On April 18th Amazon finally responded publicly with respect to the SIP attacks recently suffered from hosts within their EC2 service. Their response comes in the form of an informational security bulletin posted to their AWS Security Center.
There have been some recent discussions about SIP brute force attacks originating from Amazon EC2. We can confirm that several users reported SIP brute force attacks originating from a small number of Amazon EC2 instances about a week ago. It appears these attacks were designed to exploit security vulnerabilities in the SIP protocol. There is nothing specific about this attack that requires Amazon EC2. It was a brute force attack that could be launched from any computer on any network.
The behavior of these instances clearly violated our terms of usage. We responded to the abuse reports according to our normal abuse reporting procedures and shut down the abusive account when we were able to confirm the abusive behavior. We take all claims of misuse of our services very seriously and investigate each one. When we find misuse, we take action quickly and shut it down. Our terms of usage are clear and we continually monitor and work to make sure the services aren’t used for illegal activity. It’s important to note that we take the privacy of our customers very seriously, and don’t inspect the contents of instances. This is part of the reason that legitimate customers of all types are comfortable running production applications on Amazon EC2. However, when abuse is detected, we are able to act swiftly to isolate the abusive behavior.
We are looking closely at this event to determine how we can respond better in the future. First, we have made modifications to our abuse detection protocols so we can more quickly identify SIP-based abuse in the future. We are also engaging significant SIP providers to open up communication channels so we can quickly respond to any significant SIP abuse that is not detected in the future. Finally, we are working on making modifications to our abuse reporting mechanisms to better assure we respond promptly in situations like these.
They are correct in that there was nothing special about the attack itself. That is, nothing unique that required the use of EC2. However, the very scalability of EC2 that is heralded as magnificent for business also makes it an ideal platform from which to launch large scale attacks of any kind.
I remain disappointed at their claim of action when contrasted against Fred’s actual experience. They were unacceptably slow to respond, and remarkably opaque about the matter.
Further, their direct contact with Fred was solely by way of their PR department. That just about perfectly frames up their understanding of the issue: a public relations matter.
Security is more than a public relations issue!
If I were subject to such an attack, and met with this kind of response from the company hosting the attack, I would immediately report it to the FBI Cyber Crimes Unit.
Perhaps such attention might help compel the host to move more swiftly in addressing the matter. Perhaps it might even get elevated beyond the public relations department.