Seeking Amazon EC2 abuse contact

Mark Scholten mark at streamservice.nl
Mon Apr 12 08:39:26 CDT 2010


Hello Erik,

Do you care to share the IP address? So everyone could update their
firewalls to block the attacks? Even only blocking known SIP ports (5060)
could be a good idea.

With kind regards,

Mark Scholten

> -----Original Message-----
> From: Erik L [mailto:erik_list at caneris.com]
> Sent: Monday, April 12, 2010 3:05 PM
> To: Michael J McCafferty
> Cc: nanog at nanog.org
> Subject: RE: Seeking Amazon EC2 abuse contact
> 
> Michael,
> 
> I've received numerous off-list responses yesterday. Most of them were
> asking if I've made contact with anyone there as they were being
> attacked as well. One gentleman who works at AWS (but not EC2 abuse)
> promised to forward my e-mail to them. I've also been reading the
> asterisk-users list where many have reported attacks from Amazon EC2 as
> well over the past few days.
> 
> At one point we were seeing 197 SIP brute force attempts per second
> against a customer's box. The intensity in terms of bandwidth is low,
> but if you do the math, you can see that this isn't the point.
> 
> This morning I received an e-mail from Amazon which was basically the
> same as the one you received. The attack is still on-going and I've
> still not made contact with a human at Amazon.
> 
> Erik
> 
> 
> 
> > -----Original Message-----
> > From: Michael J McCafferty [mailto:mike at m5computersecurity.com]
> > Sent: April 12, 2010 05:16
> > To: Erik L
> > Cc: nanog at nanog.org
> > Subject: Re: Seeking Amazon EC2 abuse contact
> >
> > Erik,
> > 	We have several customers being attacked from the same
> > EC2 instance on
> > their network for 2 full days now. Contacted them at
> > ec2-abuse at amazon.com  and 25 hours later received a message that
> > basically said, "Yep, we can confirm that a customer of ours is
> > attacking you but that's their fault. We sometimes do stuff,
> > but not in
> > this case. Please don't block us, because the IP might be someone
> else
> > later. Have a nice day".
> > 	The telephone number in the WHOIS record goes to a
> > general voicemail
> > box for their legal department.
> > 	A few of our customers who are being attacked by this
> > same instance at
> > EC2 have also contacted Amazon, and were told essentially the same
> > thing.
> > 	While I appreciate that they sent a response, I do not
> > appreciate it's
> > uselessness.
> > 	Anyone over there at AWS that can do something willing
> > to reply to me
> > directly?
> >
> > Thanks!
> > Mike
> >
> >
> > On Sun, 2010-04-11 at 10:38 -0400, Erik L wrote:
> > > Could someone from Amazon EC2 please contact me off-list
> > regarding an abuse issue from one of their IPs?
> > Alternatively, could someone please send me the contact
> > details of someone there?
> > >
> > > E-mailing the abuse e-mail listed in WHOIS per their
> > instructions, including all pertinent data, results in an
> > auto-reply indicating to use a form on their site. Submitting
> > the form results in "There has been an error while submitting
> > your data. Please try again later." Calling their supposed
> > NOC (as per WHOIS) results in "You have reached the legal
> > department at Amazon...please leave a message".
> > >
> > > Thanks
> > >
> > --
> > ************************************************************
> > Michael J. McCafferty
> > Principal
> > M5 Hosting
> > http://www.m5hosting.com
> >
> > You can have your own custom Dedicated Server up and running today !
> > RedHat Enterprise, CentOS, Ubuntu, Debian, OpenBSD, FreeBSD, and more
> > ************************************************************
> >
> >





More information about the NANOG mailing list