Attackers Install DDoS Bots On Amazon Cloud

timothy posted about 2 months ago | from the fully-buzzword-compliant dept.

Security 25

itwbennett (1594911) writes "Attackers are exploiting a vulnerability in distributed search engine software Elasticsearch to install DDoS malware on Amazon and possibly other cloud servers. Last week security researchers from Kaspersky Lab found new variants of Mayday, a Trojan program for Linux that's used to launch distributed denial-of-service (DDoS) attacks. The malware supports several DDoS techniques, including DNS amplification. One of the new Mayday variants was found running on compromised Amazon EC2 server instances, but this is not the only platform being misused, said Kaspersky Lab researcher Kurt Baumgartner Friday in a blog post."


25 comments


Is the AWS cloud... (2, Funny)

digsbo (1292334) | about 2 months ago | (#47550321)

Is the AWS cloud so powerful that it can create a DDOS botnet that it cannot withstand?

Re:Is the AWS cloud... (2)

i kan reed (749298) | about 2 months ago | (#47550495)

Easiest DDOS ever: install a worm that makes the targeted site take part in a DDOS, and get disconnected as a security measure.

Re:Is the AWS cloud... (2)

alen (225700) | about 2 months ago | (#47550613)

Being that Amazon charges you for incoming and outgoing data, I don't think they really care.

Only a problem for unpatched systems? (4, Insightful)

Joe Gillian (3683399) | about 2 months ago | (#47550361)

The article claims that only 1.1.x versions of Elasticsearch were vulnerable, and that the vulnerabilities were fixed in 1.2.x and 1.3.x. To me, this sounds like any company still running 1.1.x versions brought it upon themselves.

But it's the cloud... (4, Funny)

houstonbofh (602064) | about 2 months ago | (#47550367)

But it's the cloud! I don't have to worry about things like software updates and patching!

The more things change...

Re:But it's the cloud... (4, Interesting)

Richard_at_work (517087) | about 2 months ago | (#47550435)

If you choose a cloud offering which does that for you then yes, you don't have to worry about things like software updates and patching.

However, if you choose a cloud offering which is essentially a hosted server, then you still have to worry about all the things you would with your own local server, excluding power and hardware faults.

Amazon AWS is a platform provider, it's not a fully managed solution and never has been - people have been caught out by that before when availability zones failed and suddenly people realised the benefit of having redundant instances in multiple availability zones.

Re:But it's the cloud... (2)

houstonbofh (602064) | about 2 months ago | (#47550535)

If you choose a cloud offering which does that for you then yes, you don't have to worry about things like software updates and patching.

I would say you still have to worry about it, and verify it was done. You just do not have to actually do it...

Re:But it's the cloud... (3, Insightful)

turbidostato (878842) | about 2 months ago | (#47551023)

"If you choose a cloud offering which does that for you then yes, you don't have to worry about things like software updates and patching."

Well, yes, you need to worry anyway.

If it's not done, because it's not done. But if it's done, because of what the update/patching breaks on your own apps.

Re:But it's the cloud... (3, Funny)

DivineKnight (3763507) | about 2 months ago | (#47550671)

Quiet you. A few more revolutions around this sun, and we'll own this planet. We've all but convinced them that they need to move everything onto the cloud, and soon thereafter that they need to upgrade to this year's CPU: ARM (preferably v6). Those of us who are quietly stashing those gigantic x86 16-core / 4 CPU beasts that companies are throwing away because 'IT & programming are last year's business' are sitting pretty for the upset that is to come...I mean, we are looking at a "Napoleon won Waterloo" level of misreporting style event, and it feels good.

Re:But it's the cloud... (0)

Anonymous Coward | about 2 months ago | (#47550719)

wat?

Oh, Look! A red herring! (3, Insightful)

houstonbofh (602064) | about 2 months ago | (#47550409)

So a bunch of virtual machines were compromised that happened to be in one location where they looked. KILL AMAZON! Sigh...

Re:Oh, Look! A red herring! (3, Funny)

i kan reed (749298) | about 2 months ago | (#47550513)

Look, slashdotters are terrified of change. If you don't like that, go somewhere else.

Except that's changing things, so please don't; it's too scary.

Re:Oh, Look! A red herring! (0)

cyborg_monkey (150790) | about 2 months ago | (#47550579)

why don't you grow a sack?

Re:Oh, Look! A red herring! (1)

i kan reed (749298) | about 2 months ago | (#47551139)

(Score:-1, was it really that hard a joke to get?)

Re:Oh, Look! A red herring! (0)

Anonymous Coward | about 2 months ago | (#47551911)

I laughed internally. Don't worry, I'm not going anywhere.

Stupid sensationalism (4, Insightful)

Imagix (695350) | about 2 months ago | (#47550667)

So why is Amazon being specifically mentioned here? What makes this specific to Amazon? Is Google Compute Engine somehow immune to this? Or Azure, or any other hosting provider? Or self-hosted? Better headline: "Servers compromised through known vulnerability, admins failed to update software to close vulnerability."

