Hello Erik, Do you care to share the IP address? So everyone could update their firewalls to block the attacks? Even only blocking known SIP ports (5060) could be a good idea.
With kind regards, Mark Scholten > -----Original Message----- > From: Erik L [mailto:erik_l...@caneris.com] > Sent: Monday, April 12, 2010 3:05 PM > To: Michael J McCafferty > Cc: nanog@nanog.org > Subject: RE: Seeking Amazon EC2 abuse contact > > Michael, > > I've received numerous off-list responses yesterday. Most of them were > asking if I've made contact with anyone there as they were being > attacked as well. One gentleman who works at AWS (but not EC2 abuse) > promised to forward my e-mail to them. I've also been reading the > asterisk-users list where many have reported attacks from Amazon EC2 as > well over the past few days. > > At one point we were seeing 197 SIP brute force attempts per second > against a customer's box. The intensity in terms of bandwidth is low, > but if you do the math, you can see that this isn't the point. > > This morning I received an e-mail from Amazon which was basically the > same as the one you received. The attack is still on-going and I've > still not made contact with a human at Amazon. > > Erik > > > > > -----Original Message----- > > From: Michael J McCafferty [mailto:m...@m5computersecurity.com] > > Sent: April 12, 2010 05:16 > > To: Erik L > > Cc: nanog@nanog.org > > Subject: Re: Seeking Amazon EC2 abuse contact > > > > Erik, > > We have several customers being attacked from the same > > EC2 instance on > > their network for 2 full days now. Contacted them at > > ec2-ab...@amazon.com and 25 hours later received a message that > > basically said, "Yep, we can confirm that a customer of ours is > > attacking you but that's their fault. We sometimes do stuff, > > but not in > > this case. Please don't block us, because the IP might be someone > else > > later. Have a nice day". > > The telephone number in the WHOIS record goes to a > > general voicemail > > box for their legal department. > > A few of our customers who are being attacked by this > > same instance at > > EC2 have also contacted Amazon, and were told essentially the same > > thing. > > While I appreciate that they sent a response, I do not > > appreciate it's > > uselessness. > > Anyone over there at AWS that can do something willing > > to reply to me > > directly? > > > > Thanks! > > Mike > > > > > > On Sun, 2010-04-11 at 10:38 -0400, Erik L wrote: > > > Could someone from Amazon EC2 please contact me off-list > > regarding an abuse issue from one of their IPs? > > Alternatively, could someone please send me the contact > > details of someone there? > > > > > > E-mailing the abuse e-mail listed in WHOIS per their > > instructions, including all pertinent data, results in an > > auto-reply indicating to use a form on their site. Submitting > > the form results in "There has been an error while submitting > > your data. Please try again later." Calling their supposed > > NOC (as per WHOIS) results in "You have reached the legal > > department at Amazon...please leave a message". > > > > > > Thanks > > > > > -- > > ************************************************************ > > Michael J. McCafferty > > Principal > > M5 Hosting > > http://www.m5hosting.com > > > > You can have your own custom Dedicated Server up and running today ! > > RedHat Enterprise, CentOS, Ubuntu, Debian, OpenBSD, FreeBSD, and more > > ************************************************************ > > > >
