Comments on: Amazon EC2 SIP Brute Force Attacks on Rise

By: Explaining SIP Brute Force Attacks to non-techs | TEAM FORREST Blog

Explaining SIP Brute Force Attacks to non-techs | TEAM FORREST Blog — Fri, 11 Mar 2011 04:48:30 +0000

[...] a SIP Brute Force attack on their elastix system. Besides the shock of a call from the feds (why did they ignore those Amazon attacks?), the realization of explaining a sip attack to someone not familiar with SIP, telephony, [...]

By: protección y contramedidas en asterisk « sergi @ nucli.org

protección y contramedidas en asterisk « sergi @ nucli.org — Mon, 11 Oct 2010 12:54:22 +0000

[...] administrador de servidores SIP puede observar con relativa asiduidad ataques de fuerza bruta, como los que recientemente venían de instancias EC2 de Amazon (tuve la suerte o desgracia de presenciar uno de ellos, sin mas molestia que una interrupción de [...]

By: VK

VK — Mon, 23 Aug 2010 22:23:24 +0000

I’m currently being deluged by SIP register packets from an host apparently hosted by gogrid.com, so no doubt the cloud providers are going to repeat all the mistakes of the ISPs and email providers in hosting and facilitating malicious customers.

By: Sam Hunt

Sam Hunt — Tue, 03 Aug 2010 22:25:33 +0000

News Update: Amazon EC2 SIP Brute Force Attacks on Rise | VoIP Tech Chat http://ow.ly/18pHxv

By: Joe Devon

Joe Devon — Sat, 19 Jun 2010 23:37:48 +0000

This is a bit of concern about Amazon cloud services (by @fredposner): http://bit.ly/bhyW5x

By: SIP Attacks From Amazon EC2 Cloud Continue | VoIP Tech Chat

SIP Attacks From Amazon EC2 Cloud Continue | VoIP Tech Chat — Sun, 16 May 2010 22:11:09 +0000

[...] over a month ago, we reported that SIP attacks from the Amazon EC2 cloud were on the rise. While the attacks we received last month were limited to “extension only” registration [...]

By: Rick

Rick — Sat, 15 May 2010 20:04:28 +0000

Fred -

Well as of this morning, I can confirm that attacks from Amazon continue. We saw a compromise of an extension that originated from EC-2 (79.125.71.218). The successful authentication to the system was at 10:58am EST on 5/15/10.

What is interesting is that this system was not used to make any calls – instead they originated from another IP, based out of Germany. This other IP (91.194.85.241) also appeared to be brute forcing as the client was ‘friendly scanner’, which is sipvicious from what I can see.

We reported both to the related abuse contacts, but like other submissions, I don’t expect a lot of response.

I hope that Amazon is actively working on these – I recognize the challenge they have given the number of systems they manage. But active cooperation and protactive monitoring for abnormal traffic seem to be an obvious necessity if one is to run a system like they do.

By: Avery

Avery — Fri, 14 May 2010 02:59:25 +0000

Fred you have done a good job on trying to track down answers. It really surprises me when people pull stuff out of no where to try and derail your progress.

You never said anything about asking about accounts, that was just yanked out of the depths of.. well you know Matt…

Also, Segedunum sounds like some Amazon employee trying to protect their interest. I’m not saying directly he/she is but come on read your own comments, nearly everything you said was pulled out of no where and not even one thing was accurate.

If you are going to attack what Fred is doing, at least get the facts right. Otherwise you look like a douchebag.

Keep up the good work Fred.

By: Tweets that mention Amazon EC2 SIP Brute Force Attacks on Rise -- Topsy.com

Tweets that mention Amazon EC2 SIP Brute Force Attacks on Rise -- Topsy.com — Thu, 29 Apr 2010 01:18:34 +0000

[...] This post was mentioned on Twitter by WW Ben Franklin Do?. WW Ben Franklin Do? said: RT @fredposner: Amazon EC2 SIP Brute Force Attacks on Rise http://bit.ly/bWw1VQ [...]

By: Amazon EC2 #fails to Investigate Attacks | VoIP Users Conference

Amazon EC2 #fails to Investigate Attacks | VoIP Users Conference — Sat, 24 Apr 2010 08:07:09 +0000

[...] Amazon EC2 attacks: just a PR damage control post or two, no real action. [...]