Hello Erik,

Do you care to share the IP address? So everyone could update their
firewalls to block the attacks? Even only blocking known SIP ports (5060)
could be a good idea.

With kind regards,

Mark Scholten

> -----Original Message-----
> From: Erik L [mailto:erik_l...@caneris.com]
> Sent: Monday, April 12, 2010 3:05 PM
> To: Michael J McCafferty
> Cc: nanog@nanog.org
> Subject: RE: Seeking Amazon EC2 abuse contact
> 
> Michael,
> 
> I've received numerous off-list responses yesterday. Most of them were
> asking if I've made contact with anyone there as they were being
> attacked as well. One gentleman who works at AWS (but not EC2 abuse)
> promised to forward my e-mail to them. I've also been reading the
> asterisk-users list where many have reported attacks from Amazon EC2 as
> well over the past few days.
> 
> At one point we were seeing 197 SIP brute force attempts per second
> against a customer's box. The intensity in terms of bandwidth is low,
> but if you do the math, you can see that this isn't the point.
> 
> This morning I received an e-mail from Amazon which was basically the
> same as the one you received. The attack is still on-going and I've
> still not made contact with a human at Amazon.
> 
> Erik
> 
> 
> 
> > -----Original Message-----
> > From: Michael J McCafferty [mailto:m...@m5computersecurity.com]
> > Sent: April 12, 2010 05:16
> > To: Erik L
> > Cc: nanog@nanog.org
> > Subject: Re: Seeking Amazon EC2 abuse contact
> >
> > Erik,
> >     We have several customers being attacked from the same EC2 instance on
> > their network for 2 full days now. Contacted them at
> > ec2-ab...@amazon.com and 25 hours later received a message that
> > basically said, "Yep, we can confirm that a customer of ours is
> > attacking you but that's their fault. We sometimes do stuff, but not in
> > this case. Please don't block us, because the IP might be someone else
> > later. Have a nice day".
> >     The telephone number in the WHOIS record goes to a general voicemail
> > box for their legal department.
> >     A few of our customers who are being attacked by this same instance at
> > EC2 have also contacted Amazon, and were told essentially the same
> > thing.
> >     While I appreciate that they sent a response, I do not appreciate its
> > uselessness.
> >     Anyone over there at AWS that can do something willing to reply to me
> > directly?
> >
> > Thanks!
> > Mike
> >
> >
> > On Sun, 2010-04-11 at 10:38 -0400, Erik L wrote:
> > > Could someone from Amazon EC2 please contact me off-list
> > > regarding an abuse issue from one of their IPs?
> > > Alternatively, could someone please send me the contact
> > > details of someone there?
> > >
> > > E-mailing the abuse e-mail listed in WHOIS per their
> > > instructions, including all pertinent data, results in an
> > > auto-reply indicating to use a form on their site. Submitting
> > > the form results in "There has been an error while submitting
> > > your data. Please try again later." Calling their supposed
> > > NOC (as per WHOIS) results in "You have reached the legal
> > > department at Amazon...please leave a message".
> > >
> > > Thanks
> > >
> > --
> > ************************************************************
> > Michael J. McCafferty
> > Principal
> > M5 Hosting
> > http://www.m5hosting.com
> >
> > You can have your own custom Dedicated Server up and running today !
> > RedHat Enterprise, CentOS, Ubuntu, Debian, OpenBSD, FreeBSD, and more
> > ************************************************************
> >
> >

