Linux Today: Linux News On Internet Time.

SIP Brute Force Attack Originating From Amazon EC2 Hosts (Amazon unresponsive)

Apr 12, 2010, 16:34 (0 Talkback[s])
(Other stories by Stuart Sheldon)

"I woke up Saturday morning to find strangely high network activity on some of our inbound connections. After a quick review, it turned out that most of the traffic was going into several of our hosted PBX systems. After a little more digging, I discovered that several systems on the Amazon EC2 network were preforming brute force attacks, against our VoIP servers. They were attempting to guess user names and passwords for our SIP clients. I immediately blocked all traffic from the attacking IPs and examined the logs. Thankfully, I found that non of the attacks had succeeded in guessing passwords.

"Confident that the immediate threat was dealt with, I shot off a complaint to ec2-abuse@amazon.com listing the IP addresses and some log snapshots for validation. I fully expected to see the attack traffic disappear from our edge as soon as Amazon got the report. Boy, was I wrong..."

Complete Story

Related Stories: