Seeking Amazon EC2 abuse contact
Could someone from Amazon EC2 please contact me off-list regarding an abuse issue from one of their IPs? Alternatively, could someone please send me the contact details of someone there? E-mailing the abuse e-mail listed in WHOIS per their instructions, including all pertinent data, results in an auto-reply indicating to use a form on their site. Submitting the form results in "There has been an error while submitting your data. Please try again later." Calling their supposed NOC (as per WHOIS) results in "You have reached the legal department at Amazon...please leave a message". Thanks -- Erik Caneris Inc. Tel: 647-723-6365 Fax: 647-723-5365 Toll-free: 1-888-444-8843 www.caneris.com
Erik, We have several customers being attacked from the same EC2 instance on their network for 2 full days now. Contacted them at ec2-abuse@amazon.com and 25 hours later received a message that basically said, "Yep, we can confirm that a customer of ours is attacking you but that's their fault. We sometimes do stuff, but not in this case. Please don't block us, because the IP might be someone else later. Have a nice day". The telephone number in the WHOIS record goes to a general voicemail box for their legal department. A few of our customers who are being attacked by this same instance at EC2 have also contacted Amazon, and were told essentially the same thing. While I appreciate that they sent a response, I do not appreciate it's uselessness. Anyone over there at AWS that can do something willing to reply to me directly? Thanks! Mike On Sun, 2010-04-11 at 10:38 -0400, Erik L wrote:
Could someone from Amazon EC2 please contact me off-list regarding an abuse issue from one of their IPs? Alternatively, could someone please send me the contact details of someone there?
E-mailing the abuse e-mail listed in WHOIS per their instructions, including all pertinent data, results in an auto-reply indicating to use a form on their site. Submitting the form results in "There has been an error while submitting your data. Please try again later." Calling their supposed NOC (as per WHOIS) results in "You have reached the legal department at Amazon...please leave a message".
Thanks
-- ************************************************************ Michael J. McCafferty Principal M5 Hosting http://www.m5hosting.com You can have your own custom Dedicated Server up and running today ! RedHat Enterprise, CentOS, Ubuntu, Debian, OpenBSD, FreeBSD, and more ************************************************************
Michael, I've received numerous off-list responses yesterday. Most of them were asking if I've made contact with anyone there as they were being attacked as well. One gentleman who works at AWS (but not EC2 abuse) promised to forward my e-mail to them. I've also been reading the asterisk-users list where many have reported attacks from Amazon EC2 as well over the past few days. At one point we were seeing 197 SIP brute force attempts per second against a customer's box. The intensity in terms of bandwidth is low, but if you do the math, you can see that this isn't the point. This morning I received an e-mail from Amazon which was basically the same as the one you received. The attack is still on-going and I've still not made contact with a human at Amazon. Erik
-----Original Message----- From: Michael J McCafferty [mailto:mike@m5computersecurity.com] Sent: April 12, 2010 05:16 To: Erik L Cc: nanog@nanog.org Subject: Re: Seeking Amazon EC2 abuse contact
Erik, We have several customers being attacked from the same EC2 instance on their network for 2 full days now. Contacted them at ec2-abuse@amazon.com and 25 hours later received a message that basically said, "Yep, we can confirm that a customer of ours is attacking you but that's their fault. We sometimes do stuff, but not in this case. Please don't block us, because the IP might be someone else later. Have a nice day". The telephone number in the WHOIS record goes to a general voicemail box for their legal department. A few of our customers who are being attacked by this same instance at EC2 have also contacted Amazon, and were told essentially the same thing. While I appreciate that they sent a response, I do not appreciate it's uselessness. Anyone over there at AWS that can do something willing to reply to me directly?
Thanks! Mike
Could someone from Amazon EC2 please contact me off-list regarding an abuse issue from one of their IPs? Alternatively, could someone please send me the contact
On Sun, 2010-04-11 at 10:38 -0400, Erik L wrote: details of someone there?
E-mailing the abuse e-mail listed in WHOIS per their
instructions, including all pertinent data, results in an auto-reply indicating to use a form on their site. Submitting the form results in "There has been an error while submitting your data. Please try again later." Calling their supposed NOC (as per WHOIS) results in "You have reached the legal department at Amazon...please leave a message".
