Amazon EC2 cloud hosts SIP attacks

For many years, security researchers have pointed to Amazon's cloud service (EC2) as a viable host environment for wide-scale hacking attempts.  Viable now becomes definite.

VoIP security experts Patrick Goldberg and Fred Posner, who also manage large-scale VoIP infrastructure environments, are no strangers to external attacks. Gone are the days of Captain Crunch and his telecommunications whistle; the modern-day attacker is after VoIP circuits across the Internet.

According to the two administrators, attacks from Amazon's EC2 cloud started increasing around a month ago and have now peaked with two immense attacks in the past few days.

According to Posner, "The first attack came from 204.236.245.101. In less than 60 seconds, this IP attempted more than 11,500 registrations against our server. Most of these were 4-digit extensions. The second attack came from 184.73.4.183. In less than 90 seconds, this IP attempted more than 21,000 registrations against our server, including what we think is a standard dictionary attack complete with root, postmaster, pixadmin, etc."
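Floods like the two Posner describes stand out on two signals: REGISTER volume per source, and the number of distinct usernames a single source tries. The following is an added example, not code from the article or from the administrators; the log format, thresholds, block lifetime and sample addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 60        # seconds of history kept per source (assumed)
MAX_REGS = 100     # REGISTERs allowed per source per window (assumed)
MAX_USERS = 10     # distinct usernames allowed per source per window (assumed)
BLOCK_TTL = 3600   # seconds; blocks expire because cloud addresses are reassigned


def detect(lines):
    """Return {ip: (blocked_at, expires_at, reason)} for flooding sources.

    Constructed log format, one event per line, sorted by time:
    '<epoch_seconds> <src_ip> <sip_method> <username>'
    """
    recent = defaultdict(deque)   # ip -> (ts, user) events inside the window
    blocks = {}
    for line in lines:
        ts, ip, method, user = line.split()
        ts = float(ts)
        if method != "REGISTER":
            continue
        if ip in blocks and ts < blocks[ip][1]:
            continue              # source is blocked and the block is still active
        q = recent[ip]
        q.append((ts, user))
        while q and q[0][0] <= ts - WINDOW:
            q.popleft()           # drop events older than the window
        if len(q) > MAX_REGS:
            reason = "rate"
        elif len({u for _, u in q}) > MAX_USERS:
            reason = "username-scan"
        else:
            continue
        blocks[ip] = (ts, ts + BLOCK_TTL, reason)
        q.clear()
    return blocks


def sample_log():
    """Constructed sample: one phone re-registering, one source sweeping extensions."""
    lines = [f"{1000 + i * 30} 192.0.2.10 REGISTER 2001" for i in range(20)]
    # 4-digit extension sweep at about 200 REGISTERs per second
    lines += [f"{1000 + i * 0.005:.3f} 198.51.100.7 REGISTER {1000 + i}" for i in range(2000)]
    return sorted(lines, key=lambda l: float(l.split()[0]))


if __name__ == "__main__":
    for ip, (start, end, why) in detect(sample_log()).items():
        print(ip, why, f"blocked {start:.3f} until {end:.3f}")
```

The username check fires long before the rate check on an extension sweep, so the source is cut off after a handful of guesses, while a phone that re-registers the same extension every 30 seconds never trips either limit.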

Goldberg and Posner despair of Amazon's ability to do anything about this after complaining via the abuse email address, "which results with Amazon either completely ignoring you or sending a delayed response asking for the exact information you have already sent (and then ignoring you)."

Following the initial publication of their 'rant,' the VoIP administrators received a response from Amazon which could be regarded at best as laughable:

Thank you for submitting your abuse report.

We have completed an initial investigation of the issue and learned that the IP address you reported did indeed belong to an Amazon EC2 instance. These intrusion attempts that you report were not, however, initiated by Amazon.

One of the biggest advantages of Amazon EC2 is that developers are given complete control of their instances. While the IPs may indicate that the network is Amazon's, our developer customers are the ones controlling the instances. You may learn more about EC2 at http://aws.amazon.com/ec2

That said, we do take reports of unauthorized network activity from our environment very seriously. It is specifically forbidden in our terms of use. We've already contacted the Amazon EC2 customer who controlled the instance in question and informed them that they are required to terminate their unauthorized interaction with your network, failing which we will terminate their instance. In cases of egregious abuse or as we otherwise deem appropriate, we will immediately terminate all their instances and suspend their account.

If you have blocked this address range, please be aware that usage on the address range is transient and new users may soon be operating from those addresses and may not be able to reach you; once you have confirmed that the activity has been ceased by our customer, you should open your filters to re-allow traffic.

Thanks again for alerting us to this issue.

Original report:

* Source IPs: 204.236.245.101
* Abuse Time: Sun May 16 08:53:00 UTC 2010
* NTP: Y

How can I send a message to the EC2 customer?
Complete and submit the web form here.

How can I contact a member of the Amazon EC2 abuse team?
Send an e-mail to [address hidden by the source page] to contact a member of the Amazon EC2 abuse team.

Please note: This e-mail message was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.

Amazon Web Services