Re:Stupid sensationalism (2, Interesting)

Anonymous Coward | about 2 months ago | (#47551051)

My guess is they just looked at a couple EC2 machines, and since no one uses Azure or Google Compute Engine, they just didn't bother following up on those and made a blanket statement that it applies to all environments (which it does). This has nothing to do with EC2, or Azure or any other environment, really. This is a vulnerability in a piece of 3rd party distributed search engine software that a bunch of people were too lazy to update.

The real headline just doesn't perform quite as well as the clickbait they came up with.

I choose not to cloud (1)

Anonymous Coward | about 2 months ago | (#47551217)

I am not paranoid in the least, but I know from experience that if you provide a reason for hackers to attack. No matter if that's a platform for sending out malware or DOS or whatever. Or if it's just to mine personal information and exploit credit cards, identification and whatever else. The hackers will no doubt be trying to circumvent security and you know they will succeed. I don't see cloud as any more viable than saying it will never rain again and always be sunny. We know that will never happen. The cloud means trusting total strangers with your information as if they can. That would be like walking up to a total stranger and handing them your wallet. Yea, maybe you will find one in a few who will honestly devote their time and effort into protecting it. Then you will have some who will throw it away blaming you for even giving them the wallet to begin with. Then you have the rest who will say "sucker" time to better myself and see what I can do with this information. At least with handing your wallet to a person you still have that chance of detecting some sort of trust with that person. With the cloud, you do not have a personal experience to back up that trust.

It is not so much about the cloud - it is low qual (0)

Anonymous Coward | about 2 months ago | (#47551403)

People tend to forget lessons, learned even recently. Amazon probably does not care what type of software its customers are running. There are tons of low quality software out there, like that OpenSSL code with its Heartbleed exploit, which nobody noticed for years. Who knows how many systems were compromised due to this before the exploit was even discovered and reported? It was also reported that a couple of community developers, working part time, did that piece of software code, which just did cost a couple of billions for IT industry to fix. Assumption that being open source software, that code is verified by thousands of eyeballs, proved wrong. Net, net, this Amazon cloud exploit shows that Amazon cloud is a nice scalable vehicle for cheap DDOS hosting of parasitic malware within badly written code hiding somewhere among thousands of exploitable software systems. One can assume, that this is only the beginning of Amazon and other IAAS cloud vendors problems, taken into account how many low quality disorganized community code is loaded on Amazon servers today.

Oh now the Cloud is falling (1)

Anonymous Coward | about 2 months ago | (#47551507)

This would be wittier if it was Microsoft SkyDrive, but meh.

The cloud is failing. This is one specific instance of how virtualization's "lower costs" aren't lower at all. Somewhere along the line, the person responsible for this outsourcing to AWS, misunderstands that they are still responsible for security and maintenance, and in fact should be hiring MORE staff, not laying staff off to fake cost savings to shareholders. It will take only one really high profile AWS "destruction" and then no enterprise business will ever bother with cloud services again. Then we can go back to owning/leasing equipment cheaply instead of paying AWS to hold our data hostage.

EC2 servers already fire walled (0)

Anonymous Coward | about 2 months ago | (#47552409)

I have had so so many hack attempts from Amazon's servers that it was just easier to firewall ALL of them.

Re:EC2 servers already fire walled (2)

jafiwam (310805) | about 2 months ago | (#47552693)

I have had so so many hack attempts from Amazon's servers that it was just easier to firewall ALL of them.

Yup. Amazon Cloud and a couple others are completely null routed from my work network. Big sections of others overseas are blocked as well.

So far, complaints have been zero. And, we get less log and web site form harassment from misbehaving bots.

We have determined that the signal to noise ratio coming from cloud hosting services is ZERO.

Plane loo makes shit fall into the cloud (0)

Anonymous Coward | about 2 months ago | (#47553337)

bam!

Worse (0)

Anonymous Coward | about 2 months ago | (#47554803)

I'll tell you what's worse is the stupid fucking morons at Slashdot who put ads that automatically start playing and automatically jack up the volume all the way.

May you all die in a fiery car wreck, trapped and burning to death, conscious until the very last shred of flesh drips from your bones.

They note other servers for "cloud" too... apk (0)

Anonymous Coward | about 2 months ago | (#47559703)

I've been seeing a LOT of amazon-based ones out of Norton SafeWeb for months now -> http://safeweb.norton.com/buzz

Additionally/Per my subject-line above - & Also, from other sources like this (malwr) https://malwr.com/ per the article here indicating other cloud services might be affected & abused thus:

Many are from a "cloudfront.net" server too from these sources also - like the one named "d1fob1nj1hlyjr.cloudfront.net" shown there now, for example...

(Usually with randomized names, the mark of "DGA" utilizing botnets many times, & like that one as of today's date/past few days - before malwr went down "for the count" as they just did sadly a couple days back, & they were a pretty good daily source for populating my custom hosts file vs. these threats too, + of course).

APK

P.S.=> Still, as to cloudfront - not *really* sure offhand @ least, & minus research on that latter server though, admittedly, but it may also "fit the pattern" here as well (just a "heads-up" for those of you interested) & *may* actually BE one of the "other cloud-based services" being abused also.... apk
