Gordon Henderson
2010-Apr-10 21:34 UTC
[asterisk-users] Being attacked by an Amazon EC2 ...
Just a "heads-up" ... my home asterisk server is being flooded by someone from IP 184.73.17.150 which is an Amazon EC2 instance by the looks of it - they're trying to send SIP subscribes to one account - and they're flooding the requests in - it's averaging some 600Kbits/sec of incoming UDP data or about 200 a second )-: This is much worse than anything else I've seen. Gordon
Zeeshan Zakaria
2010-Apr-10 21:55 UTC
[asterisk-users] Being attacked by an Amazon EC2 ...
It's a good idea to set up Fail2ban, instructions for which are on voip-info.org. It at least blocks such IP addresses, hopefully prompting the attackers to move their attack somewhere else and leave you alone. Another good idea is to look up this IP address in the whois database and see if you can find contact info for the person responsible for it. Then contact them and let them know about this incident. You can also try to ask your ISP if they can block it on their end.

Zeeshan A Zakaria
--
Sent from my Android phone with K-9 Mail.
On Sat, 10 Apr 2010 22:34:28 +0100 (BST), Gordon Henderson <gordon+asterisk at drogon.net> wrote:
> Just a "heads-up" ... my home asterisk server is being flooded by someone
> from IP 184.73.17.150 which is an Amazon EC2 instance by the looks of it -
> they're trying to send SIP subscribes to one account - and they're
> flooding the requests in - it's averaging some 600Kbits/sec of incoming
> UDP data or about 200 a second )-:
>
> This is much worse than anything else I've seen.

Same here but 184.73.17.122. Look what they did to my latency, Gordon:-

http://f8lure.mouselike.org/archived_graphs/westek.bizorg.co.uk_day10.png

I've had bookmarks to Fail2Ban links on my desktop for a year now. Guess I'll have to do something about it.

If, hypothetically, I'd put that IP into hosts.deny - would it have stopped them?
Administrator TOOTAI
2010-Apr-11 11:04 UTC
[asterisk-users] Being attacked by an Amazon EC2 ...
Gordon Henderson wrote:
> Just a "heads-up" ... my home asterisk server is being flooded by someone
> from IP 184.73.17.150 which is an Amazon EC2 instance by the looks of it -
> they're trying to send SIP subscribes to one account - and they're
> flooding the requests in - it's averaging some 600Kbits/sec of incoming
> UDP data or about 200 a second )-:
>
> This is much worse than anything else I've seen.

List of Amazon IPs from which we have already been attacked on several of our servers in Europe (blocked with Fail2Ban):

75.101.195.70
79.125.30.56
184.72.6.92
184.73.70.8
184.73.21.31
184.73.16.184
204.236.169.224

We also faced attacks from China, Germany, Romania, Israel and Palestine

--
Daniel
Zeeshan Zakaria
2010-Apr-11 12:00 UTC
[asterisk-users] Being attacked by an Amazon EC2 ...
My experience is that as long as the hackers are getting any kind of response from your server, they'll keep their attack on, in the hope that they'll get into your system sooner or later. After all it is just some computers doing the work for them, no human is physically getting tired here. This is why when you block them in your iptables, and they stop getting a response from your end, i.e. no ping reply, no SIP response, nothing basically, then they eventually take their attack somewhere else, probably because they (or their hack attempt software) either assume that the IP they were attacking is no longer valid for the attack or that the user has taken enough security measures that attacking him is not worth the effort. On the contrary, in my experience, if you don't block them, eventually the attacks increase. Probably they let their other hacker friends know too that your server is a good candidate for a hack attempt.

Obviously it's only the ISPs who can truly stop such attacks by blocking them at their routers. If the hackers decide to keep bugging you, unfortunately there is nothing you can do to protect against the bandwidth waste. But I wonder if one's router doesn't respond back, e.g. it is physically off, and someone is doing such an attack, do the ISPs still consider it bandwidth usage?

Zeeshan A Zakaria

On 2010-04-11 7:41 AM, "Gordon Henderson" <gordon+asterisk at drogon.net> wrote:
> On Sun, 11 Apr 2010, --[ UxBoD ]-- wrote:
>> In the end I set up OSSEC (http://www.ossec.net) and wr...
>
> Cheers - but it's not blocking that's the real issue, that's trivial in my
> router or on the PBX, it's that my monthly ADSL data cap is being used up
> and my ISP is not responding (actually, they might if I phone them, but
> it's not desperate right now as I'm unlimited at the weekend), and neither
> is Amazon. My current monthly peak-time cap is 45GB - 8am to 8pm and they
> seem to be eating up some 7-10GB a day...
>
> So I might actually be OK and can just "weather it out", but it's still
> annoying. I'm tempted to just block all of Amazon's EC2 and say to hell
> with them. Shouldn't be too hard to track them down - eg. from whois on
> that IP:
>
> NetRange:   72.44.32.0 - 72.44.63.255
> CIDR:       72.44.32.0/19
> NetName:    AMAZON-EC2-2
>
> NetRange:   75.101.128.0 - 75.101.255.255
> CIDR:       75.101.128.0/17
> NetName:    AMAZON-EC2-4
>
> NetRange:   67.202.0.0 - 67.202.63.255
> CIDR:       67.202.0.0/18
> NetName:    AMAZON-EC2-3
>
> NetRange:   174.129.0.0 - 174.129.255.255
> CIDR:       174.129.0.0/16
> NetName:    AMAZON-EC2-5
>
> NetRange:   204.236.128.0 - 204.236.255.255
> CIDR:       204.236.128.0/17
> NetName:    AMAZON-EC2-6
>
> NetRange:   184.72.0.0 - 184.73.255.255
> CIDR:       184.72.0.0/15
> NetName:    AMAZON-EC2-7
>
> (so much for running out of IPv4 address space when Amazon has millions)
>
> And there are well-known published lists of all Chinese hosts, etc. too.
> Easy enough to cook up iptables to allow data from sites I connect out to,
> but block all incoming new connections.
>
> Gordon
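The two suggestions in the thread so far, a Fail2ban-style ban after repeated failures and Gordon's idea of treating the whole EC2 allocation as hostile, amount to a small amount of logic. The block below is an added example written for this page; it is not code from the thread, from Fail2ban or from the Asterisk project. It counts authentication failures per source address inside a sliding time window (the maxretry/findtime semantics Fail2ban uses; the values 5 and 60 seconds are picked for the example, not Fail2ban's defaults), checks each offender against the CIDR blocks from the whois output quoted above, and renders the DROP rule a ban action would run. The log lines are constructed in the chan_sip NOTICE format of Asterisk 1.6 (the style the voip-info.org filter matched) using the addresses posted in the thread plus RFC 5737 documentation addresses; they are not logs from the list.

```python
"""Fail2ban-style detection over Asterisk chan_sip log lines, with EC2-range enrichment.

Added example for this thread; the sample log below is constructed, not taken from the list.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The Amazon EC2 blocks exactly as they appear in the whois output quoted above.
EC2_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "72.44.32.0/19", "75.101.128.0/17", "67.202.0.0/18",
    "174.129.0.0/16", "204.236.128.0/17", "184.72.0.0/15",
)]

# Constructed sample of Asterisk 1.6-era chan_sip NOTICE lines. 203.0.113.9 probes
# slowly on purpose, to show that the sliding window, not a lifetime total, decides the ban.
SAMPLE_LOG = """\
[Apr 10 21:30:00] NOTICE[2410] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '184.73.17.150' - Wrong password
[Apr 10 21:30:00] NOTICE[2410] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '203.0.113.9' - No matching peer found
[Apr 10 21:30:01] NOTICE[2410] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '184.73.17.150' - Wrong password
[Apr 10 21:30:01] VERBOSE[2410] logger.c:     -- Executing [s@default:1] NoOp("SIP/200-00000001", "hello") in new stack
[Apr 10 21:30:02] NOTICE[2410] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '184.73.17.150' - Wrong password
[Apr 10 21:30:02] NOTICE[2410] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '184.73.17.150' - Wrong password
[Apr 10 21:30:03] NOTICE[2410] chan_sip.c: 184.73.17.150 failed to authenticate as '100'
[Apr 10 21:30:04] NOTICE[2410] chan_sip.c: 184.73.17.150 failed to authenticate as '100'
[Apr 10 21:30:05] NOTICE[2410] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Apr 10 21:30:30] NOTICE[2410] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '203.0.113.9' - No matching peer found
[Apr 10 21:30:40] NOTICE[2410] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Apr 10 21:31:00] NOTICE[2410] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '203.0.113.9' - No matching peer found
[Apr 10 21:31:30] NOTICE[2410] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '203.0.113.9' - No matching peer found
[Apr 10 21:32:00] NOTICE[2410] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '203.0.113.9' - No matching peer found
"""

# Common prefix: Asterisk's default dateformat, the NOTICE level, and the chan_sip source file.
PREFIX = r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
FAILURE_PATTERNS = [
    re.compile(PREFIX + r"Registration from '.*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})' - "),
    re.compile(PREFIX + r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) failed to authenticate as '"),
]


def parse_failures(lines):
    """Yield (timestamp, source_ip) for every line matching a known auth-failure message."""
    for line in lines:
        for pattern in FAILURE_PATTERNS:
            match = pattern.match(line)
            if match:
                # The default dateformat carries no year; ordering within one file is all we need.
                when = datetime.strptime(match.group("ts"), "%b %d %H:%M:%S")
                yield when, match.group("ip")
                break


def find_offenders(lines, maxretry=5, findtime=timedelta(seconds=60)):
    """Ban a source once it has `maxretry` failures inside any `findtime` window.
    Returns {ip: time_of_ban}; later events from a banned source are ignored."""
    recent = defaultdict(deque)
    banned = {}
    for when, ip in parse_failures(lines):
        if ip in banned:
            continue
        window = recent[ip]
        window.append(when)
        while when - window[0] > findtime:  # drop events that aged out of the window
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = when
    return banned


def in_ec2(ip):
    """True if the address sits in one of the EC2 blocks from the whois output."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EC2_RANGES)


def iptables_rules(banned):
    """Render one DROP rule per banned source, the equivalent of Fail2ban's actionban."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines())
    for ip, when in hits.items():
        origin = "Amazon EC2" if in_ec2(ip) else "not in the EC2 list"
        print(f"{ip}: threshold reached at {when:%H:%M:%S} ({origin})")
    print("\n".join(iptables_rules(hits)))
```

With the example values only 184.73.17.150 is banned; the slow prober stays under the threshold until either maxretry is lowered or findtime is widened, which is the trade-off a Fail2ban jail makes. A host-side DROP rule stops Asterisk from answering, which removes the response the attacker is waiting for, but the packets still arrive on the line, so it does nothing for the data-cap problem Gordon describes.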
> It's a good idea to set up Fail2ban, instructions for which are on
> voip-info.org. It at least blocks such IP addresses, hopefully prompting the
> attackers to move their attack somewhere else and leave you alone.

I personally use Fail2ban, it works but won't keep your line from being flooded. My last attacker kept trying for 3 days....

> Another good idea is to look up this IP address in the whois database and see if you
> can find contact info for the person responsible for this IP address. Then
> contact them and let them know about this incident.
> You can also try to ask your ISP if they can block it on their end.

Fail2ban can send you whois info about every blocked IP. I'm just not sure if any kind of reporting will help :-(

> Zeeshan A Zakaria

Martin L
Zeeshan Zakaria
2010-Apr-11 18:04 UTC
[asterisk-users] Being attacked by an Amazon EC2 ...
I always report at least. This is still better than not bringing it to their attention. I once worked in the NOC of a big data centre of a major ISP, and we often got calls regarding IPs from our data centres involved in spam and hacks, but unless there were a number of complaints, nobody had the time or resources to dedicate to verifying the validity of individual complaints and taking action.

Zeeshan A Zakaria

On 2010-04-11 1:41 PM, "Martin" <ra25 at atlas.cz> wrote:
> I personally use Fail2ban, it works but won't keep your line from being flooded.
> My last attacker kept trying for 3 days....
> Fail2ban can send you whois info about every blocked IP. I'm just not sure if
> any kind of reporting will help :-(
Zeeshan Zakaria
2010-Apr-12 13:38 UTC
[asterisk-users] Being attacked by an Amazon EC2 ...
I got the same generic response, asking me to submit the same info which I had already submitted. This clearly shows they are not interested in tracing "just another" hacker on their cloud.

Zeeshan A Zakaria

On 2010-04-12 9:24 AM, "Fred Posner" <fred at teamforrest.com> wrote:
> On Apr 12, 2010, at 9:12 AM, --[ UxBoD ]-- wrote:
>> Perhaps if there was an Asterisk RBL we ...
>
> I love the idea of a RBL... count me in for contributing. Especially
> considering the ridiculous response I received from Amazon. (Basically told
> me to submit host, destination, port, proto, and log... which of course was
> already included in the original complaint)
>
> ---fred
> http://qxork.com
Zeeshan Zakaria
2010-Apr-12 13:52 UTC
[asterisk-users] Being attacked by an Amazon EC2 ...
If RBL or something is practical, I'm in too. But at what level will these hackers be blocked? Unless some big ISPs cooperate, it is not much use.

Zeeshan A Zakaria
On Apr 12, 2010, at 8:17 AM, Fred Posner wrote:
> On Apr 12, 2010, at 9:12 AM, --[ UxBoD ]-- wrote:
>> Perhaps if there was an Asterisk RBL we could all contribute to; for which
>> we could then hook into and drop any connection where a source IP is
>> listed?
>> --
>> Thanks, Phil
>
> I love the idea of a RBL... count me in for contributing.

I would contribute to this as well.

Chris

-------------------------------------------------------------------------
Chris Owen - Garden City (620) 275-1900 - Lottery (noun):
President - Wichita (316) 858-3000 - A stupidity tax
Hubris Communications Inc www.hubris.net
-------------------------------------------------------------------------
On Tue, 2010-04-13 at 15:49 +0200, Philipp von Klitzing wrote:
> Hi!
>
>> Any additional security within * is fine, but if someone is simply
>> drowning your bandwidth, action must be taken at a lower level.
>> Otherwise you end up re-inventing the wheel for DoS attacks for voip,
>> mail, ssh, ldap, http, rsync, (or any other service you might be running)
>
> However, I *still* think Asterisk should provide a "delayreject" option
> in sip.conf to greatly slow down answering request avalanches. That will
> help to address the bandwidth issue if the attacker is configured to wait
> for a response before starting the next request.
>
> Apart from that here are the most important messages: Use strong
> passwords in sip.conf, and use keys in iax.conf, and avoid usernames that
> can be guessed too easily (numbers from 100 to 9999 and first names).
>

Agreed, best would be to only use SSL certificates for authentication, but not all parts involved support that, (to put it mildly...)

hw
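Philipp's advice about sip.conf can be checked mechanically before an attacker runs the same guesses against the box. The block below is an added example written for this page, not code from the thread or from the Asterisk project: a minimal reader for Asterisk's ini-style configuration and an audit that flags the two username classes he names (numbers from 100 to 9999 and first names) together with secrets that are absent, equal to the username, all digits or short. The sample sip.conf, the short first-name list and the 12-character minimum are constructed for the example; the iax.conf key advice is not covered here.

```python
"""Audit sip.conf for guessable usernames and weak secrets.

Added example for this thread; the config and wordlist below are constructed.
"""
import re

# Constructed sample sip.conf; the accounts are illustrative, not from the thread.
SAMPLE_SIP_CONF = """\
[general]
context=default
allowguest=no            ; do not let unauthenticated callers into the dialplan

[100]
type=friend
secret=100               ; secret equals the extension
host=dynamic
context=internal

[200]
type=friend
secret=1234
host=dynamic

[john]
type=friend
secret=Summer2010
host=dynamic

[x7q-desk-phone]
type=friend
secret=9fT!k2Lp#Qw8Zr4m
host=dynamic

[trunk-provider]
type=peer
host=sip.example.net
secret=long-random-trunk-secret-Q8v1
"""

# Constructed stand-in for a real first-name wordlist.
COMMON_FIRST_NAMES = {"john", "mary", "bob", "alice", "dave", "peter"}
# Assumption for the example, not a figure from the thread.
MIN_SECRET_LEN = 12


def parse_asterisk_conf(text):
    """Minimal reader for Asterisk's config syntax: [section] headers,
    key=value or key => value lines, ';' comments. Templates and #include are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # Asterisk treats ';' as the start of a comment
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        parts = re.split(r"\s*=>?\s*", line, maxsplit=1)
        if len(parts) == 2 and current is not None:
            sections[current][parts[0]] = parts[1]
    return sections


def audit_sip_conf(text):
    """Return (account, finding) pairs for entries an attacker could guess."""
    findings = []
    for name, opts in parse_asterisk_conf(text).items():
        if name == "general" or opts.get("type") not in ("friend", "user", "peer"):
            continue
        # Philipp's two classes of guessable usernames.
        if name.isdigit() and 100 <= int(name) <= 9999:
            findings.append((name, "extension-style numeric username"))
        if name.lower() in COMMON_FIRST_NAMES:
            findings.append((name, "first name as username"))
        secret = opts.get("secret")
        if secret is None:
            findings.append((name, "no secret set"))
            continue
        if secret == name:
            findings.append((name, "secret equals username"))
        if secret.isdigit():
            findings.append((name, "all-digit secret"))
        if len(secret) < MIN_SECRET_LEN:
            findings.append((name, f"secret shorter than {MIN_SECRET_LEN} characters"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_sip_conf(SAMPLE_SIP_CONF):
        print(f"[{account}] {finding}")
```

On the sample the three accounts an attacker's dictionary would hit first ([100], [200] and [john]) produce every finding; the device named by an arbitrary string with a long random secret and the trunk entry produce none. The parser strips everything after ';' because Asterisk does the same, so a secret containing that character would not survive in the real config either.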