Friday, February 12, 2010

Forecast: Cloudy with a Chance of Low Visibility

Now that I have had a chance to re-coup from Shmoocon and the associated Shmoosnow Apocalypse, I wanted to get this post up. Great CON BTW! If you have the chance to go in the future, don't hesitate!

In December, I began noticing an uptick in scans looking for TCP 1080 (socks proxy) on my corporate firewalls. Not that unusual. But by New Years Day the scans began accounting for a large percentage of all deny's logged to my syslog servers. After some investigating, the fact that all source IP's were registered to Amazon's Ec2 Elastic cloud services became apparent. Egress filtering did not indicate any outbound connections to the IP addresses in question.

So began my adventures in reporting the issue to the Amazon abuse black hole. I initially reported the top source offender via on Thursday January 7, 2010 and "promptly" received the following email on Monday January 11th.
Please file a report at

It is possible that the activity you see comes from an Amazon EC2 instance. This activity that you report was not, however, initiated by Amazon.

One of the biggest advantages of Amazon EC2 is that developers are given complete control of their instances. While the IPs may indicate that the network is Amazon's, our developer customers are the ones controlling the instances. You may learn more about EC2 at

That said, we do take reports of unauthorized network activity from our environment very seriously. It is specifically forbidden in our terms of use.

In order for us to identify the actual customer, please provide
* src IP
* dest IP (your IP)
* dest port
******************** Accurate date/timestamp and timezone of activity**************************
* Intensity/frequency (short log extracts)
* Your contact details (phone and email) Without these we will be unable to identify the correct owner of the IP address at that point in time.

Thank you

Best regards,

-EC2 Abuse Team

I obliged but cursed as I fought to fill out the report on the badly designed web form which kept throwing vague invalid input errors. The forms purpose is to facilitate the reporting of abuse between the reporter and Amazon EC2 customer while keeping both anonymous. So I attempted to keep a positive outlook with the hope that my time may assist an Amazon EC2 customer with a possible compromise.

After a week of no response, I followed up with their follow-up form located at here. During this time the scanning for open proxies on my firewalls had escalated and was accounting for more than 30% of all daily denied connections. So I began submitted the top source IP's (all Amazon EC2 addresses) with the associated logs. To date I have not received one response from any submissions.

So I wanted to share the breakdown of 30 days of logs acquired from my production firewalls. Destination port TCP 1080 made up 35.7% of all denied connections during the month of January 2010 (see breakdown of ports below).

Of those connection attempts, 43.7% of all source addresses resided from the same 10 addresses which were all registered to Amazon's EC2 Cloud services. All source addresses checked from the remaining sources were also registered to Amazon Ec2 Cloud services but for obvious reasons I did not check every source address. The amount of connection attempts has dropped since the end of January but are they still occurring at a good clip.

Others have noted abuse of Amazon EC2 cloud services in the past. Brian Krebs formerly of The Washington Post and now at Krebs On Security wrote about his experience with spammers leveraging Amazon EC2 services in July 2008. More recently, Amazon was found hosting command and control servers for the Zeus botnet. And while editing this post yesterday, I came across this article at ZDNet UK on subject. The article contains some good quotes from Rik Ferguson, Senior Security Adviser at Trend Micro.
"One of the things that persuades me personally that the cloud is absolutely a viable model and has longevity is that it has already been adopted by criminals," Ferguson said. "They are the people who are leading-edge adopters of technology that is going to work and going to stick around for a long time."
 "But now that criminals are moving into cloud services, what are you going to do? Block EC2 [Amazon Elastic Compute Cloud]? It becomes very much more difficult and I think that is an area that security companies and security professionals need to focus on."
Every ISP and ASP out there has to deal with issues similar to this. Let's face it the problem is not going away anytime soon. However, with the loss of visibility associated with the dynamic nature of cloud services, attractiveness of easy provisioning and setup for the non-technical, and the service providers desire to provide privacy for its customers, cloud services are certainly ripe for abuse. Let's hope providers, such as Amazon, can find a happy medium of providing needed services and privacy for its customers while offering others an effective mechanism for reporting and deterring any misuse and exploitation.

No comments:

Post a Comment