Thanks
-- ************************************************************ Michael J. McCafferty Principal M5 Hosting http://www.m5hosting.com
You can have your own custom Dedicated Server up and running today ! RedHat Enterprise, CentOS, Ubuntu, Debian, OpenBSD, FreeBSD, and more ************************************************************
Hello Erik, Do you care to share the IP address? So everyone could update their firewalls to block the attacks? Even only blocking known SIP ports (5060) could be a good idea. With kind regards, Mark Scholten
-----Original Message----- From: Erik L [mailto:erik_list@caneris.com] Sent: Monday, April 12, 2010 3:05 PM To: Michael J McCafferty Cc: nanog@nanog.org Subject: RE: Seeking Amazon EC2 abuse contact
Michael,
I've received numerous off-list responses yesterday. Most of them were asking if I've made contact with anyone there as they were being attacked as well. One gentleman who works at AWS (but not EC2 abuse) promised to forward my e-mail to them. I've also been reading the asterisk-users list where many have reported attacks from Amazon EC2 as well over the past few days.
At one point we were seeing 197 SIP brute force attempts per second against a customer's box. The intensity in terms of bandwidth is low, but if you do the math, you can see that this isn't the point.
This morning I received an e-mail from Amazon which was basically the same as the one you received. The attack is still on-going and I've still not made contact with a human at Amazon.
Erik
-----Original Message----- From: Michael J McCafferty [mailto:mike@m5computersecurity.com] Sent: April 12, 2010 05:16 To: Erik L Cc: nanog@nanog.org Subject: Re: Seeking Amazon EC2 abuse contact
Erik, We have several customers being attacked from the same EC2 instance on their network for 2 full days now. Contacted them at ec2-abuse@amazon.com and 25 hours later received a message that basically said, "Yep, we can confirm that a customer of ours is attacking you but that's their fault. We sometimes do stuff, but not in this case. Please don't block us, because the IP might be someone else later. Have a nice day". The telephone number in the WHOIS record goes to a general voicemail box for their legal department. A few of our customers who are being attacked by this same instance at EC2 have also contacted Amazon, and were told essentially the same thing. While I appreciate that they sent a response, I do not appreciate it's uselessness. Anyone over there at AWS that can do something willing to reply to me directly?
Thanks! Mike
Could someone from Amazon EC2 please contact me off-list regarding an abuse issue from one of their IPs? Alternatively, could someone please send me the contact
On Sun, 2010-04-11 at 10:38 -0400, Erik L wrote: details of someone there?
E-mailing the abuse e-mail listed in WHOIS per their
instructions, including all pertinent data, results in an auto-reply indicating to use a form on their site. Submitting the form results in "There has been an error while submitting your data. Please try again later." Calling their supposed NOC (as per WHOIS) results in "You have reached the legal department at Amazon...please leave a message".
Thanks
-- ************************************************************ Michael J. McCafferty Principal M5 Hosting http://www.m5hosting.com
You can have your own custom Dedicated Server up and running today ! RedHat Enterprise, CentOS, Ubuntu, Debian, OpenBSD, FreeBSD, and more ************************************************************
On 4/12/2010 6:39 AM, Mark Scholten wrote:
Hello Erik,
Do you care to share the IP address? So everyone could update their firewalls to block the attacks? Even only blocking known SIP ports (5060) could be a good idea.
The easiest thing to do is to block all of EC2 and not worry about it.
With kind regards,
Mark Scholten
The person to formally put on notice now then is Amazon's general counsel Michelle Wilson about the damage their (her) policies and practices are causing when these types of attacks emanate out of their IP Space since they apparently have dealt in bad faith by placing bogus contact information therein. I assure you Michelle will react VERY quickly to being notified. http://people.forbes.com/profile/l-michelle-wilson/4002 Todd Glassey
-----Original Message----- From: Erik L [mailto:erik_list@caneris.com] Sent: Monday, April 12, 2010 3:05 PM To: Michael J McCafferty Cc: nanog@nanog.org Subject: RE: Seeking Amazon EC2 abuse contact
Michael,
I've received numerous off-list responses yesterday. Most of them were asking if I've made contact with anyone there as they were being attacked as well. One gentleman who works at AWS (but not EC2 abuse) promised to forward my e-mail to them. I've also been reading the asterisk-users list where many have reported attacks from Amazon EC2 as well over the past few days.
At one point we were seeing 197 SIP brute force attempts per second against a customer's box. The intensity in terms of bandwidth is low, but if you do the math, you can see that this isn't the point.
This morning I received an e-mail from Amazon which was basically the same as the one you received. The attack is still on-going and I've still not made contact with a human at Amazon.
