[125302] in North American Network Operators' Group
RE: Seeking Amazon EC2 abuse contact
daemon@ATHENA.MIT.EDU (Erik L)
Mon Apr 12 09:05:35 2010
From: Erik L <erik_list@caneris.com>
To: Michael J McCafferty <mike@m5computersecurity.com>
Date: Mon, 12 Apr 2010 09:05:09 -0400
In-Reply-To: <1271063763.6107.3179.camel@mike-desktop>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Michael,
I've received numerous off-list responses yesterday. Most of them were aski=
ng if I've made contact with anyone there as they were being attacked as we=
ll. One gentleman who works at AWS (but not EC2 abuse) promised to forward =
my e-mail to them. I've also been reading the asterisk-users list where man=
y have reported attacks from Amazon EC2 as well over the past few days.
At one point we were seeing 197 SIP brute force attempts per second against=
a customer's box. The intensity in terms of bandwidth is low, but if you d=
o the math, you can see that this isn't the point.
This morning I received an e-mail from Amazon which was basically the same =
as the one you received. The attack is still on-going and I've still not ma=
de contact with a human at Amazon.
Erik
> -----Original Message-----
> From: Michael J McCafferty [mailto:mike@m5computersecurity.com]=20
> Sent: April 12, 2010 05:16
> To: Erik L
> Cc: nanog@nanog.org
> Subject: Re: Seeking Amazon EC2 abuse contact
>=20
> Erik,
> We have several customers being attacked from the same=20
> EC2 instance on
> their network for 2 full days now. Contacted them at
> ec2-abuse@amazon.com and 25 hours later received a message that
> basically said, "Yep, we can confirm that a customer of ours is
> attacking you but that's their fault. We sometimes do stuff,=20
> but not in
> this case. Please don't block us, because the IP might be someone else
> later. Have a nice day".
> The telephone number in the WHOIS record goes to a=20
> general voicemail
> box for their legal department.
> A few of our customers who are being attacked by this=20
> same instance at
> EC2 have also contacted Amazon, and were told essentially the same
> thing.
> While I appreciate that they sent a response, I do not=20
> appreciate it's
> uselessness.
> Anyone over there at AWS that can do something willing=20
> to reply to me
> directly?
>=20
> Thanks!
> Mike
>=20
>=20
> On Sun, 2010-04-11 at 10:38 -0400, Erik L wrote:
> > Could someone from Amazon EC2 please contact me off-list=20
> regarding an abuse issue from one of their IPs?=20
> Alternatively, could someone please send me the contact=20
> details of someone there?
> >=20
> > E-mailing the abuse e-mail listed in WHOIS per their=20
> instructions, including all pertinent data, results in an=20
> auto-reply indicating to use a form on their site. Submitting=20
> the form results in "There has been an error while submitting=20
> your data. Please try again later." Calling their supposed=20
> NOC (as per WHOIS) results in "You have reached the legal=20
> department at Amazon...please leave a message".
> >=20
> > Thanks
> >=20
> --=20
> ************************************************************
> Michael J. McCafferty
> Principal
> M5 Hosting
> http://www.m5hosting.com
>=20
> You can have your own custom Dedicated Server up and running today !
> RedHat Enterprise, CentOS, Ubuntu, Debian, OpenBSD, FreeBSD, and more
> ************************************************************
>=20
> =
