Comments on: Denial-of-service attack on Amazon S3

By: cardbox

cardbox — Wed, 21 Jun 2006 06:17:12 +0000

You’ll have to ask Symantec. They wrote Norton Anti-Virus so they will know what the messages mean.

By: D. Richter

D. Richter — Tue, 20 Jun 2006 23:17:39 +0000

What if the IP address is not that of Amazon & you were not downloading anything from Amazon S3? The IP address listed on my Norton is 70.183.191.43(http(80)) with no mention of Amazon S3? Is it still some type of worm? Thank you! Deborah

By: cardbox

cardbox — Mon, 12 Jun 2006 11:38:19 +0000

Markus, you are quite right, this is essentially a problem caused by badly engineered and overzealous intrusion detection software. But remember that users know (because Symantec spend a lot of money telling them) that Norton Internet Worm Protection protects their systems and cannot possibly do any harm: indeed, that a Windows system without Norton is only half a system and only irresponsible people would use it. Given the certainty that Norton can never be at fault, the user will perceive this attack as a problem with the first web service that he sees being attacked. Anyone who has ever sold software for Windows will know how much time is wasted working round the interference caused by undocumented, badly thought through anti-virus software. Without any public acknowledgement of what the software is actually doing, how it does it, and whether any of it makes sense, there is no pressure on the vendors to produce anything better. Microsoft themselves are not innocent in this regard: they regularly release Windows "security updates" that stop perfectly normal software from working: see, for example, our forum postings from 27 July 2005, 14 October 2005, and 21 April 2006. For the moment, problems such as the one I have described in this posting will be perceived by users as being problems with the Amazon S3 service, or with whatever other web service they are accessing - or with programs built on those services - because they know that nothing else can be at fault. But what is interesting is that at last we have a chance of reaching a tipping point, when "Amazon S3 has problems on an ordinary Windows system [which happens to be running Norton]" suddenly flips over into "Norton causes problems for ordinary Windows systems [which happen to be accessing Amazon]". This could not happen as long as the victims of Norton's PR-heavy incompetence were small software vendors; but now that some big players will be suffering, and there is real money involved, the change has a chance of really taking place. At that point, users will stop seeing anti-virus software as a panacea and will start considering its quality and what it actually does; and the vendors will have to change their culture completely in order to accommodate this. For many of them, this switch from undocumented, feature-laden (broadly speaking) "American" to "European" attitudes to software quality will turn out to be impossible.

By: Markus Kuhn

Markus Kuhn — Mon, 12 Jun 2006 10:43:26 +0000

I’m surprised that you describe this as a vulnerability of Amazon’s S3. This has really nothing at all to do with Amazon S3 or even with any particular class of web services. This denial-of-service attack is entirely created and caused by a badly engineered, oversensitive intrusion-detection-system with overzealous automated response (namely blocking an IP address forever) on your computer, in your particular example Norton Internet Worm Protection. Amazon’s S3 became merely by accident the service that you happend to be playing with when you first stumbled across how dangerous it can be to install too aggressive intrusion-detection systems on your PC. They far too easily become the problem rather than a solution and ultimately increase the attackable surface of your PC by adding lots of badly thought through functionality to your local network stack. I would never want to buy or install any product that destroys the binary transparency of my network connections.