The Dark Side of the Cloud
A major SIP attack launched from Amazon's EC2 cloud raises questions about cloud security.
The Amazon Elastic Compute Cloud (EC2) service is a poster child of the cloud revolution. Making massively scalable resources available without significant capital investment is a revolutionary concept that's ideal for bursty businesses such as Intuit's TurboTax. Telephony related firms such as Twilio and Ribbit rely on Amazon's services to instantly expand as their customers and projects require.
EC2 is a web infrastructure service that provides instant application-ready infrastructure that charges by usage instead of capacity. According to the EC2 website, "Amazon EC2 reduces the time required to obtain and boot new server instances to minutes, allowing you to quickly scale capacity, both up and down, as your computing requirements change."
The elasticity and scalability associated with EC2 were unheard of just a few years ago, and are still astounding. But what happens when those resources are used for evil instead of good?
Last week, a major SIP attack was launched from the EC2 cloud. It was a brute force attack that searched for open SIP ports in order to unrelentingly pound on phone systems searching for valid credentials.
Brute force attacks such as these are not uncommon--and sometimes are actually intended or act as a denial of service attack (DoS). But this is the era of the cloud, and "massively scalable" applies to attacks as well. One blogger reported the attack was on track to consume 6-10 GBs of traffic in one day on his WAN.
What Happened
Amazon Web Services (AWS) offers what's known as Infrastructure as a Service (IaaS) and is just one form of cloud computing. Though AWS is rather small in Amazon's portfolio, it is experiencing rapid growth and could conceivably overtake its e-commerce business in the future. Amazon's IaaS offering includes highly scalable virtual servers, storage, and networking services available on-demand without a contract and charged with a pay-as-you-use model. It allows organizations (and individuals) to develop core applications and capabilities without having to build, fund, and manage the capital equipment and physical aspects of a data center. Numerous success stories exist. Consider Netflix, which is experiencing a major shift in business model from physical DVD rental to real-time video streaming. Neflix selected Amazon's EC2 service for infrastructure rather than build-out a data center.
Last week, a number of telecom administrators noticed a major attack on their systems. Administrators started discussing over Twitter and VoIP groups a development that was to become a three-day attack. The widespread assault was coming from Amazon EC2 at an amazing rate.
SIP attacks are not new, but it is clear that cloud technology brings a new level of capability, capacity, and anonymity to the security problem. All it takes to unlock Internet services capable of mass destruction is a credit card.
It appears the intent of the attack was only to scan for valid SIP credentials. A valid SIP registration can be sold, used for toll-fraud, used to masquerade as the victim, or as a means to bypass surveillance such as wiretapping.
There was no indication the attack specifically targeted particular users or phone systems--rather it likely hit Internet sites scanning for UDP access on port 5060. Asterisk systems log such attempts visibly, and the Asterisk community of users reached out to each other. In particular, administrators Fred Posner and Stuart Sheldon independently blogged their observations and reported the matter to Amazon. Posner blogged: "The [brute force attack] complaints mentioned this weekend show an excessive amount of traffic; with some providers claiming 6GB of traffic dedicated to such attacks. Since we ourselves received an attack from an Amazon hosted server, we also reported and complained to the Amazon NOC/Abuse depts."