Erik
-----Original Message----- From: Michael J McCafferty [mailto:mike@m5computersecurity.com] Sent: April 12, 2010 05:16 To: Erik L Cc: nanog@nanog.org Subject: Re: Seeking Amazon EC2 abuse contact
Erik, We have several customers being attacked from the same EC2 instance on their network for 2 full days now. Contacted them at ec2-abuse@amazon.com and 25 hours later received a message that basically said, "Yep, we can confirm that a customer of ours is attacking you but that's their fault. We sometimes do stuff, but not in this case. Please don't block us, because the IP might be someone else later. Have a nice day". The telephone number in the WHOIS record goes to a general voicemail box for their legal department. A few of our customers who are being attacked by this same instance at EC2 have also contacted Amazon, and were told essentially the same thing. While I appreciate that they sent a response, I do not appreciate it's uselessness. Anyone over there at AWS that can do something willing to reply to me directly?
Thanks! Mike
Could someone from Amazon EC2 please contact me off-list regarding an abuse issue from one of their IPs? Alternatively, could someone please send me the contact
On Sun, 2010-04-11 at 10:38 -0400, Erik L wrote: details of someone there?
E-mailing the abuse e-mail listed in WHOIS per their
instructions, including all pertinent data, results in an auto-reply indicating to use a form on their site. Submitting the form results in "There has been an error while submitting your data. Please try again later." Calling their supposed NOC (as per WHOIS) results in "You have reached the legal department at Amazon...please leave a message".
Thanks
-- ************************************************************ Michael J. McCafferty Principal M5 Hosting http://www.m5hosting.com
You can have your own custom Dedicated Server up and running today ! RedHat Enterprise, CentOS, Ubuntu, Debian, OpenBSD, FreeBSD, and more ************************************************************
Many thanks again to the large number of off-list responses. After making human contact, the issue was very promptly resolved by Amazon and a gentleman there has promised to look into the error on the abuse form as well. Erik ________________________________________ From: Mark Scholten [mark@streamservice.nl] Sent: Monday, April 12, 2010 9:39 AM To: Erik L; 'Michael J McCafferty' Cc: nanog@nanog.org Subject: RE: Seeking Amazon EC2 abuse contact Hello Erik, Do you care to share the IP address? So everyone could update their firewalls to block the attacks? Even only blocking known SIP ports (5060) could be a good idea. With kind regards, Mark Scholten
-----Original Message----- From: Erik L [mailto:erik_list@caneris.com] Sent: Monday, April 12, 2010 3:05 PM To: Michael J McCafferty Cc: nanog@nanog.org Subject: RE: Seeking Amazon EC2 abuse contact
Michael,
I've received numerous off-list responses yesterday. Most of them were asking if I've made contact with anyone there as they were being attacked as well. One gentleman who works at AWS (but not EC2 abuse) promised to forward my e-mail to them. I've also been reading the asterisk-users list where many have reported attacks from Amazon EC2 as well over the past few days.
At one point we were seeing 197 SIP brute force attempts per second against a customer's box. The intensity in terms of bandwidth is low, but if you do the math, you can see that this isn't the point.
This morning I received an e-mail from Amazon which was basically the same as the one you received. The attack is still on-going and I've still not made contact with a human at Amazon.
Erik
-----Original Message----- From: Michael J McCafferty [mailto:mike@m5computersecurity.com] Sent: April 12, 2010 05:16 To: Erik L Cc: nanog@nanog.org Subject: Re: Seeking Amazon EC2 abuse contact
Erik, We have several customers being attacked from the same EC2 instance on their network for 2 full days now. Contacted them at ec2-abuse@amazon.com and 25 hours later received a message that basically said, "Yep, we can confirm that a customer of ours is attacking you but that's their fault. We sometimes do stuff, but not in this case. Please don't block us, because the IP might be someone else later. Have a nice day". The telephone number in the WHOIS record goes to a general voicemail box for their legal department. A few of our customers who are being attacked by this same instance at EC2 have also contacted Amazon, and were told essentially the same thing. While I appreciate that they sent a response, I do not appreciate it's uselessness. Anyone over there at AWS that can do something willing to reply to me directly?
Thanks! Mike
Could someone from Amazon EC2 please contact me off-list regarding an abuse issue from one of their IPs? Alternatively, could someone please send me the contact
On Sun, 2010-04-11 at 10:38 -0400, Erik L wrote: details of someone there?
E-mailing the abuse e-mail listed in WHOIS per their
instructions, including all pertinent data, results in an auto-reply indicating to use a form on their site. Submitting the form results in "There has been an error while submitting your data. Please try again later." Calling their supposed NOC (as per WHOIS) results in "You have reached the legal department at Amazon...please leave a message".
