April 18, 2010

There have been some recent discussions about SIP brute force attacks originating from Amazon EC2. We can confirm that several users reported SIP brute force attacks originating from a small number of Amazon EC2 instances about a week ago. It appears these attacks were designed to exploit security vulnerabilities in the SIP protocol. There is nothing specific about this attack that requires Amazon EC2. It was a brute force attack that could be launched from any computer on any network.

The behavior of these instances clearly violated our terms of usage. We responded to the abuse reports according to our normal abuse reporting procedures and shut down the abusive account when we were able to confirm the abusive behavior. We take all claims of misuse of our services very seriously and investigate each one. When we find misuse, we take action quickly and shut it down. Our terms of usage are clear and we continually monitor and work to make sure the services aren’t used for illegal activity. It’s important to note that we take the privacy of our customers very seriously, and don’t inspect the contents of instances. This is part of the reason that legitimate customers of all types are comfortable running production applications on Amazon EC2. However, when abuse is detected, we are able to act swiftly to isolate the abusive behavior.

We are looking closely at this event to determine how we can respond better in the future. First, we have made modifications to our abuse detection protocols so we can more quickly and identify SIP based abuse in the future. We are also engaging significant SIP providers to open up communication channels so we can quickly respond to any significant SIP abuse that is not detected in the future. Finally, we are working on making modifications to our abuse reporting mechanisms to better assure we respond promptly in situations like these.

If you suspected misuse of Amazon EC2, please email trustandsafety@support.aws.com.