Amazon EC2's spam and malware problems


Ben Yamin

Jul 3, 2008, 2:18:28 AM
to cloud-c...@googlegroups.com

Chris Sears

Jul 3, 2008, 12:45:27 PM
to cloud-c...@googlegroups.com
Abuse like this is nothing new in the world of shared, dedicated and colo hosting. Amazon has clearly taken a hands off approach to managing EC2 instances, much like an unmanaged dedicated server hosting provider.

People calling for Amazon to proactively police EC2 for spam and malware are misguided. As an EC2 user, I should be able to send all the spam and serve all the malware I want. I could easily be doing legitimate security research using my EC2 instances, testing my antivirus software or probing my spam gateway software. Amazon can't do anything substantial to block spam or malware without decreasing quality of service to "normal" EC2 users. Outbound port 25 filtering, for example, is very difficult to implement in practice and forces Amazon to get their hands into users' apps/traffic in a way that I don't think they should or want to do.

What's the solution? People need to stop expecting every corner of the Internet to be actively policed. It's not and it will never be. Mail servers should not trust mail from Amazon EC2 IPs (by default) and that's fine. You shouldn't trust any mail server IP by default from any network. Likewise for malware hosting/serving. Fighting for active policing and network filtering is a losing battle. Instead, they should accept it and treat EC2's network just like a Chinese dedicated server hosting provider.

 - Chris

Larry Ludwig

Jul 3, 2008, 3:03:42 PM
to cloud-c...@googlegroups.com

> Abuse like this is nothing new in the world of shared, dedicated and colo hosting. Amazon has clearly taken a hands off approach to managing EC2 instances, much like an unmanaged dedicated server hosting provider.

Yes, it also shows how much inexperience is out there. Many people think sysadmin work is easy. This isn't just an EC2 issue but an internet-wide issue. If I got $1.00 for each ssh/ftp/pop3/imap login attempt to our network :-(

Unmanaged offerings like EC2 not only allow spammers to directly use their service and then disappear, but also many customers will be hacked and send out spam unknowingly. Keep in mind EC2 instances could also be used in a DDoS attack. Hacker needs more resources to attack someone? Use a service like EC2 that is completely automatic. A hacker's haven if you ask me.

I love this commenter in the blog post :-)
"Who’s the moron who set up a system that allows any one to keep creating instant spam boxes? Holy f****! When you set the damn thing up an instance should have automatically been tied to the account and the account LOCKED when an instance is killed due to abuse."
 
What's different from a traditional hosting provider with just static IPs is that with EC2's IP pool you may get an IP address from Amazon that's been blacklisted.
 

-L

--
Larry Ludwig
Empowering Media
1-866-792-0489 x600
Managed Xen based VPSes
http://www.hostcube.com/
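Two points in the thread so far lend themselves to one concrete check: Chris's "don't trust mail from EC2 IPs by default" on the receiving side, and Larry's warning that a freshly assigned EC2 address may already be on a blacklist on the sending side. The Python below is an added example written for this page, not code from any of the posters or from Amazon. It builds the reversed-octet DNSBL query name, asks an injected resolver whether the address is listed, and folds that together with a "cloud-hosted, so greylist rather than trust" range check. The provider ranges (RFC 5737 test networks) and the DNSBL zone names are constructed placeholders, and the resolver is a constructed in-memory stand-in so the code runs offline; a real deployment would plug in an actual DNS lookup and the provider's published ranges.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional

# Constructed stand-in for a cloud provider's address blocks (RFC 5737 test
# nets). A real policy would load the provider's published ranges instead.
CLOUD_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Placeholder DNSBL zones; real zones and their return-code semantics differ.
DNSBL_ZONES = ["dnsbl.example", "cloudbl.example"]

# name -> A record text, or None for NXDOMAIN
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name an IPv4 DNSBL expects: a.b.c.d -> d.c.b.a.zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_listings(ip: str, resolve: Resolver, zones: Iterable[str] = DNSBL_ZONES) -> List[str]:
    """Return the zones that list `ip`. DNSBLs answer a 127.0.0.x A record for a
    listed address and NXDOMAIN (modelled as None here) for an unlisted one."""
    hits = []
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is not None and answer.startswith("127."):
            hits.append(zone)
    return hits


def in_cloud_range(ip: str, ranges=CLOUD_RANGES) -> bool:
    """True if the address falls inside any of the configured provider ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def classify_sender(ip: str, resolve: Resolver) -> str:
    """Inbound policy: listed -> 'reject'; unlisted but cloud-hosted -> 'greylist'
    (deliver only after the sender retries, which throwaway spam engines rarely do);
    otherwise 'accept' and hand off to the rest of the filter chain."""
    if dnsbl_listings(ip, resolve):
        return "reject"
    if in_cloud_range(ip):
        return "greylist"
    return "accept"


# Constructed offline resolver: exactly one address is "listed", in one zone.
_FAKE_DNS = {dnsbl_query_name("203.0.113.9", "dnsbl.example"): "127.0.0.2"}


def fake_resolve(name: str) -> Optional[str]:
    return _FAKE_DNS.get(name)


if __name__ == "__main__":
    # Operator side: check a freshly assigned address before pointing an MTA at it.
    for ip in ("203.0.113.9", "192.0.2.25", "203.0.113.10"):
        print(ip, dnsbl_listings(ip, fake_resolve), classify_sender(ip, fake_resolve))
```

The same `dnsbl_listings` call serves both sides of the argument: a receiving MTA uses it to decide how much to trust a connecting client, and an EC2 operator can run it against a newly allocated address before sending a single message from it, which is the cheap way to discover that the previous tenant got the address listed.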

Larry Ludwig

Jul 3, 2008, 3:12:53 PM
to Cloud Computing


On Jul 3, 12:45 pm, "Chris Sears" <cse...@gmail.com> wrote:

>
> People calling for Amazon to proactively police EC2 for spam and malware are
> misguided. As an EC2 user, I should be able to send all the spam and serve
> all the malware I want. I could easily be doing legitimate security research
> using my EC2 instances, testing my antivirus software or probing my spam
> gateway software.

This doesn't hold up if you are comparing to unmanaged providers.
Unless they are asleep at the wheel, no provider is going to allow you
to send spam. If they get enough reports they will shut you down.

Randy Bias

Jul 3, 2008, 6:22:18 PM
to cloud-c...@googlegroups.com

On Jul 3, 2008, at 12:03 PM, Larry Ludwig wrote:
> Keep in mind EC2 instances could also be used in a DDOS attack.

This is largely a red herring.  At 20 instances max for a default account, it's improbable that someone will have the desire, will, or number of stolen credit cards to build a viable attack platform.

While it's feasible, it's not economically sound as it's cost prohibitive for your average attacker.  It's much easier (and probably faster) to infect and build your own botnet of 10K+ systems.

Or, if you want to spend money, rent someone else's botnet as the attack platform.  My understanding is that it's only a few hundred dollars to rent a 50,000 host botnet for a few hours.  Certainly much more economically viable than using EC2.




--Randy

Randy Bias, Founder, CloudScale

Chris Sears

Jul 7, 2008, 4:03:06 PM
to cloud-c...@googlegroups.com
On Thu, Jul 3, 2008 at 3:12 PM, Larry Ludwig <larr...@gmail.com> wrote:

> This doesn't hold up if you are comparing to unmanaged providers.
> Unless they are asleep at the wheel, no provider is going to allow you
> to send spam.  If they get enough reports they will shut you down.


True. Let me clarify. Reactively responding to spam reports is fine and reasonable. What I have a problem with is people calling for Amazon to block outbound port 25 traffic except through some Amazon-managed filtering SMTP gateways. I consider that overreaching. In my experience, only low-end unmanaged hosting providers force such an anti-spam system upon customers.

Chris Sears

Jul 7, 2008, 4:05:48 PM
to cloud-c...@googlegroups.com
On Thu, Jul 3, 2008 at 6:22 PM, Randy Bias <ran...@cloudscale.net> wrote:

> Or, if you want to spend money, rent someone else's botnet as the attack platform.  My understanding is that it's only a few hundred dollars to rent a 50,000 host botnet for a few hours.  Certainly much more economically viable than using EC2.

Great point. So do botnets qualify as cloud computing?

Randy Bias

Jul 7, 2008, 5:04:50 PM
to cloud-c...@googlegroups.com
It's definitely at the point where it should be considered for that classification, although I still think one of the defining requirements is an API.  Still, some folks (e.g. Joyent) claim to be clouds sans an API, so I guess the answer is: no if you think a cloud needs an API and yes if you don't.

Chris Sears

Jul 7, 2008, 5:35:51 PM
to cloud-c...@googlegroups.com

On Mon, Jul 7, 2008 at 5:04 PM, Randy Bias <ran...@cloudscale.net> wrote:
> On Jul 7, 2008, at 1:05 PM, Chris Sears wrote:
>> Great point. So do botnets qualify as cloud computing?
>
> It's definitely at the point where it should be considered for that classification, although I still think one of the defining requirements is an API.  Still, some folks (e.g. Joyent) claim to be clouds sans an API, so I guess the answer is: no if you think a cloud needs an API and yes if you don't.


I couldn't agree more about an API being a requirement for true cloud computing. My understanding of most botnets is that they do have APIs, sometimes implemented via IRC, but still an API. Could anyone manage a 100,000+ node botnet without a command-and-control API? Probably not.

 - Chris

Patrick Auld

Jul 7, 2008, 5:39:36 PM
to cloud-c...@googlegroups.com
I'll prefix this with saying that I don't have any experience with botnets; however, you're assuming that a very organized and profitable industry wouldn't implement an API for its services.

I agree with you though that an API is a defining factor of the cloud.
--
-Patrick Auld
work. 415.287.0004
cell. 707.483.0833

Greg Pfister

Jul 7, 2008, 11:06:26 PM
to Cloud Computing
On Jul 3, 1:18 am, "Ben Yamin" <benyami...@gmail.com> wrote:
> http://taint.org/2008/07/02/162007a.html

So, OK, here we've got this marvelous new cloud computing technology
that lets anybody set up a server farm faster, cheaper, and more
scalably than ever before.

Of *course* it will be used for spam. And porn. And gambling. And
every other possible socially-unacceptable but profitable application.
The people doing those things may be immoral by many common standards,
but that doesn't mean they're dumb or ignorant. This is all to be
expected. Porn built the web -- or at least the browsers. Ask somebody
who was building graphics into early browsers where they got most of
their bug reports, and therefore test images, from.

About the blacklisting, I seem to recall that Earthlink was at one
point notorious for hosting spammers. What happened there? Anybody
know? Earthlink's still around, so either they clamped down or
blacklists got more sophisticated.

Just the same, I'd personally be happier if Amazon threw a brick at
those apps. And I, too, loved the "morons" post. :-) I wonder what the
interaction might be in Google Apps to something like this, given
Google's "no evil" position.

--
Greg

Randy Bias

Jul 8, 2008, 12:46:01 AM
to cloud-c...@googlegroups.com
Good point. You are correct, of course. This should be a usable API
mechanism. So I guess that means that botnets should be considered
clouds.

On Jul 7, 2008, at 2:35 PM, Chris Sears wrote:
> My understanding of most botnets are that they do have APIs,
> sometimes implemented via IRC,

--Randy

Khazret Sapenov

Jul 8, 2008, 1:17:27 AM
to cloud-c...@googlegroups.com
Randy,
How about the no/low entry barrier?
Can you saturate large size network or ddos service spending only $4.95 dollars?
Or call to 1-800-BOTNET for support and have SLA with 30-days money-back guarantee? :)
 
As for the topic itself, IMO, it is similar to those cases with schoolchildren suddenly going insane and shooting everyone. They have a clean criminal record, a machine gun, knowledge of the area, free admission policies and some vague reason to do a bad thing. To prevent massive casualties, one needs to introduce a curfew, which quickly becomes unpopular.
 
What can we do to prevent massive abuse of technical means in a cloud? Until someone finds a universal remedy, I think we should protect the last mile: in the case of spam, that is the antispam filter; for viruses, antivirus; routers are already filtering UDP multicast, etc.
 
all the best,
Khaz Sapenov
 

On SaaS

Jul 8, 2008, 1:20:42 AM
to cloud-c...@googlegroups.com
Khaz,

> Can you saturate large size network or ddos service spending only $4.95 dollars?
> Or call to 1-800-BOTNET for support and have SLA with 30-days money-back guarantee? :)


Nobody said a cloud must be public and serve others. It can easily be a private cloud used by the owner only. :)

I would bet you $1 cash/trash that the owner of the bot-cloud can get better SLA than from a public cloud.

Jian
--
OnSaaS.net - Blogging about the SaaS and cloud computing world
OnSaaS.info - Providing a continuous stream of SaaS and cloud computing news

Khazret Sapenov

Jul 8, 2008, 1:31:35 AM
to cloud-c...@googlegroups.com
On Tue, Jul 8, 2008 at 1:20 AM, On SaaS <ons...@gmail.com> wrote:
> Khaz,
>
>> Can you saturate large size network or ddos service spending only $4.95 dollars?
>> Or call to 1-800-BOTNET for support and have SLA with 30-days money-back guarantee? :)
>
> Nobody said a cloud must be public and serve others. It can easily be a private cloud used by the owner only. :)
>
> I would bet you $1 cash/trash that the owner of the bot-cloud can get better SLA than from a public cloud.
>
> Jian
 
Jian,
Private clouds are much easier to manage/control in the context of abuse, and perhaps PCs never suffer from spam (imagine your colleague sending you Nigerian letters/Viagra/pron offers to pay off their mortgage). I would classify those cases as hypothetical.
 
Don't forget that botnet activity is illegal; whatever SLA they offer, it might end up pretty quickly with unexpected outcomes for both parties.
 
cheers,
Khaz Sapenov
 
 

Randy Bias

Jul 8, 2008, 2:39:20 AM
to cloud-c...@googlegroups.com
On Jul 7, 2008, at 10:17 PM, Khazret Sapenov wrote:
> On Tue, Jul 8, 2008 at 12:46 AM, Randy Bias <ran...@cloudscale.net> wrote:
>> Good point.  You are correct, of course.  This should be a usable API
>> mechanism.  So I guess that means that botnets should be considered
>> clouds.
>>
>> On Jul 7, 2008, at 2:35 PM, Chris Sears wrote:
>>> My understanding of most botnets are that they do have APIs,
>>> sometimes implemented via IRC,
>
> Randy,
> How about no/low entry barrier ?
> Can you saturate large size network or ddos service spending only $4.95 dollars?
> Or call to 1-800-BOTNET for support and have SLA with 30-days money-back guarantee? :)

Not really sure I understand your point.  I was simply explaining the value proposition of botnets to the underground community, not advocating them as a computing resource.

> What can we do to prevent massive abuse of technical means in a cloud? Until someone finds universal remedy, I think we should protect last mile, in case of spam, it is antispam filter, virus - antivirus, routers already filtering UDP multicast etc.

I think that trying to make clouds generally safer is a great idea, but I'm not sure that any of these approaches are reasonable.  I don't want my compute resources to have arbitrary filtering employed in case I need one of the services being filtered for production usage.

It would be much better if either the community or Amazon policed the cloud pro-actively finding problems and notifying the owners rather than enforcing some kind of draconian controls for the 'good of the community'.  

Just my $0.02.

Sassa NF

Jul 12, 2008, 7:44:55 PM
to cloud-c...@googlegroups.com
To obtain a 10K+ botnet, the zoo-keeper couldn't have hacked each of
the victims individually. So the zombification strategy should scale
before they can scale the attacks of the other kinds using the botnet.

What I was going to say, is that the price of the botnet-hour is
perhaps synthetic rather than being based on some software
development+IT shop business model. This might mean that the price of
using the botnet might be a lot lower really.


On the other note, do the cloud providers offer _client_ scaling
(where the cloud is a mass of clients, instead of services)? Botnets
mostly offer bandwidth, rather than MFlops. That might be the
difference between EC2 and a 10K+ botnet.


Sassa

2008/7/8 Khazret Sapenov <sap...@gmail.com>:
