Tag Archives: attack

SIP Abuse from Amazon EC2

Ok, so I’ve been slacking again. Actually, I’ve been busy. Recently our VOIP server was receiving a SIP registration attack. the source IP was one from Amazons EC2 Network. having blocked them on the firewall at my end-point, the attack continued to try and send data to my system. I followed protocol, and sent an Abuse report to Amazon EC2. The abuse report contained a graph of the on-going data, seen here:


It also contained a cut-down of the logs, showing which IP from their network was attacking our system and an explanation of what was happening. This was also CC’d to my ISP, I don’t normally CC them in on abuse reports, as when sending them for SSH attacks there’s alot of them, however, this isn’t the first time it’s happened from the Amazon network, and the data usage was incredibly large. and persisted even after blocking on the firewall. Fortunately for me, My ISP (Andrews and Arnold) give me a lot of control over my lines, including routing tables specific to IP’s that I have allocated and in this instance it took un-routing the subnet from my lines before the traffic stopped (though, according to someone at my ISP, the attack continued for some hours after un-routing the subnet).

Anyway, I received a response from Amazon today, they quoted the IP Address of my server that the attack was going to and had this to say:

Thank you for submitting your abuse report. There was no single customer using the source IP address(es) during the time you provided. This may be due to the fact that we do not own the IP address(es), the time or time zone you provided was incorrect, or there were multiple customers with instances running during the time and IP address(es) you specified. You may try re-submitting your report with a different time if you wish.

What that reads to me is “I didn’t actually look that closely to the logs and ignored most of the information that told me the time-zone in which your network is using, I also don’t know how to read logs, and assumed the IP address was a different one from what you had quoted” I have responded, telling them of their mistake. I have told them again which time-zone the logs are in, and I have told them again which IP Address they should be looking at in the logs. Today, the entire Amazon EC2 network has blocked access to my VOIP Server. What this means is that if there is anyone using Amazon EC2 legitimately for a VOIP server, they can not directly call our numbers.  I doubt this actually happens very often anyway but the least I expect from a company like Amazon when sending in an abuse report is that they actually give it to someone that has more than a single brain cell and doesn’t know what a computer is.

We’ll see what happens with this, but I’m not hopeful, and will never recommend Amazons EC2 service to anyone.