When Amazon Cloud Servers Attack
Amazon boasts a secured server layer with elastic IP support. They also claim that your AWS clouds are actively protected from network intrusions from outside sources. While this sounds good, they lack one simple thing: fast action when Amazon cloud servers attack you on your doorstep.
For 4 months I was constantly being attacked from Amazon, but reporting an incident requires a lot of waiting, filling out forms, and sending emails which will ask you to fill out a form again. Doing this over and over again countless times slowly becomes frustrating. On one instance I was requested to prove that I am not doing any kind of penetration testing with the AWS cloud and asked to file a form with pen-testing at the penetration testing request form.
Our Acceptable Use Policy describes permitted and prohibited behavior on AWS and includes descriptions of prohibited security violations and network abuse. However, because penetration testing and other simulated events are frequently indistinguishable from these activities, we have established a policy for customers to request permission to conduct penetration tests and vulnerability scans to or originating from the AWS environment
The line above prevents complaint reports from third-party server owners when they are on the receiving end of AWS brute force and DDoS attempts. You need to prove that the attacks were not self-initiated, which is kind of odd: why would you purchase a server in Amazon to attack your existing servers?
Digging further into brute force attempts and DDoS from the AWS cloud, I found a ton of related complaints with almost no resolution on the side of Amazon. Some were forced to migrate to Amazon since then; only then did Amazon act accordingly and terminate the offending instance.
Here are a few example reports:
- infoworld.com – Attack from Amazon AWS
- stuartsheldon.org – Brute force attempts from AWS
- jcs.org – SIP flood from Amazon AWS
There are more reports on BBS systems (yeah, they are very old), forums, mailing lists and enthusiast website rings. I noticed one common pattern: Amazon responds to reports coming from firstname.lastname@example.org sent directly to Amazon's ec2-abuse@ email.
The common user accounts they are scanning are the following:
- root (Oracle and SSH)
The port numbers are random, but they mostly start with 4-digit port numbers, including the common port numbers for Oracle, Postfix, SSH, MySQL, Squid and Dovecot. Our attacker from Amazon is seriously targeting access to specific services.
As of today, Amazon has claimed that they have already taken action against the attacking instances, rather than the generic “we will inform the attacking/involved instance”.
As a good rule of thumb, secure your servers using fail2ban, iptables, CSF/LFD and mod_security. SELinux may also help.
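The fail2ban-style check recommended above, as an added example that is not part of the original post: it scans constructed sshd auth-log lines (RFC 5737 documentation addresses, not real attackers) for repeated failed logins per source IP using fail2ban's maxretry/findtime semantics, and renders the iptables drop rule a ban action would insert. The log lines, thresholds and helper names are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines in syslog format (not taken from the post).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 4122 ssh2
Mar  3 10:00:03 web1 sshd[2102]: Failed password for root from 198.51.100.7 port 4130 ssh2
Mar  3 10:00:04 web1 sshd[2103]: Failed password for invalid user oracle from 198.51.100.7 port 4137 ssh2
Mar  3 10:00:06 web1 sshd[2104]: Failed password for root from 198.51.100.7 port 4145 ssh2
Mar  3 10:00:09 web1 sshd[2105]: Failed password for root from 198.51.100.7 port 4152 ssh2
Mar  3 10:00:15 web1 sshd[2106]: Accepted publickey for deploy from 203.0.113.5 port 51234 ssh2
Mar  3 10:20:00 web1 sshd[2107]: Failed password for root from 192.0.2.9 port 4010 ssh2
Mar  3 10:45:00 web1 sshd[2108]: Failed password for root from 192.0.2.9 port 4011 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, user, ip, port) for each failed-login line; syslog lines carry no year."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and other noise are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"], int(m["port"])

def find_brute_forcers(log_text, maxretry=4, findtime=600):
    """Return {ip: peak_failures} for sources with >= maxretry failures inside any findtime-second window."""
    windows = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    offenders = {}
    for ts, _user, ip, _port in parse_failures(log_text):
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()            # slow, spread-out failures age out and never trigger a ban
        if len(q) >= maxretry:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders

def block_rules(offenders):
    """Render one iptables DROP rule per offender, the rule a fail2ban ban action inserts."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]
```

The second source in the sample sends two failures 25 minutes apart, so it never crosses the threshold; only the burst of five from the first source produces a rule.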