Thanks
-- ************************************************************ Michael J. McCafferty Principal M5 Hosting http://www.m5hosting.com
You can have your own custom Dedicated Server up and running today ! RedHat Enterprise, CentOS, Ubuntu, Debian, OpenBSD, FreeBSD, and more ************************************************************
On 4/12/2010 11:51, Erik L wrote:
Many thanks again to the large number of off-list responses. After making human contact, the issue was very promptly resolved by Amazon and a gentleman there has promised to look into the error on the abuse form as well.
And people say talk of routing their traffic to 600-ohm resistors doesn't do any good. -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Just a follow-up: Amazon posted a response at https://aws.amazon.com/security/ which discusses the issue and what they're doing to improve things. Frank -----Original Message----- From: Erik L [mailto:erik_list@caneris.com] Sent: Monday, April 12, 2010 11:52 AM To: nanog@nanog.org Subject: RE: Seeking Amazon EC2 abuse contact Many thanks again to the large number of off-list responses. After making human contact, the issue was very promptly resolved by Amazon and a gentleman there has promised to look into the error on the abuse form as well. Erik ________________________________________ From: Mark Scholten [mark@streamservice.nl] Sent: Monday, April 12, 2010 9:39 AM To: Erik L; 'Michael J McCafferty' Cc: nanog@nanog.org Subject: RE: Seeking Amazon EC2 abuse contact Hello Erik, Do you care to share the IP address? So everyone could update their firewalls to block the attacks? Even only blocking known SIP ports (5060) could be a good idea. With kind regards, Mark Scholten
-----Original Message----- From: Erik L [mailto:erik_list@caneris.com] Sent: Monday, April 12, 2010 3:05 PM To: Michael J McCafferty Cc: nanog@nanog.org Subject: RE: Seeking Amazon EC2 abuse contact
Michael,
I've received numerous off-list responses yesterday. Most of them were asking if I've made contact with anyone there as they were being attacked as well. One gentleman who works at AWS (but not EC2 abuse) promised to forward my e-mail to them. I've also been reading the asterisk-users list where many have reported attacks from Amazon EC2 as well over the past few days.
At one point we were seeing 197 SIP brute force attempts per second against a customer's box. The intensity in terms of bandwidth is low, but if you do the math, you can see that this isn't the point.
This morning I received an e-mail from Amazon which was basically the same as the one you received. The attack is still on-going and I've still not made contact with a human at Amazon.
Erik
-----Original Message----- From: Michael J McCafferty [mailto:mike@m5computersecurity.com] Sent: April 12, 2010 05:16 To: Erik L Cc: nanog@nanog.org Subject: Re: Seeking Amazon EC2 abuse contact
Erik, We have several customers being attacked from the same EC2 instance on their network for 2 full days now. Contacted them at ec2-abuse@amazon.com and 25 hours later received a message that basically said, "Yep, we can confirm that a customer of ours is attacking you but that's their fault. We sometimes do stuff, but not in this case. Please don't block us, because the IP might be someone else later. Have a nice day". The telephone number in the WHOIS record goes to a general voicemail box for their legal department. A few of our customers who are being attacked by this same instance at EC2 have also contacted Amazon, and were told essentially the same thing. While I appreciate that they sent a response, I do not appreciate it's uselessness. Anyone over there at AWS that can do something willing to reply to me directly?
Thanks! Mike
Could someone from Amazon EC2 please contact me off-list regarding an abuse issue from one of their IPs? Alternatively, could someone please send me the contact
On Sun, 2010-04-11 at 10:38 -0400, Erik L wrote: details of someone there?
E-mailing the abuse e-mail listed in WHOIS per their
instructions, including all pertinent data, results in an auto-reply indicating to use a form on their site. Submitting the form results in "There has been an error while submitting your data. Please try again later." Calling their supposed NOC (as per WHOIS) results in "You have reached the legal department at Amazon...please leave a message".
Thanks
-- ************************************************************ Michael J. McCafferty Principal M5 Hosting http://www.m5hosting.com
You can have your own custom Dedicated Server up and running today ! RedHat Enterprise, CentOS, Ubuntu, Debian, OpenBSD, FreeBSD, and more ************************************************************
participants (6)
-
Erik L
-
Frank Bulk
-
Larry Sheldon
-
Mark Scholten
-
Michael J McCafferty
-
todd glassey