured to
 wait
   for a response before starting the next request.
  
   Apart from that here are the most important messages: Use strong
   passwords in sip.conf, and use keys in iax.conf, and avoid usernames
 that
   can be guessed too easily (numbers from 100 to  and first names).
  
 
  Agreed, best would be to only use ssl-certificates for authentication,
  but not all parts involved support that, (to put it mildly...)

  Secure authentication won't solve the problem of attackers flooding your
 pipe. Especially not if you have ADSL or similar connection.

 --
   Tzafrir Cohen
  icq#16849755  jabber:tzafrir.co...@xorcom.com
 +972-50-7952406   mailto:tzafrir.co...@xorcom.com
 http://www.xorcom.com  iax:gu...@local.xorcom.com/tzafrir





-- 
Steve Murphy
ParseTree Corp

Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-13 Thread Randy R
On Tue, Apr 13, 2010 at 8:25 PM, Steve Murphy m...@parsetree.com wrote:
 Hmmm. It would seem that it would be to Amazon's advantage to jump on this
 problem,

I am pushing for this, please everyone who is suffering from this
problem, submit it or write to complain to Amazon and post the message
publicly wherever you can in a civilized, even lucid message to them.
If you do it they will take notice. They need to see this as a problem
in their space and take reasonable steps to either make it harder to
abuse their service and/or easier to report the abuse, which they must
then act upon.  The thread here is an interesting discussion, but it
can't compare to actual action they might take if your complaints
reach them. They will need to act, but only if you force them to take
notice.

I believe Amazon has a chance to distinguish themselves from ISP who
allow spammers to do mass mailings without any real challenge. They
will act if you continue putting the message out there.

/r



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-13 Thread Fred Posner
On Apr 13, 2010, at 4:22 PM, Randy R wrote:

> On Tue, Apr 13, 2010 at 8:25 PM, Steve Murphy m...@parsetree.com wrote:
>> Hmmm. It would seem that it would be to Amazon's advantage to jump on this
>> problem,
>
> I am pushing for this, please everyone who is suffering from this
> problem, submit it or write to complain to Amazon and post the message
> publicly wherever you can in a civilized, even lucid message to them.
> If you do it they will take notice. They need to see this as a problem
> in their space and take reasonable steps to either make it harder to
> abuse their service and/or easier to report the abuse, which they must
> then act upon.  The thread here is an interesting discussion, but it
> can't compare to actual action they might take if your complaints
> reach them. They will need to act, but only if you force them to take
> notice.
>
> I believe Amazon has a chance to distinguish themselves from ISPs who
> allow spammers to do mass mailings without any real challenge. They
> will act if you continue putting the message out there.
>
> /r

The only person I've gotten to respond to me is Kay Kinton from Amazon's Public 
Relations. Although she responded, she will not take a phone call or discuss 
the issue over the phone. She gave me two statements so far, which I will be 
posting on VoIPTechChat.com (one's there already).

Statement 1:

Hello Fred and thank you for contacting us.  Over the weekend, we received a 
report of a suspicious account and began an investigation.  Our normal process 
is to connect the two involved parties to give them an opportunity to talk in 
case the abuse is not malicious but is simply heavy traffic from a legitimate 
customer.  If that is not successful, we then move to isolate the traffic from 
the abusing party.  Normally this process works quite well for situations our 
customers have encountered, however this incident has highlighted the need for 
an escalation process to address potentially malicious attacks more quickly. 
Additionally, we are working on quickly putting better protections and 
processes in place to better guard against unwanted SIP traffic.  We take the 
security of our customers and our quality of service very seriously, and will  
continue to work to improve our processes and services for customers.

/end statement 1

This was of course while attacks were continuing, so I asked for a 
discussion and sent her several questions when she told me "what else can I 
tell you".

Today I received statement 2:

Hello Fred. We believe that we've identified and shut down the illegal activity 
and are closing the loop with customers.  We'd certainly be interested in 
hearing of the cases you refer to below so we can follow up.

/end statement 2.

So.. since she's interested... please let her know how they did not respond to 
your complaints, the attacks, and well, any of the concerns you have to which 
she should follow up:

Kay Kinton
kin...@amazon.com
Public Relations Manager
Amazon Web Services
Phone:  206-266-8387

---fred
http://qxork.com




Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-12 Thread Fred Posner

On Apr 12, 2010, at 9:12 AM, --[ UxBoD ]-- wrote:

 
 
> Perhaps if there was an Asterisk RBL we could all contribute to; for which we 
> could then hook into and drop any connection where a source IP is listed ?
> -- 
> Thanks, Phil

I love the idea of an RBL... count me in for contributing.

Especially considering the ridiculous response I received from Amazon. 
(Basically told me to submit host, destination, port, proto, and log... which 
of course was already included in the original complaint)

---fred
http://qxork.com




Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-12 Thread --[ UxBoD ]--
- Original Message -
> On 11.04.2010 17:05, Mark Smith wrote:
>> Same this end from 184.73.17.150.
>> Use this little piece of iptables magic to block the whole of
>> Amazon's EC2 ip-range.
>>
>> # note: -F first flushes every rule already present in the filter table
>> iptables -F
>> iptables -A INPUT -m iprange --src-range 216.182.224.0-216.182.239.255 -j DROP
>> iptables -A INPUT -m iprange --src-range 72.44.32.0-72.44.63.255 -j DROP
>> iptables -A INPUT -m iprange --src-range 67.202.0.0-67.202.63.255 -j DROP
>> iptables -A INPUT -m iprange --src-range 75.101.128.0-75.101.255.255 -j DROP
>> iptables -A INPUT -m iprange --src-range 174.129.0.0-174.129.255.255 -j DROP
>> iptables -A INPUT -m iprange --src-range 204.236.192.0-204.236.255.255 -j DROP
>> iptables -A INPUT -m iprange --src-range 184.73.0.0-184.73.255.255 -j DROP
>> iptables -A INPUT -m iprange --src-range 216.236.128.0-216.236.191.255 -j DROP
>> iptables -A INPUT -m iprange --src-range 184.72.0.0-184.72.63.255 -j DROP
>> iptables -A INPUT -m iprange --src-range 79.125.0.0-79.125.127.255 -j DROP
>> service iptables save
>>
>> This sorts it out in the short-term until Amazon realise their
>> service is being utilised by arseholes.
>
> Hi Mark!
>
> your little iptables magic is a very good idea! Implementation took
> 1 minute :-)
> I'll use it until a better idea comes up ... (which I don't expect
> within a short term)
>
> Thank you!
>
> Norbert
>

Perhaps if there was an Asterisk RBL we could all contribute to; for which we 
could then hook into and drop any connection where a source IP is listed ?
-- 
Thanks, Phil



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-12 Thread Zeeshan Zakaria
I got the same generic response, asking me to submit the same info which I
had already submitted. This clearly shows they are not interested in tracing
just another hacker on their cloud.

Zeeshan A Zakaria

--
Sent from my Android phone with K-9 Mail.

On 2010-04-12 9:24 AM, Fred Posner f...@teamforrest.com wrote:

> On Apr 12, 2010, at 9:12 AM, --[ UxBoD ]-- wrote:
>
>> Perhaps if there was a Asterisk RBL we ...
>
> I love the idea of a RBL... count me in for contributing.
>
> Especially considering the ridiculous response I received from Amazon.
> (Basically told me to submit host, destination, port, proto, and log...
> which of course was already included in the original complaint)
>
> ---fred
> http://qxork.com




Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-12 Thread Zeeshan Zakaria
If RBL or something is practical, I'm in too. But at what level will these
hackers be blocked? Unless some big ISPs cooperate, it is not much of
use.

Zeeshan A Zakaria

--
Sent from my Android phone with K-9 Mail.

On 2010-04-12 9:24 AM, Fred Posner f...@teamforrest.com wrote:

> On Apr 12, 2010, at 9:12 AM, --[ UxBoD ]-- wrote:
>
>> Perhaps if there was a Asterisk RBL we ...
>
> I love the idea of a RBL... count me in for contributing.
>
> Especially considering the ridiculous response I received from Amazon.
> (Basically told me to submit host, destination, port, proto, and log...
> which of course was already included in the original complaint)
>
> ---fred
> http://qxork.com




Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-12 Thread Chris Owen
On Apr 12, 2010, at 8:17 AM, Fred Posner wrote:

> On Apr 12, 2010, at 9:12 AM, --[ UxBoD ]-- wrote:
>
>> Perhaps if there was a Asterisk RBL we could all contribute to; for which we 
>> could then hook into and drop any connection where a source IP is listed ?
>> -- 
>> Thanks, Phil
>
> I love the idea of a RBL... count me in for contributing.

I would contribute to this as well.

Chris

-
Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
President  - Wichita (316) 858-3000 -A stupidity tax
Hubris Communications Inc  www.hubris.net
-







Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-12 Thread Randy R
On Mon, Apr 12, 2010 at 3:52 PM, Zeeshan Zakaria zisha...@gmail.com wrote:
> If RBL or something is practical, I'm in too. But at what level these
> hackers will be blocked? Unless some big ISPs cooprate, it is not much of
> use.

I've been following this with much interest. I don't see RBL (which I
use extensively for email) as doing much. Some activity on Twitter
already. Perhaps a hashtag #EC2exploit or something better is needed?

Harness the famous power of social media.

Start making it clear, in a concise, specific and polite/civil way
that Amazon needs to do something about this. They need to put in
place a fast reporting system, one that can take the IP, timestamp and
the nature of the complaint and have someone investigate the activity
quickly. This can turn into a telephony botnet if they don't get their
s**t together.

The effect of proper action against the abuse goes further than just
preventing individual attacks, it can help stop criminal networks
from growing up.

Use your own publishing power to state your case out there:

Your blog, Linkedin, Facebook, Twitter, Google Buzz, emails, whatever
weapons you have at hand to send Amazon a message. I'm a longtime
Amazon customer for all their products including S3 and Cloudburst, I
will write them about what I think. I suggest you all do the same.

/r



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-12 Thread Danny Nicholas
This thread needs to go into a RBL - guess I'm being part of the problem,
not the solution...

-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Chris Owen
Sent: Monday, April 12, 2010 9:04 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Being attacked by an Amazon EC2 ...

On Apr 12, 2010, at 8:17 AM, Fred Posner wrote:

> On Apr 12, 2010, at 9:12 AM, --[ UxBoD ]-- wrote:
>
>> Perhaps if there was a Asterisk RBL we could all contribute to; for which
>> we could then hook into and drop any connection where a source IP is listed ?
>> -- 
>> Thanks, Phil
>
> I love the idea of a RBL... count me in for contributing.

I would contribute to this as well.

Chris

-
Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
President  - Wichita (316) 858-3000 -A stupidity tax
Hubris Communications Inc  www.hubris.net
-







Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-12 Thread Tom Stordy-Allison
Good article - might solve our problems for now: 
http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood

He got the bots to stop by writing a ruby script that responds back to them 
with a SIP 200 OK. 

I'm going to give it a go when I'm back home...

Cheers,

Tom
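The approach in the linked article, answering the flood with a SIP 200 OK so the bot believes it has succeeded and moves on, only works if the reply is one the sender will correlate with its request. The block below is an added example, not the Ruby script from the article and not code from this thread: it parses a constructed SUBSCRIBE request (documentation addresses, nothing captured from a live host) and builds a 200 OK following RFC 3261 section 8.2.6.2, copying Via, From, Call-ID and CSeq verbatim and adding a tag to To when the request carries none. The function and variable names (`parse_request`, `build_200_ok`, `header_values`, `SAMPLE_REQUEST`) are my own.

```python
import re
import secrets

# Constructed SUBSCRIBE in the shape of the floods this thread describes;
# documentation addresses only, nothing captured from a live host.
SAMPLE_REQUEST = (
    "SUBSCRIBE sip:1001@198.51.100.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-77d4;rport\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:1001@198.51.100.20>;tag=5a1b\r\n"
    "To: <sip:1001@198.51.100.20>\r\n"
    "Call-ID: 9f2c3d@203.0.113.7\r\n"
    "CSeq: 1 SUBSCRIBE\r\n"
    "Event: message-summary\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")


def parse_request(raw):
    """Split a SIP request into method, URI and an ordered header list.
    Headers stay in order because Via may repeat and must be echoed back
    in the same order it arrived."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("not a SIP request line: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return {"method": m.group(1), "uri": m.group(2),
            "headers": headers, "body": body}


def header_values(headers, name):
    """All values of one header, in arrival order."""
    return [v for n, v in headers if n == name]


def build_200_ok(request, to_tag=None):
    """Build the 200 OK a sink would send back. Via, From, Call-ID and CSeq
    are copied from the request; To gets a tag if it had none; the body is
    empty so Content-Length is zero."""
    h = request["headers"]
    for required in ("via", "from", "to", "call-id", "cseq"):
        if not header_values(h, required):
            raise ValueError("request lacks %s header" % required)
    to = header_values(h, "to")[0]
    if ";tag=" not in to.lower():
        to = "%s;tag=%s" % (to, to_tag or secrets.token_hex(4))
    lines = ["SIP/2.0 200 OK"]
    lines += ["Via: " + v for v in header_values(h, "via")]
    lines.append("From: " + header_values(h, "from")[0])
    lines.append("To: " + to)
    lines.append("Call-ID: " + header_values(h, "call-id")[0])
    lines.append("CSeq: " + header_values(h, "cseq")[0])
    expires = header_values(h, "expires")
    if expires:  # echo the lifetime the sender asked for
        lines.append("Expires: " + expires[0])
    lines.append("Content-Length: 0")
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    print(build_200_ok(parse_request(SAMPLE_REQUEST), to_tag="a1b2c3d4"))
```

Nothing here touches the network: a responder would bind a UDP socket, run each datagram through `parse_request` and send the result back to the datagram's source. When the traffic reaches that responder through a nat REDIRECT away from port 5060, conntrack reverses the translation on the reply, so the sender sees it come from the port it targeted. Because every request is answered with success, such a sink must never sit in the path of legitimate peers.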



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-12 Thread Steve Howes

On 12 Apr 2010, at 17:30, Tom Stordy-Allison wrote:

> Good article - might solve our problems for now: 
> http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood
>
> He got the bots to stop by writing a ruby script that responds back to them 
> with a SIP 200 OK. 
>
> I'm going give it a go when I'm back home...

Send a 'moved temporarily' SIP message and redirect it back to them? ;)

S


Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-12 Thread Darrick Hartman
On 04/12/2010 08:17 AM, Fred Posner wrote:

> On Apr 12, 2010, at 9:12 AM, --[ UxBoD ]-- wrote:
>
>> Perhaps if there was a Asterisk RBL we could all contribute to; for
>> which we could then hook into and drop any connection where a
>> source IP is listed ? -- Thanks, Phil
>
> I love the idea of a RBL... count me in for contributing.
>
> Especially considering the ridiculous response I received from
> Amazon. (Basically told me to submit host, destination, port, proto,
> and log... which of course was already included in the original
> complaint)

I don't think anyone else brought up the Spamhaus DROP project.  It's a 
blacklist of IP addresses and address ranges which are known to ONLY be 
used for malicious purposes.

http://www.spamhaus.org/drop/

We could establish something similar to that for VOIP attacks.  It may 
not be exactly a trivial system to maintain such a list (removing IPs 
after X amount of time, disputing false claims etc).  Maybe someone 
could contact Spamhaus to create a list for VOIP since they seem to have 
a nice system in place?

Darrick
-- 
Darrick Hartman
DJH Solutions, LLC
http://www.djhsolutions.com
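Mark's hand-typed `--src-range` rules earlier in the thread and the Spamhaus DROP idea here are both address blocklists, so one small tool can consume both. What follows is an added example, not code from this thread and not Spamhaus's software: it converts the EC2 ranges quoted above into CIDR prefixes with Python's ipaddress module, parses a few constructed lines in the DROP text layout (one CIDR per line, `;` starts a comment), collapses everything into one list, and checks the two source addresses reported in the thread against it. The iptables commands are only rendered as strings, never executed; the sample DROP entries, their reference tags and all function names are mine.

```python
import ipaddress

# The EC2 ranges Mark posted earlier in this thread, as first-last pairs.
EC2_RANGES = [
    ("216.182.224.0", "216.182.239.255"),
    ("72.44.32.0", "72.44.63.255"),
    ("67.202.0.0", "67.202.63.255"),
    ("75.101.128.0", "75.101.255.255"),
    ("174.129.0.0", "174.129.255.255"),
    ("204.236.192.0", "204.236.255.255"),
    ("184.73.0.0", "184.73.255.255"),
    ("216.236.128.0", "216.236.191.255"),
    ("184.72.0.0", "184.72.63.255"),
    ("79.125.0.0", "79.125.127.255"),
]

# Constructed sample in the layout of a DROP-style text feed: one CIDR per
# line, everything after ';' is a comment. Prefixes are documentation ranges
# and the reference tags are invented for this example.
DROP_SAMPLE = """\
; constructed DROP-style list, not a real feed
192.0.2.0/24 ; EXAMPLE-1
198.51.100.0/25 ; EXAMPLE-2
"""


def ranges_to_networks(ranges):
    """Turn first-last pairs into the minimal list of CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def parse_drop_list(text):
    """Parse DROP-layout text. A malformed line raises instead of being
    skipped, so a corrupted feed cannot silently shrink the blocklist."""
    nets = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=True))
    return nets


def build_blocklist(*sources):
    """Merge several network lists and collapse overlapping or adjacent
    prefixes into the smallest equivalent set."""
    return list(ipaddress.collapse_addresses(
        [net for src in sources for net in src]))


def find_match(blocklist, ip):
    """Return the listed network containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in blocklist:
        if addr in net:
            return net
    return None


def iptables_rules(blocklist, chain="INPUT"):
    """Render one DROP rule per prefix; -s accepts CIDR directly, so the
    iprange match is not needed."""
    return ["iptables -A %s -s %s -j DROP" % (chain, net) for net in blocklist]


if __name__ == "__main__":
    blocklist = build_blocklist(ranges_to_networks(EC2_RANGES),
                                parse_drop_list(DROP_SAMPLE))
    for ip in ("184.73.17.150", "184.73.17.122", "203.0.113.9"):
        print(ip, "->", find_match(blocklist, ip))
    print("\n".join(iptables_rules(blocklist)))
```

Blocking whole provider ranges stops this flood but also every legitimate peer hosted in those ranges, which is why the thread keeps coming back to a list that names only attacking addresses; the same `find_match` check works unchanged against such a narrower list.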



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-12 Thread Randy R
On Mon, Apr 12, 2010 at 6:51 PM, Darrick Hartman
dhart...@djhsolutions.com wrote:
> I don't think anyone else brought up the Spamhaus DROP project.  It's a
> blacklist of IP addresses and address ranges which are known to ONLY be
> used for malicious purposes.
>
> http://www.spamhaus.org/drop/


Because this is in Amazon's interest, THEY should set up a way to
report these. Once you detect (in a script) that this is in their
range, a redirect would feed their own log with all the data they'd
need to proceed. This would work well, especially if they made you
register your calling IP to them, or authenticate. That way your
server and IP is on record and the report authenticated. Isn't this
reasonable?

/r



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-12 Thread Fred Posner
On Apr 12, 2010, at 1:05 PM, Randy R wrote:

> On Mon, Apr 12, 2010 at 6:51 PM, Darrick Hartman
> dhart...@djhsolutions.com wrote:
>> I don't think anyone else brought up the Spamhaus DROP project.  It's a
>> blacklist of IP addresses and address ranges which are known to ONLY be
>> used for malicious purposes.
>>
>> http://www.spamhaus.org/drop/
>
> Because this is in Amazon's interest, THEY should set up a way to
> report these. Once you detect (in a script) that this is in their
> range, a redirect would feed their own log with all the data they'd
> need to proceed. This would work well, especially if they made you
> register your calling IP to them, or authenticate. That way your
> server and IP is on record and the report authenticated. Isn't this
> reasonable?
>
> /r

I have ZERO trust in Amazon at the moment. Their AWS form to report abuse 
fails. And despite all of our complaints, attacks continue.

I do like the idea of using something that's third party and then it's up to 
amazon to police itself to keep off of that list... just like every other 
ISP/IPP/NOC.

---fred
http://qxork.com




Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-12 Thread Darrick Hartman
On 04/12/2010 12:05 PM, Randy R wrote:
> On Mon, Apr 12, 2010 at 6:51 PM, Darrick Hartman
> dhart...@djhsolutions.com  wrote:
>> I don't think anyone else brought up the Spamhaus DROP project.  It's a
>> blacklist of IP addresses and address ranges which are known to ONLY be
>> used for malicious purposes.
>>
>> http://www.spamhaus.org/drop/
>
> Because this is in Amazon's interest, THEY should set up a way to
> report these. Once you detect (in a script) that this is in their
> range, a redirect would feed their own log with all the data they'd
> need to proceed. This would work well, especially if they made you
> register your calling IP to them, or authenticate. That way your
> server and IP is on record and the report authenticated. Isn't this
> reasonable?

Randy,

That only addresses EC2 (and assumes that Amazon has any interest in 
protecting their reputation).  What about attacks that come from other 
locations?  Granted it's pretty easy to buy time on an EC2 server so 
this may be the primary source for a period of time.

Darrick
-- 
Darrick Hartman
DJH Solutions, LLC
http://www.djhsolutions.com



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-12 Thread --[ UxBoD ]--
- Original Message -
> On 04/12/2010 12:05 PM, Randy R wrote:
>> On Mon, Apr 12, 2010 at 6:51 PM, Darrick Hartman
>> dhart...@djhsolutions.com wrote:
>>> I don't think anyone else brought up the Spamhaus DROP project.
>>> It's a blacklist of IP addresses and address ranges which are known to
>>> ONLY be used for malicious purposes.
>>>
>>> http://www.spamhaus.org/drop/
>>
>> Because this is in Amazon's interest, THEY should set up a way to
>> report these. Once you detect (in a script) that this is in their
>> range, a redirect would feed their own log with all the data they'd
>> need to proceed. This would work well, especially if they made you
>> register your calling IP to them, or authenticate. That way your
>> server and IP is on record and the report authenticated. Isn't this
>> reasonable?
>
> Randy,
>
> That only addresses EC2 (and assumes that Amazon has any interest in
> protecting their reputation). What about attacks that come from other
> locations? Granted it's pretty easy to buy time on an EC2 server so
> this may be the primary source for a period of time.
>
> Darrick
> -- 
> Darrick Hartman
> DJH Solutions, LLC
> http://www.djhsolutions.com
>

Hence something like an RBL.  I know the OP was concerned about the 
bandwidth but TBH that is no different than rejecting rogue NetBIOS traffic 
that hits your router.  It will still take away from your bandwidth cap.
-- 
Thanks, Phil



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-12 Thread Roderick A. Anderson
Darrick Hartman wrote:
> On 04/12/2010 12:05 PM, Randy R wrote:
>> On Mon, Apr 12, 2010 at 6:51 PM, Darrick Hartman
>> dhart...@djhsolutions.com  wrote:

<snip />

> Randy,
>
> That only addresses EC2 (and assumes that Amazon has any interest in 
> protecting their reputation).  What about attacks that come from other 
> locations?  Granted it's pretty easy to buy time on an EC2 server so 
> this may be the primary source for a period of time.

What is a reasonable number of connection attempts per minute?

I have an iptables rule set I use against SSH floods (script kiddies) 
that I think could be adapted to work with the method shown at:

http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood

My settings allow up to 4 connection attempts per minute and if exceeded 
the connection gets dropped. There is a whitelist setting that allows 
IPs or ranges to get past this.  (I need this for Linux-Vserver guests 
as I may connect to more than 4 in a one minute period.)

This rule set doesn't need to know where the connection came from. 
If it tries over four in a minute, it gets dropped.

I run Asterisk for my _very_ small business and provide some support for 
another small business.  Neither of us has experienced these floods so I 
don't know what a reasonable number of connection attempts per minute 
(per second?) would be.

Anyway here are the -- untested -- iptables rules:

-N SIPREG_WL
# whitelisted host: forget its entry in the SIPREG list and accept it
-A SIPREG_WL -s 192.168.0.88 -m recent --remove --name SIPREG -j ACCEPT
# record every new inbound UDP/5060 packet against its source address
-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --set --name SIPREG
-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -j SIPREG_WL
# fourth hit from one address within 60 seconds: hand it to the responder on 5061.
# REDIRECT is a nat-table target (PREROUTING/OUTPUT only), so as written this
# last rule is rejected in the filter table's RH-Firewall-1-INPUT chain and
# would have to be placed under -t nat instead.
-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SIPREG -j REDIRECT --to-port 5061


\\||/
Rod
-- 
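To see what the `recent` rules above actually do to a stream of packets, here is a small model of them in Python. It is an added example, not Rod's rule set and not netfilter code: it assumes the xt_recent behaviour that `--set` records the current packet before the `--update --seconds 60 --hitcount 4` rule counts hits, so the fourth new packet from one address inside a minute is the first one redirected, and that `--remove` on the whitelist chain forgets the address entirely. The traffic, addresses, threshold constants and verdict labels are constructed for the example.

```python
from collections import defaultdict

WINDOW_SECONDS = 60            # --seconds 60
HITCOUNT = 4                   # --hitcount 4
WHITELIST = {"192.168.0.88"}   # the -s address on the SIPREG_WL chain above


class RecentList:
    """Model of one named xt_recent list: per-address packet timestamps.
    (Assumption for this example; the real module also caps how many
    stamps it keeps per address.)"""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, ip, now):
        # --set: record the current packet against its source address
        self.stamps[ip].append(now)

    def remove(self, ip):
        # --remove: drop the address from the list entirely
        self.stamps.pop(ip, None)

    def update(self, ip, now, seconds, hitcount):
        # --update --seconds N --hitcount M: match when at least M recorded
        # packets (the current one included) fall inside the last N seconds
        if ip not in self.stamps:
            return False
        in_window = [t for t in self.stamps[ip] if now - t <= seconds]
        return len(in_window) >= hitcount


def classify(events):
    """Walk NEW UDP/5060 packets, given as (timestamp_seconds, source_ip),
    through the three rules. Returns (ts, ip, verdict) per packet: ACCEPT
    means it continues to whatever rules follow, REDIRECT means it would be
    handed to the responder on port 5061."""
    recent = RecentList()
    verdicts = []
    for ts, ip in sorted(events, key=lambda e: e[0]):
        recent.set(ip, ts)                  # rule: -m recent --set
        if ip in WHITELIST:                 # rule: -j SIPREG_WL
            recent.remove(ip)
            verdicts.append((ts, ip, "ACCEPT"))
            continue
        if recent.update(ip, ts, WINDOW_SECONDS, HITCOUNT):
            verdicts.append((ts, ip, "REDIRECT"))   # rule: --update ... -j REDIRECT
        else:
            verdicts.append((ts, ip, "ACCEPT"))
    return verdicts


def summarize(verdicts):
    """Count verdicts per source address."""
    counts = defaultdict(lambda: {"ACCEPT": 0, "REDIRECT": 0})
    for _, ip, verdict in verdicts:
        counts[ip][verdict] += 1
    return dict(counts)


# Constructed traffic (documentation addresses): a flooder sending ten packets
# in five seconds, a phone re-registering once a minute, and the whitelisted
# host sending twenty packets in two seconds.
SAMPLE_EVENTS = (
    [(0.5 * i, "203.0.113.7") for i in range(10)]
    + [(60.0 * i, "198.51.100.20") for i in range(5)]
    + [(0.1 * i, "192.168.0.88") for i in range(20)]
)

if __name__ == "__main__":
    for ip, counts in summarize(classify(SAMPLE_EVENTS)).items():
        print(ip, counts)
```

Two things the model makes visible: a phone that re-registers once a minute never has more than two stamps inside the window, so a four-per-minute threshold leaves headroom for normal traffic, and with these hitcount semantics "up to 4" really means three accepted attempts before the fourth is redirected. What the model does not capture is conntrack: every packet above is treated as NEW, whereas on a real box later packets of a UDP flood from one source address and port may be classified ESTABLISHED once the PBX has answered, so a rule set keyed on `--state NEW` may see fewer hits than this.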



Re: [asterisk-users] Being attacked by an Amazon EC2

2010-04-12 Thread JR Richardson
> Perhaps if there was a Asterisk RBL we could all contribute to; for
> which we could then hook into and drop any connection where a
> source IP is listed ? -- Thanks, Phil
>
> I love the idea of a RBL... count me in for contributing.
>
> Especially considering the ridiculous response I received from
> Amazon. (Basically told me to submit host, destination, port, proto,
> and log... which of course was already included in the original
> complaint)
>
> I don't think anyone else brought up the Spamhaus DROP project.  It's a
> blacklist of IP addresses and address ranges which are known to ONLY be
> used for malicious purposes.
>
> http://www.spamhaus.org/drop/
>
> We could establish something similar to that for VOIP attacks.  It may
> not be exactly a trivial system to maintain such a list. (removing IP's
> after X amount of time, disputing false claims etc).  Maybe someone
> could contact spamhaus to create a list for VOIP since they seem to have
> a nice system in place?

Hi All, good discussion, similar to ones we had a year or so ago.  The
RBL concept is valid, at least to get a repository going that lists
malicious activity specific to SIP attacks.

I worked with Project Honeypot guys for a while, they are more than
willing to assist, as they already have the backend work done for a
clearing house identifying hackers.  The biggest issue we had a year
ago was to create the mechanism in asterisk to push valid log messages
out to the database and then determine what to do with that data?

I tried to bridge the gap between a few Asterisk developers and the
Honeypot developers, ultimately the project stalled and I got busy
with other matters.  If anyone here would like to pick up the torch
and move this along, I can certainly provide info on how far along we
got and contact info for the parties involved.

Please contact me if you have time to work on this and are interested.
 I'm sure the Project Honeypot guys will be willing to pick this
project back up and work on it.


Thanks.

JR
-- 
JR Richardson
Engineering for the Masses



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread David Quinton
On Sat, 10 Apr 2010 22:34:28 +0100 (BST), Gordon Henderson
gordon+aster...@drogon.net wrote:


> Just a heads-up ... my home asterisk server is being flooded by someone 
> from IP 184.73.17.150 which is an Amazon EC2 instance by the looks of it - 
> they're trying to send SIP subscribes to one account - and they're 
> flooding the requests in - it's averaging some 600Kbits/sec of incoming 
> UDP data or about 200 a second )-:
>
> This is much worse than anything else I've seen.


Same here but 184.73.17.122.
Look what they did to my latency, Gordon:-
http://f8lure.mouselike.org/archived_graphs/westek.bizorg.co.uk_day10.png

I've had bookmarks to Fail2Ban links on my desktop for a year now.
Guess I'll have to do something about it.

If, hypothetically, I'd put that IP into hosts.deny - would it have
stopped them?




Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Gordon Henderson
On Sun, 11 Apr 2010, David Quinton wrote:

> On Sat, 10 Apr 2010 22:34:28 +0100 (BST), Gordon Henderson
> gordon+aster...@drogon.net wrote:
>
>> Just a heads-up ... my home asterisk server is being flooded by someone
>> from IP 184.73.17.150 which is an Amazon EC2 instance by the looks of it -
>> they're trying to send SIP subscribes to one account - and they're
>> flooding the requests in - it's averaging some 600Kbits/sec of incoming
>> UDP data or about 200 a second )-:
>>
>> This is much worse than anything else I've seen.
>
> Same here but 184.73.17.122.

Ah, so not just me then. Looks like someone is (ab)using EC2 to try to 
hack people's systems, and they're not doing it nicely. 200 SIP 
registrations a second was enough to have a big impact on my 500MHz 
system.

> Look what they did to my latency, Gordon:-
> http://f8lure.mouselike.org/archived_graphs/westek.bizorg.co.uk_day10.png

Oddly enough my latency wasn't being affected at all - however what I was 
seeing was my ADSL router being crippled with 200 packets a second in & out 
- to the extent that something would go bang inside it and it would 
drop the PPPoA session and then re-start. This was an old Draytek 2600 - I 
replaced it with a new Draytek 2820 and it was then fine.

> I've had bookmarks to Fail2Ban links on my desktop for a year now.
> Guess I'll have to do something about it.

Fail2ban needs python which I won't run on a PBX, however there are many 
iptables runes to help anyway without the need to trawl through log-files. 
However, I've blocked it in the draytek anyway.

The issue for me (and I suspect others) is that while we can firewall it, 
the data is still coming down the wires and for those of us who pay per 
byte transferred (or have fixed monthly caps on their broadband services) 
it could end up costing money or getting you cut-off.

> If, hypothetically, I'd put that IP into hosts.deny - would it have
> stopped them?

/etc/hosts.deny ? No. That would not have stopped it. Although I've just 
checked it might - if it's using tcp-wrappers and there is a post about it

   http://www.mail-archive.com/asterisk-...@lists.digium.com/msg36772.html

but I don't know if it's implemented yet.

I emailed Amazon on their ec2-abuse address yesterday, but have not had a 
reply. My bet is that as long as they get the money, they don't care.

My broadband ISP is slow to react to support emails of this nature and I'm 
not sure they would block it anyway. I know my upstream hosting ISP would 
block it at their borders immediately if I asked, but fortunately they've 
not attacked them - yet.

It's still going on - and has been since 6am yesterday - that's now 26 
hours.

Gordon



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread David Quinton
On Sun, 11 Apr 2010 08:09:02 +0100 (BST), Gordon Henderson
gordon+aster...@drogon.net wrote:


>> Look what they did to my latency, Gordon:-
>> http://f8lure.mouselike.org/archived_graphs/westek.bizorg.co.uk_day10.png
>
> Oddly enough my latency wasn't being affected at all - however what I was
> seeing was my ADSL router being crippled with 200 packets a second in & out
> - to the extent that something would go bang inside it and it would
> drop the PPPoA session and then re-start. This was an old Draytek 2600 - I
> replaced it with a new Draytek 2820 and it was then fine.

I replaced my old 2600 with a BT Business hub a few months ago.
The log seemed to say that there were loads of corrected packets.
The annoying thing is that I was (trying to) work at the time and I
saw the LED flashing incessantly. I checked the other Linux box and did
a netstat and saw nothing awry, and I thought I'd done the same on
the Asterisk box.
Obviously I should have looked at the log file, because it was very
obvious when I looked this morning!

> It's still going on - and has been since 6am yesterday - that's now 26
> hours.

Hasn't restarted here yet
Fingers crossed.




Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread --[ UxBoD ]--
- Original Message -
 On Sun, 11 Apr 2010, David Quinton wrote:
 
  On Sat, 10 Apr 2010 22:34:28 +0100 (BST), Gordon Henderson
  gordon+aster...@drogon.net wrote:
 
  Just a heads-up ... my home asterisk server is being flooded by
  someone from IP 184.73.17.150 which is an Amazon EC2 instance by
  the looks of it -
  they're trying to send SIP subscribes to one account - and they're
  flooding the requests in - it's averaging some 600Kbits/sec of
  incoming
  UDP data or about 200 a second )-:
 
  This is much worse than anything else I've seen.
 
  Same here but 184.73.17.122.
 
 Ah, so not just me then. Looks like someone is (ab)using EC2 to try to
 hack peoples systems, and they're not doing it nicely. 200 SIP
 registrations a second was enough to have a big impact on my 500MHz
 system.
 
  Look what they did to my latency, Gordon:-
  http://f8lure.mouselike.org/archived_graphs/westek.bizorg.co.uk_day10.png
 
 Oddly enough my latency wasn't being affected at all - however what I
 was seeing was my ADSL router being crippled with 200 packets a second
 in and out
 - to the extent that something would go bang inside it and it would
 drop the PPPoA session and then re-start. This was an old Draytek 2600
 - I
 replaced it with a new Draytek 2820 and it was then fine.
 
  I've had bookmarks to Fail2Ban links on my desktop for a year now.
  Guess I'll have to do something about it.
 
 Fail2ban needs python which I won't run on a PBX, however there are
 many iptables runes to help anyway without the need to trawl through
 log-files. However, I've blocked it in the Draytek anyway.
 
 The issue for me (and I suspect others) is that while we can firewall
 it, the data is still coming down the wires and for those of us who
 pay per
 byte transferred (or have fixed monthly caps on their broadband
 services) it could end up costing money or getting you cut-off.
 
  If, hypothetically, I'd put that IP into hosts.deny - would it have
  stopped them?
 
 /etc/hosts.deny ? No. That would not have stopped it. Although I've
 just checked it might - if it's using tcp-wrappers and there is a post
 about it
 
 http://www.mail-archive.com/asterisk-...@lists.digium.com/msg36772.html
 
 but I don't know if it's implemented yet.
 
 I emailed Amazon on their ec2-abuse address yesterday, but have not
 had a
 reply. My bet is that as long as they get the money, they don't care.
 
 My broadband ISP is slow to react to support emails of this nature and
 I'm not sure they would block it anyway. I know my upstream hosting
 ISP would
 block it at their borders immediately if I asked, but fortunately
 they've not attacked them - yet.
 
 It's still going on - and has been since 6am yesterday - that's now 26
 hours.
 
 Gordon
 
Gordon, I had one a while ago hitting my system from EC2.  Like yourself I did 
report it though it took about 24 hours for them to get back to me.  They asked 
for proof that the attack was from one of their IP spaces.  I sent the 
necessary information and the attack did stop.  It would be nice if they 
reacted a bit quicker; though I guess it depends on how many people are 
reporting issues.

In the end I set up OSSEC (http://www.ossec.net) and wrote a rule that would 
monitor for failed SIP registrations. If a few occurred within a short space of 
time the Active Response kicks in and blocks the IP address using IPTables.
-- 
Thanks, Phil


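Added example (not OSSEC's or fail2ban's own code, and not from anyone in this thread): the rule Phil describes, run in Python over a few constructed chan_sip log lines. The log-line format, the "5 failures in 60 seconds" threshold and the iptables command are assumptions for the example. The summary also separates "No matching peer found" from "Wrong password", because an attacker can tell those two replies apart and use them to enumerate accounts before guessing passwords; on Asterisk 1.4 and later, alwaysauthreject=yes in sip.conf makes both cases answer the same way.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real traffic), in the style of the chan_sip NOTICE
# lines Asterisk 1.4/1.6 write to /var/log/asterisk/full; the exact format is an
# assumption for this example. 198.51.100.7 probes for usernames, then hammers
# the one that exists; 192.168.1.20 is a LAN phone with one typo'd password.
SAMPLE_LOG = """\
[Apr 10 05:57:45] NOTICE[2314] chan_sip.c: Registration from '<sip:test@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[Apr 10 05:57:45] NOTICE[2314] chan_sip.c: Registration from '<sip:admin@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[Apr 10 05:57:45] NOTICE[2314] chan_sip.c: Registration from '<sip:100@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Apr 10 05:57:46] NOTICE[2314] chan_sip.c: Registration from '<sip:100@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Apr 10 05:57:46] NOTICE[2314] chan_sip.c: Registration from '<sip:100@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Apr 10 09:12:01] NOTICE[2314] chan_sip.c: Registration from '<sip:201@192.168.1.20>' failed for '192.168.1.20' - Wrong password
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '[^']*?<sip:(?P<user>[^@>]+)@[^>]*>' failed for "
    r"'(?P<ip>[\d.]+)' - (?P<reason>.+)$"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source_ip, reason) for every failed REGISTER line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Asterisk's default timestamp carries no year; deltas within a day are fine.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["user"], m["ip"], m["reason"]


def find_attackers(events, max_failures=5, window_seconds=60):
    """Sliding-window threshold, as a fail2ban jail or an OSSEC frequency rule
    applies it: an IP with max_failures failures inside window_seconds is banned.
    Returns {ip: time_of_ban}; the first ban time is kept."""
    recent = defaultdict(deque)
    banned = {}
    for ts, _user, ip, _reason in events:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures and ip not in banned:
            banned[ip] = ts
    return banned


def summarize(events):
    """Per source IP: distinct usernames tried and a count per failure reason.
    Many 'No matching peer found' lines followed by 'Wrong password' against a
    few names is the enumerate-then-guess pattern."""
    stats = defaultdict(lambda: {"users": set(), "reasons": defaultdict(int)})
    for _ts, user, ip, reason in events:
        stats[ip]["users"].add(user)
        stats[ip]["reasons"][reason] += 1
    return {ip: {"users": len(s["users"]), "reasons": dict(s["reasons"])}
            for ip, s in stats.items()}


def iptables_commands(banned):
    """What an active-response script would run; -I puts the DROP ahead of existing rules."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    events = list(parse_failures(SAMPLE_LOG))
    print(summarize(events))
    for cmd in iptables_commands(find_attackers(events)):
        print(cmd)
```

Feed it the real log instead of SAMPLE_LOG and the same two functions give you the ban list and a quick read on whether the attacker is still enumerating or has already found valid accounts.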


Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Administrator TOOTAI
Gordon Henderson wrote:
 Just a heads-up ... my home asterisk server is being flooded by someone 
 from IP 184.73.17.150 which is an Amazon EC2 instance by the looks of it - 
 they're trying to send SIP subscribes to one account - and they're 
 flooding the requests in - it's averaging some 600Kbits/sec of incoming 
 UDP data or about 200 a second )-:

 This is much worse than anything else I've seen.
   
List of Amazon IPs from which we have already been attacked on several 
of our servers in Europe (blocked with Fail2Ban):

75.101.195.70
79.125.30.56
184.72.6.92
184.73.70.8
184.73.21.31
184.73.16.184
204.236.169.224

We also faced attack from China, Germany, Romania, Israel and Palestine
-- 
Daniel



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Gordon Henderson
On Sun, 11 Apr 2010, --[ UxBoD ]-- wrote:

 In the end I set up OSSEC (http://www.ossec.net) and wrote a rule that 
 would monitor for failed SIP registrations. If a few occurred within a 
 short space of time the Active Response kicks in and blocks the IP 
 address using IPTables. -- Thanks, Phil

Cheers - but it's not blocking that's the real issue, that's trivial in my 
router or on the PBX, it's that my monthly ADSL data cap is being used up 
and my ISP is not responding (actually, they might if I phone them, but 
it's not desperate right now as I'm unlimited at the weekend), and neither 
is Amazon.

My current monthly peak-time cap is 45GB - 8am to 8pm and they seem to 
be eating up some 7-10GB a day... So I might actually be OK and can just 
weather it out, but it's still annoying.

I'm tempted to just block all of Amazon's EC2 and say to hell with them. 
Shouldn't be too hard to track them down - eg. from whois on that IP:

NetRange:   72.44.32.0 - 72.44.63.255
CIDR:   72.44.32.0/19
NetName:AMAZON-EC2-2

NetRange:   75.101.128.0 - 75.101.255.255
CIDR:   75.101.128.0/17
NetName:AMAZON-EC2-4

NetRange:   67.202.0.0 - 67.202.63.255
CIDR:   67.202.0.0/18
NetName:AMAZON-EC2-3

NetRange:   174.129.0.0 - 174.129.255.255
CIDR:   174.129.0.0/16
NetName:AMAZON-EC2-5

NetRange:   204.236.128.0 - 204.236.255.255
CIDR:   204.236.128.0/17
NetName:AMAZON-EC2-6

NetRange:   184.72.0.0 - 184.73.255.255
CIDR:   184.72.0.0/15
NetName:AMAZON-EC2-7

(so much for running out of ipv4 address space when amazon has millions)

And there are well-known published lists of all Chinese hosts, etc. 
too. Easy enough to cook up iptables to allow data from sites I connect 
out to, but block all incoming new connections.

Gordon



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Zeeshan Zakaria
My experience is that as long as the hackers are getting any kind of
response from your server, they'll keep their attack on, in a hope that
they'll get into your system sooner or later. After all it is just some
computers doing the work for them, no human is physically getting tired here.
This is why when you block them in your iptables, and they stop getting
response from your end, i.e. no ping reply, no sip response, nothing
basically, then they eventually take their attack somewhere else probably
because they (or their hack attempt software) either assume that the ip they
were attacking is no longer valid for the attack or the user has taken
enough security measures that attacking him is not worth the effort.

On the contrary, my experience, if you don't block them, eventually attacks
increase. Probably they let their other hacker friends know too that your
server is a good candidate for hack attempt.

Obviously it's only the ISPs who can truly stop such attacks by blocking
them at their routers. If the hackers decide to keep bugging you,
unfortunately there is nothing you can do to prevent the waste of your bandwidth.

But I wonder if one's router doesn't respond back, e.g. it is physically
off, and someone is doing such an attack, do the ISPs still consider it
bandwidth usage?

Zeeshan A Zakaria

--
Sent from my Android phone with K-9 Mail.

On 2010-04-11 7:41 AM, Gordon Henderson gordon+aster...@drogon.net wrote:

Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Gordon Henderson
On Sun, 11 Apr 2010, Zeeshan Zakaria wrote:

 My experience is that as long as the hackers are getting any kind of
 response from your server, they'll keep their attack on, in a hope that
 they'll get into your system sooner or later. After all it is just some
 computers doing the work for them, no human is physically getting tired here.
 This is why when you block them in your iptables, and they stop getting
 response from your end, i.e. no ping reply, no sip response, nothing
 basically, then they eventually take their attack somewhere else probably
 because they (or their hack attempt software) either assume that the ip they
 were attacking is no longer valid for the attack or the user has taken
 enough security measures that attacking him is not worth the effort.

 On the contrary, my experience, if you don't block them, eventually attacks
 increase. Probably they let their other hacker friends know too that your
 server is a good candidate for hack attempt.

Very probably true...

 Obviously it's only the ISPs who can truly stop such attacks by blocking
 them at their routers. If the hackers decide to keep bugging you,
 unfortunately there is nothing you can do to prevent the waste of your bandwidth.

 But I wonder if one's router doesn't respond back, e.g. it is physically
 off, and someone is doing such an attack, do the ISPs still consider it
 bandwidth usage?

Interesting - I'm not sure. Currently my router isn't responding, but it 
still has to soak up the packet, and as it's being counted from the ISPs 
end, it's probably being 'counted' towards my allowance.

I don't particularly want to turn it off though - I do all sorts of 
automated backups, etc. overnight as well as monitoring of my hosted 
servers, customers, etc

However, I've just had a reply back from Amazon to say that they have 
contacted the hosts owner - but that was just over an hour ago, and when I 
removed the firewall rules, they're still trying )-:

Is there any way to sniff the SIP password they're trying? It'd be 
interesting to see what passwords they're guessing - they're trying just 
one account rather than accounts at random.

I've played with sipdump and sipcrack - looks like they're trying a 
different password each time though.

Ho hum.

Gordon

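Added example, not from sipdump/sipcrack and not from anyone in the thread, showing why the guessed password cannot simply be read off the wire: a SIP REGISTER carries only a digest of it (RFC 3261 reuses the RFC 2617 Digest scheme, and chan_sip challenges without qop). What sipcrack does is re-compute that digest for each candidate password using the realm, nonce and URI captured from the Authorization header and compare it with the captured response; a different password each time, as Gordon observed, just means a different response each time. The captured header below is constructed inside the block for a known password; the nonce, URI and realm are made up.

```python
import hashlib
import re


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """Digest response as SIP computes it without qop:
    MD5( MD5(user:realm:password) ":" nonce ":" MD5(method:uri) ).
    The qop=auth variant (extra cnonce/nc fields) is not handled here."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


# key="quoted value"  or  key=bare-token
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header):
    """Split 'Digest k="v", k2=v2, ...' into a dict of parameters."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest authorization header")
    return {k: quoted or bare for k, quoted, bare in _PARAM_RE.findall(params)}


def crack_register(header, method, candidates):
    """Offline dictionary test against one captured Authorization header.
    The password is never on the wire, only its digest, so each candidate is
    re-digested with the captured username/realm/nonce/uri and compared.
    Returns the matching password, or None if no candidate matches."""
    p = parse_authorization(header)
    for pw in candidates:
        if digest_response(p["username"], p["realm"], pw, method,
                           p["uri"], p["nonce"]) == p["response"]:
            return pw
    return None


# Constructed capture (not real traffic): the header a REGISTER would carry if
# the attacker guessed "1234" for account 100 in realm "asterisk".
NONCE = "4f2a9c1e"
URI = "sip:192.0.2.5"
_RESPONSE = digest_response("100", "asterisk", "1234", "REGISTER", URI, NONCE)
CAPTURED_HEADER = (
    f'Digest username="100", realm="asterisk", nonce="{NONCE}", uri="{URI}", '
    f'response="{_RESPONSE}", algorithm=MD5'
)

if __name__ == "__main__":
    print(crack_register(CAPTURED_HEADER, "REGISTER", ["password", "123456", "1234"]))
```

On a real capture you would feed the Authorization line of each REGISTER and a wordlist to crack_register; one MD5 chain per candidate is cheap, which is the same reason Philipp's advice about long passwords matters.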


Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Norbert Zawodsky
Hello to everyone!

Same here (Vienna, Austria).

I had this attack yesterday 6am (local time) from IP 216.105.128.63

whois 216.105.128.63 returns:

OrgName:Globalvision
OrgID:  ACSIN-3
Address:78 Global Drive
Address:Suite 101
City:   Greenville
StateProv:  SC
PostalCode: 29607
Country:US

NetRange:   216.105.128.0 - 216.105.159.255
CIDR:   216.105.128.0/19
NetName:ACSINC-BLK-1
NetHandle:  NET-216-105-128-0-1
Parent: NET-216-0-0-0-0
NetType:Direct Allocation
NameServer: NS1.ACSINC.NET
NameServer: NS2.ACSINC.NET
Comment:ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:1998-10-19
Updated:2004-12-08

OrgTechHandle: HOSTM560-ARIN
OrgTechName:   Hostmaster
OrgTechPhone:  +1-864-467-1333
OrgTechEmail:  hostmas...@acsinc.net

In my case, the attack started at 05:57:45.

Asterisk: 1.2.12.1

They sent 14,288 Register requests trying some common users like
test, admin, sip, user, 123, 1234, and so on.
Then they started just counting up from user 0
(0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,.) and this way, they found
valid users until 05:59:09 which is 1 minute and 24 seconds or 170
Registers/second

After that, they sent 66,267 registers until 06:24:08, only
with the found users and random password combinations. 66,267 reg /
1,499 seconds = 44 regs/second

A classic brute force attack. Interesting that the password attacks
came slower than the userid attacks...

At 6:24:23 Asterisk obviously crashed because there were no more log
entries. I noticed the incident because my office phone number was not
reachable when I tried in the morning.

My phones (SNOMs) are all on the same LAN within a 192.168.X.X address
range. I wonder if everything would become a little bit more secure if
I defined them with host=192.168.X.X in sip.conf instead of
host=dynamic. I tried it as a quick shot but it didn't work as they
still try to register. Does someone know if this is possible and
where/how to configure it on the snom side?

greetings,
Norbert



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Philipp von Klitzing
Hi!

 My phones (SNOMs) are all on the same LAN within a 192.168.X.X address
 range. I wonder if everything would become a little bit more secure if
 I defined them with host=192.168.X.X in sip.conf instead of
 host=dynamic. I tried it as a quick shot but it didn't work as they
 still try to register. Does someone know if this is possible and
 where/how to configure it on the snom side? 

Unfortunately you cannot tell the SNOM to not register for an active 
identity - at least not in the web UI. :-(

Instead use permit/deny in sip.conf for your SIP clients, and most 
importantly: Use strong (and long) passwords.

Philipp




Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Zeeshan Zakaria
I don't know if there is a tool to sniff passwords, but did you check in
/var/log/asterisk/full? Maybe Wireshark can be used for this purpose, but
it won't be that straightforward.

Interestingly I checked log of my server and found out that I was also under
attack yesterday by an Amazon cloud server, IP 184.73.53.22. Thanks to
fail2ban the IP was blocked. But I guess I am now used to these attacks as
it is a routine now and so far fail2ban is working fine for me. But my
server (and now yours too) is in some hackers' list of Asterisk favourites
and will keep getting under attack.

I'll now send an email to Amazon.

Zeeshan A Zakaria

--
Sent from my Android phone with K-9 Mail.

On 2010-04-11 9:42 AM, Norbert Zawodsky norb...@zawodsky.at wrote:

Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Fred Posner
On Apr 11, 2010, at 10:06 AM, Zeeshan Zakaria wrote:

 I don't know if there is a tool to sniff passwords, but did you check in 
 /var/log/asterisk/full? Maybe Wireshark can be used for this purpose, but 
 it won't be that straightforward.
 
 Interestingly I checked the log of my server and found out that I was also under 
 attack yesterday by an Amazon cloud server, IP 184.73.53.22. Thanks to 
 fail2ban the IP was blocked. But I guess I am now used to these attacks as it 
 is a routine now and so far fail2ban is working fine for me. But my server 
 (and now yours too) is in some hackers' list of Asterisk favourites and will 
 keep getting under attack.
 
 I'll now send an email to Amazon.
 
 Zeeshan A Zakaria
 
 --


We were also attacked from 184.73.53.2 yesterday and sent an email to their 
abuse (with no response). The interesting thing about this attack, was instead 
of just making registration attempts, it also tried to call extensions first... 
our dialplan doesn't allow for either but was unusual in that most aren't 
trying to dial an extension before regging them.


Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Mark Smith
--[ UxBoD ]-- uxbod at splatnix.net writes:

 

Same this end from 184.73.17.150.

Use this little piece of iptables magic to block the whole of Amazon's EC2 ip-
range.

# NOTE: -F flushes every rule already in the filter table before the list is
# loaded; leave it out if you have existing rules you want to keep.
iptables -F
# Drop all traffic from each EC2 range (-m iprange matches an inclusive first-last span)
iptables -A INPUT -m iprange --src-range 216.182.224.0-216.182.239.255 -j DROP
iptables -A INPUT -m iprange --src-range 72.44.32.0-72.44.63.255 -j DROP
iptables -A INPUT -m iprange --src-range 67.202.0.0-67.202.63.255 -j DROP
iptables -A INPUT -m iprange --src-range 75.101.128.0-75.101.255.255 -j DROP
iptables -A INPUT -m iprange --src-range 174.129.0.0-174.129.255.255 -j DROP
# whois earlier in the thread gives AMAZON-EC2-6 as 204.236.128.0/17; this span
# leaves 204.236.128.0-204.236.191.255 open
iptables -A INPUT -m iprange --src-range 204.236.192.0-204.236.255.255 -j DROP
# whois gives AMAZON-EC2-7 as 184.72.0.0/15 (184.72.0.0-184.73.255.255); the two
# spans below leave 184.72.64.0-184.72.255.255 open
iptables -A INPUT -m iprange --src-range 184.73.0.0-184.73.255.255 -j DROP
iptables -A INPUT -m iprange --src-range 216.236.128.0-216.236.191.255 -j DROP
iptables -A INPUT -m iprange --src-range 184.72.0.0-184.72.63.255 -j DROP
iptables -A INPUT -m iprange --src-range 79.125.0.0-79.125.127.255 -j DROP
# Persist the rules across reboots (Red Hat-style init script)
service iptables save

This sorts it out in the short-term until Amazon realise their service is 
being utilised by arseholes.




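Added example (not the list's code and not Mark's): before trusting a hand-typed range list, check it against the whois allocations. The block below takes the six AMAZON-EC2 NetRanges Gordon quoted from whois and the ten --src-range spans from Mark's iptables list, converts both to CIDR with the standard library, and reports what the posted list leaves open within those allocations (it does: 184.72.64.0-184.72.255.255 and 204.236.128.0-204.236.191.255). It also emits the rules into a dedicated chain so the list can be reloaded without the `iptables -F` that wipes every other rule; the chain name is an assumption, and Mark's extra ranges that the whois excerpt does not mention are simply carried through.

```python
import ipaddress

# NetRanges exactly as quoted from whois earlier in the thread (AMAZON-EC2-2..7).
WHOIS_RANGES = [
    ("72.44.32.0", "72.44.63.255"),
    ("75.101.128.0", "75.101.255.255"),
    ("67.202.0.0", "67.202.63.255"),
    ("174.129.0.0", "174.129.255.255"),
    ("204.236.128.0", "204.236.255.255"),
    ("184.72.0.0", "184.73.255.255"),
]

# The --src-range arguments from the posted iptables list, as posted.
POSTED_RANGES = [
    ("216.182.224.0", "216.182.239.255"),
    ("72.44.32.0", "72.44.63.255"),
    ("67.202.0.0", "67.202.63.255"),
    ("75.101.128.0", "75.101.255.255"),
    ("174.129.0.0", "174.129.255.255"),
    ("204.236.192.0", "204.236.255.255"),
    ("184.73.0.0", "184.73.255.255"),
    ("216.236.128.0", "216.236.191.255"),
    ("184.72.0.0", "184.72.63.255"),
    ("79.125.0.0", "79.125.127.255"),
]


def to_cidrs(ranges):
    """Turn first-last pairs into the minimal merged, sorted list of CIDR blocks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return list(ipaddress.collapse_addresses(nets))


def uncovered(reference, blocked):
    """CIDR blocks inside `reference` that `blocked` leaves open.
    Two CIDR blocks are either nested or disjoint, so each reference block is
    carved with address_exclude() for every blocked block nested inside it."""
    gaps = []
    for ref in reference:
        pieces = [ref]
        for b in blocked:
            carved = []
            for net in pieces:
                if net.subnet_of(b):
                    continue                                 # fully blocked
                if b.subnet_of(net):
                    carved.extend(net.address_exclude(b))    # keep the unblocked rest
                else:
                    carved.append(net)                       # disjoint, untouched
            pieces = carved
        gaps.extend(pieces)
    return list(ipaddress.collapse_addresses(gaps))


def is_blocked(ip, nets):
    return any(ipaddress.IPv4Address(ip) in n for n in nets)


def iptables_rules(nets, chain="EC2-BLOCK"):
    """Rules for a dedicated chain (name assumed), so the list can be flushed and
    reloaded on its own; one -s CIDR per block, no iprange match needed."""
    rules = [f"iptables -N {chain}", f"iptables -I INPUT -j {chain}"]
    rules += [f"iptables -A {chain} -s {n} -j DROP" for n in nets]
    return rules


if __name__ == "__main__":
    whois = to_cidrs(WHOIS_RANGES)
    posted = to_cidrs(POSTED_RANGES)
    print("open within whois allocations:", [str(n) for n in uncovered(whois, posted)])
    print("\n".join(iptables_rules(posted)))
```

Re-run it whenever the whois output changes; the same uncovered() check works for any hand-maintained blocklist against the allocation it is meant to cover.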


Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Martin
It's a good idea to set up Fail2ban, instructions for which are on 
voip-info.org. It at least blocks such IP addresses, hopefully prompting the 
attackers to move their attack somewhere else and leave you alone.
I personally use Fail2ban, it works but won't keep them from flooding your line. 
My last attacker kept trying for 3 days

Another good idea is to look up this IP address in the whois database and see if 
you can find contact info for the person responsible for this IP address. Then 
contact them and let them know about this incident.
You can also try to ask your ISP if they can block it on their end.
Fail2ban can send you the whois info about every blocked IP. I'm just not sure if 
any kind of reporting will help :-(

Zeeshan A Zakaria
Martin L 




Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Zeeshan Zakaria
I always report at least. This is still better than not bringing it to their
attention. I once worked in the NOC of a big data centre of a major ISP, and
we often got calls regarding IPs from our data centres involved in spam and
hacks, but unless there were a number of complaints, nobody had the time or
resources to dedicate to verifying the validity of individual
complaints and taking some action.

Zeeshan A Zakaria

--
Sent from my Android phone with K-9 Mail.

On 2010-04-11 1:41 PM, Martin r...@atlas.cz wrote:


Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Norbert Zawodsky
On 11.04.2010 17:05, Mark Smith wrote:
Hi Mark!

your little iptables magic is a very good idea! Implementation took  1
minute :-)
I'll use it until a better idea comes up ... (which I don't expect
within a short term)

Thank you!

Norbert



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Tom Stordy-Allison
Hi,

This is exactly what I've just joined this mailing list about.

Has anyone had any luck getting Amazon to stop the instances? I'm stuck with 
around 700Kbps of my 2.5Mbps inbound in use as my firewall blocks the requests 
as below. 

Cheers,

Tom

-Original Message-
From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Norbert Zawodsky
Sent: 11 April 2010 20:57
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Being attacked by an Amazon EC2 ...

Am 11.04.2010 17:05, schrieb Mark Smith:
 Same this end from 184.73.17.150.
 Use this little piece of iptables magic to block the whole of Amazon's EC2 ip-
 range.

 iptables -F
 iptables -A INPUT -m iprange --src-range 216.182.224.0-216.182.239.255 -j DROP
 iptables -A INPUT -m iprange --src-range 72.44.32.0-72.44.63.255 -j DROP
 iptables -A INPUT -m iprange --src-range 67.202.0.0-67.202.63.255 -j DROP
 iptables -A INPUT -m iprange --src-range 75.101.128.0-75.101.255.255 -j DROP
 iptables -A INPUT -m iprange --src-range 174.129.0.0-174.129.255.255 -j DROP
 iptables -A INPUT -m iprange --src-range 204.236.192.0-204.236.255.255 -j DROP
 iptables -A INPUT -m iprange --src-range 184.73.0.0-184.73.255.255 -j DROP
 iptables -A INPUT -m iprange --src-range 216.236.128.0-216.236.191.255 -j DROP
 iptables -A INPUT -m iprange --src-range 184.72.0.0-184.72.63.255 -j DROP
 iptables -A INPUT -m iprange --src-range 79.125.0.0-79.125.127.255 -j DROP
 service iptables save

 This sorts it out in the short-term until Amazon realise their service is 
 being utilised by arseholes.




   
Hi Mark!

your little iptables magic is a very good idea! Implementation took  1
minute :-)
I'll use it until a better idea comes up ... (which I don't expect
within a short term)

Thank you!

Norbert

-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Mark Smith
Norbert Zawodsky norbert at zawodsky.at writes:

 
 Am 11.04.2010 17:05, schrieb Mark Smith:
  Same this end from 184.73.17.150.
  Use this little piece of iptables magic to block the whole of Amazon's EC2 
ip-
  range.
 
  iptables -F
  iptables -A INPUT -m iprange --src-range 216.182.224.0-216.182.239.255 -j 
DROP
  iptables -A INPUT -m iprange --src-range 72.44.32.0-72.44.63.255 -j DROP
  iptables -A INPUT -m iprange --src-range 67.202.0.0-67.202.63.255 -j DROP
  iptables -A INPUT -m iprange --src-range 75.101.128.0-75.101.255.255 -j 
DROP
  iptables -A INPUT -m iprange --src-range 174.129.0.0-174.129.255.255 -j 
DROP
  iptables -A INPUT -m iprange --src-range 204.236.192.0-204.236.255.255 -j 
DROP
  iptables -A INPUT -m iprange --src-range 184.73.0.0-184.73.255.255 -j DROP
  iptables -A INPUT -m iprange --src-range 216.236.128.0-216.236.191.255 -j 
DROP
  iptables -A INPUT -m iprange --src-range 184.72.0.0-184.72.63.255 -j DROP
  iptables -A INPUT -m iprange --src-range 79.125.0.0-79.125.127.255 -j DROP
  service iptables save
 
  This sorts it out in the short-term until Amazon realise their service is 
  being utilised by arseholes.
 
 
 
 

 Hi Mark!
 
 your little iptables magic is a very good idea! Implementation took  1
 minute 
 I'll use it until a better idea comes up ... (which I don't expect
 within a short term)
 
 Thank you!
 
 Norbert
 

Hi Norbert

An absolute pleasure. It goes without saying the best idea is for Amazon to 
realise its systems are being abused by this type of moron and shut them 
down, once and for all. It's all very good offering cloud-computing services 
but more responsibility needs to be enforced by the provider.

The iptables solution is obviously not the ultimate solution to the problem 
but it don't half stop the devastating consequences of it such as very poor 
latency and jittery phone-calls due to the crippled upstream.

Kindest regards

Mark Smith
MSIT Group Ltd






Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Erik L
FWIW, we're seeing similar attacks. The below is what I posted on NANOG 
earlier, which summarizes Amazon's stellar abuse response. I've also received 
an off-list e-mail from someone who was getting hit with 6Gbps of traffic from 
them (and was not able to reach anyone there either).

Time to start blocking them at the edge. Let their customers complain to them 
instead.

-Original Message-
From: Erik L 
Sent: April 11, 2010 10:38
To: na...@nanog.org
Subject: Seeking Amazon EC2 abuse contact

Could someone from Amazon EC2 please contact me off-list regarding an abuse 
issue from one of their IPs? Alternatively, could someone please send me the 
contact details of someone there?

E-mailing the abuse e-mail listed in WHOIS per their instructions, including 
all pertinent data, results in an auto-reply indicating to use a form on their 
site. Submitting the form results in "There has been an error while submitting 
your data. Please try again later." Calling their supposed NOC (as per WHOIS) 
results in "You have reached the legal department at Amazon...please leave a 
message."

Thanks

-- 
Erik
Caneris Inc.
Tel: 647-723-6365
Fax: 647-723-5365
Toll-free: 1-888-444-8843
www.caneris.com



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Stuart Sheldon

We reported abuse Saturday morning... As of yet, no change in traffic.

I have sent requests upstream to filter all UDP/5060 traffic from EC-2
range to stop the DDOS that we are under, but have only gotten 2 of our
4 providers to comply.

At this point, I guess we'll all just ride it out...

Stu


Tom Stordy-Allison wrote:
 Hi,
 
 This is exactly what I've just joined this mailing list about.
 
 Has anyone had any luck getting Amazon to stop the instances? I'm stuck with 
 around 700Kbps of my 2.5Mbps inbound in use as my firewall blocks the 
 requests as below. 
 
 Cheers,
 
 Tom
 
 -Original Message-
 From: asterisk-users-boun...@lists.digium.com 
 [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Norbert Zawodsky
 Sent: 11 April 2010 20:57
 To: asterisk-users@lists.digium.com
 Subject: Re: [asterisk-users] Being attacked by an Amazon EC2 ...
 
 Am 11.04.2010 17:05, schrieb Mark Smith:
 Same this end from 184.73.17.150.
 Use this little piece of iptables magic to block the whole of Amazon's EC2 
 ip-
 range.

 iptables -F
 iptables -A INPUT -m iprange --src-range 216.182.224.0-216.182.239.255 -j 
 DROP
 iptables -A INPUT -m iprange --src-range 72.44.32.0-72.44.63.255 -j DROP
 iptables -A INPUT -m iprange --src-range 67.202.0.0-67.202.63.255 -j DROP
 iptables -A INPUT -m iprange --src-range 75.101.128.0-75.101.255.255 -j DROP
 iptables -A INPUT -m iprange --src-range 174.129.0.0-174.129.255.255 -j DROP
 iptables -A INPUT -m iprange --src-range 204.236.192.0-204.236.255.255 -j 
 DROP
 iptables -A INPUT -m iprange --src-range 184.73.0.0-184.73.255.255 -j DROP
 iptables -A INPUT -m iprange --src-range 216.236.128.0-216.236.191.255 -j 
 DROP
 iptables -A INPUT -m iprange --src-range 184.72.0.0-184.72.63.255 -j DROP
 iptables -A INPUT -m iprange --src-range 79.125.0.0-79.125.127.255 -j DROP
 service iptables save

 This sorts it out in the short-term until Amazon realise their service is 
 being utilised by arseholes.




   
 Hi Mark!
 
 your little iptables magic is a very good idea! Implementation took  1
 minute :-)
 I'll use it until a better idea comes up ... (which I don't expect
 within a short term)
 
 Thank you!
 
 Norbert
 




Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Tom Stordy-Allison
Yeah - I've reported it to the EC2 abuse address about 10 hours ago, with no 
response as of yet.

I'm waiting on my ISP to see if they can block anything further upstream.

I should be lucky it's not 6Gbps like some!

Cheers,

Tom

-Original Message-
From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Stuart Sheldon
Sent: 11 April 2010 21:17
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Being attacked by an Amazon EC2 ...


We reported abuse Saturday morning... As of yet, no change in traffic.

I have sent requests upstream to filter all UDP/5060 traffic from EC-2 range to 
stop the DDOS that we are under, but have only gotten 2 of our
4 providers to comply.

At this point, I guess we'll all just ride it out...

Stu


Tom Stordy-Allison wrote:
 Hi,
 
 This is exactly what I've just joined this mailing list about.
 
 Has anyone had any luck getting Amazon to stop the instances? I'm stuck with 
 around 700Kbps of my 2.5Mbps inbound in use as my firewall blocks the 
 requests as below. 
 
 Cheers,
 
 Tom
 
 -Original Message-
 From: asterisk-users-boun...@lists.digium.com 
 [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Norbert 
 Zawodsky
 Sent: 11 April 2010 20:57
 To: asterisk-users@lists.digium.com
 Subject: Re: [asterisk-users] Being attacked by an Amazon EC2 ...
 
 Am 11.04.2010 17:05, schrieb Mark Smith:
 Same this end from 184.73.17.150.
 Use this little piece of iptables magic to block the whole of Amazon's EC2 ip-range.

 iptables -F
 iptables -A INPUT -m iprange --src-range 216.182.224.0-216.182.239.255 -j DROP
 iptables -A INPUT -m iprange --src-range 72.44.32.0-72.44.63.255 -j DROP
 iptables -A INPUT -m iprange --src-range 67.202.0.0-67.202.63.255 -j DROP
 iptables -A INPUT -m iprange --src-range 75.101.128.0-75.101.255.255 -j DROP
 iptables -A INPUT -m iprange --src-range 174.129.0.0-174.129.255.255 -j DROP
 iptables -A INPUT -m iprange --src-range 204.236.192.0-204.236.255.255 -j DROP
 iptables -A INPUT -m iprange --src-range 184.73.0.0-184.73.255.255 -j DROP
 iptables -A INPUT -m iprange --src-range 216.236.128.0-216.236.191.255 -j DROP
 iptables -A INPUT -m iprange --src-range 184.72.0.0-184.72.63.255 -j DROP
 iptables -A INPUT -m iprange --src-range 79.125.0.0-79.125.127.255 -j DROP
 service iptables save

 This sorts it out in the short-term until Amazon realise their 
 service is being utilised by arseholes.




   
 Hi Mark!
 
 your little iptables magic is a very good idea! Implementation took  
 1 minute :-) I'll use it until a better idea comes up ... (which I 
 don't expect within a short term)
 
 Thank you!
 
 Norbert
 




Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Fred Posner

On Apr 11, 2010, at 4:06 PM, Tom Stordy-Allison wrote:

 Hi,
 
 This is exactly what I've just joined this mailing list about.
 
 Has anyone had any luck getting Amazon to stop the instances? I'm stuck with 
 around 700Kbps of my 2.5Mbps inbound in use as my firewall blocks the 
 requests as below. 
 
 Cheers,
 
 Tom
 


I can't even get them to acknowledge my complaints.

---fred
http://qxork.com




Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-11 Thread Remco Barendse
On Sun, 11 Apr 2010, Mark Smith wrote:


 Same this end from 184.73.17.150.

 Use this little piece of iptables magic to block the whole of Amazon's EC2 ip-range.

 iptables -F
 iptables -A INPUT -m iprange --src-range 216.182.224.0-216.182.239.255 -j DROP
 iptables -A INPUT -m iprange --src-range 72.44.32.0-72.44.63.255 -j DROP
 iptables -A INPUT -m iprange --src-range 67.202.0.0-67.202.63.255 -j DROP
 iptables -A INPUT -m iprange --src-range 75.101.128.0-75.101.255.255 -j DROP
 iptables -A INPUT -m iprange --src-range 174.129.0.0-174.129.255.255 -j DROP
 iptables -A INPUT -m iprange --src-range 204.236.192.0-204.236.255.255 -j DROP
 iptables -A INPUT -m iprange --src-range 184.73.0.0-184.73.255.255 -j DROP
 iptables -A INPUT -m iprange --src-range 216.236.128.0-216.236.191.255 -j DROP
 iptables -A INPUT -m iprange --src-range 184.72.0.0-184.72.63.255 -j DROP
 iptables -A INPUT -m iprange --src-range 79.125.0.0-79.125.127.255 -j DROP
 service iptables save

 This sorts it out in the short-term until Amazon realise their service is
 being utilised by arseholes.


Would this work if using Shorewall? What would a sane ruleset for 
Shorewall look like that implements some sort of rate limiting features?
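
Mark Smith's iprange list and Remco's Shorewall question both come down to the same two things: the posted ranges as CIDR blocks (which Shorewall blacklists and ipset take), and a check that an observed source such as the 184.73.17.150 reported in this thread is actually covered. The Python below is an added example, not code from anyone on the list. It takes the ranges exactly as posted (an April 2010 snapshot that is long out of date, so treat it as sample data), collapses them to CIDRs, and renders an iptables rule set that uses a dedicated chain instead of "iptables -F" (which flushes every existing INPUT rule, not just the block list) and adds a per-source hashlimit on UDP/5060; the chain name SIPFLOOD and the rate numbers are my assumptions, and "iptables -C" needs iptables 1.4.11 or later.

```python
import ipaddress

# Ranges exactly as posted in Mark Smith's rules (April 2010 snapshot, used
# here as constructed sample data; EC2 allocations have changed since).
EC2_RANGES_2010 = [
    ("216.182.224.0", "216.182.239.255"),
    ("72.44.32.0", "72.44.63.255"),
    ("67.202.0.0", "67.202.63.255"),
    ("75.101.128.0", "75.101.255.255"),
    ("174.129.0.0", "174.129.255.255"),
    ("204.236.192.0", "204.236.255.255"),
    ("184.73.0.0", "184.73.255.255"),
    ("216.236.128.0", "216.236.191.255"),
    ("184.72.0.0", "184.72.63.255"),
    ("79.125.0.0", "79.125.127.255"),
]


def ranges_to_cidrs(ranges):
    """Collapse each first-last range into the minimal CIDR blocks, the form
    a Shorewall blacklist file or an ipset hash:net set expects."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covered_by(cidrs, ip):
    """True if the observed source address falls inside any blocked block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def render_iptables(cidrs, sip_port=5060, per_sec=5, burst=20):
    """Render rules into a dedicated chain (assumed name SIPFLOOD) so the rest
    of INPUT is left alone, and throttle SIP per source address so a single
    flooder outside the list is still limited. Rate values are assumptions."""
    lines = ["iptables -N SIPFLOOD 2>/dev/null || iptables -F SIPFLOOD"]
    lines += [f"iptables -A SIPFLOOD -s {c} -j DROP" for c in cidrs]
    lines.append(
        f"iptables -A SIPFLOOD -p udp --dport {sip_port} -m hashlimit "
        f"--hashlimit-name sip --hashlimit-mode srcip "
        f"--hashlimit-above {per_sec}/sec --hashlimit-burst {burst} -j DROP")
    lines.append("iptables -A SIPFLOOD -j RETURN")
    # Hook the chain into INPUT once; -C tests whether the jump already exists.
    lines.append("iptables -C INPUT -j SIPFLOOD 2>/dev/null "
                 "|| iptables -I INPUT -j SIPFLOOD")
    return "\n".join(lines)


if __name__ == "__main__":
    blocks = ranges_to_cidrs(EC2_RANGES_2010)
    print("184.73.17.150 covered:", covered_by(blocks, "184.73.17.150"))
    print(render_iptables(blocks))
```

The CIDR list is also what you would paste into Shorewall's blacklist file; the hashlimit line is the rate-limiting part Remco asked about and works independently of the address list.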





[asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-10 Thread Gordon Henderson

Just a heads-up ... my home asterisk server is being flooded by someone 
from IP 184.73.17.150 which is an Amazon EC2 instance by the looks of it - 
they're trying to send SIP subscribes to one account - and they're 
flooding the requests in - it's averaging some 600Kbits/sec of incoming 
UDP data or about 200 a second )-:

This is much worse than anything else I've seen.

Gordon



Re: [asterisk-users] Being attacked by an Amazon EC2 ...

2010-04-10 Thread Zeeshan Zakaria
It's a good idea to set up Fail2ban, instructions for which are on
voip-info.org. It at least blocks such IP addresses, hopefully prompting the
attackers to move their attack somewhere else and leave you alone.

Another good idea is to look up this IP address in the whois database and see if
you can find contact info for the person responsible for it.
Then contact them and let them know about this incident.

You can also try to ask your ISP if they can block it on their end.

Zeeshan A Zakaria

--
Sent from my Android phone with K-9 Mail.

On 2010-04-10 5:39 PM, Gordon Henderson gordon+aster...@drogon.net wrote:


Just a heads-up ... my home asterisk server is being flooded by someone
from IP 184.73.17.150 which is an Amazon EC2 instance by the looks of it -
they're trying to send SIP subscribes to one account - and they're
flooding the requests in - it's averaging some 600Kbits/sec of incoming
UDP data or about 200 a second )-:

This is much worse than anything else I've seen.

Gordon
