Thursday, July 2nd, 2015, 8:54 am
Amazon Says I Need to Sue in Order to Merely Find Out Who Uses Their Own Facilities (AWS) to Attack My Site (Update)
Over the past few days I spent a lot of time (never mind emotional impact) pressuring Amazon, having already spent a lot of time battling DDOS attacks which rendered my biggest site inaccessible. After much stonewalling (I had to repeat my request about 5 times only to receive useless replies or no replies at all) I got a message. It took a very long time and much strongly-worded nagging and I finally got a reply (after a day and a half of silence) saying that Amazon cannot “release any customer information upon request. You will need to provide a valid subpoena issued by a court of law” (i.e. start legal action).
So in layman’s terms, my site got attacked by Amazon servers which were rented out to an Amazon customer and when I ask Amazon who is doing this (so that I can take action) they say they cannot tell me and that I must go to expensive lawyers to do so, wasting both time and money in a courtroom.
I have secured evidence of the attacks by now. Tomorrow I may visit some local attorneys, provided any of them might even know what DDOS means (British police certainly didn’t understand what I was talking about when I took my complaints to them).
Here is Amazon’s reply in full:
Hello Roy,
I apologize that you are not satisfied with the communication that you have been receiving. I’d also like to apologize that you were not told that our privacy policy does not permit us to release any customer information upon request. You will need to provide a valid subpoena issued by a court of law. I am sure that you understand that there are laws we need to follow and I would also like to thank you for reporting this as we take security very seriously.
Please forward the subpoena documentation to:
Amazon.com, Inc.
Corporation Service Company
300 Deschutes Way SW, Suite 304
Tumwater, WA 98501
Attn: Legal Department – Subpoena
The request should include the IP address(es) as well as an exact, accurate timestamp, including the timezone, associated with each address.
I apologize for any inconvenience caused by privacy laws. I can assure you that the matter is being dealt with by our specialized abuse team.
I hope that this is helpful.
Thank you for your inquiry. Did I solve your problem?
If yes, please click here:
http://www.amazon.com/gp/help/survey?p=A2O0DWEQD3E8HK&k=hy
If no, please click here:
http://www.amazon.com/gp/help/survey?p=A2O0DWEQD3E8HK&k=hn
Best regards,
[redacted]
http://aws.amazon.com
In short: Waste of money and time in order to find out who’s engaging in abuse, which is very much ridiculous. Amazon is just covering its own behind in case of lawsuits from the client over revelation of identity. Since the abusive servers are Amazon’s I suppose I can just start legal action against Amazon itself, both for DDOS and for refusal to respond to my questions regarding accountability.
My response to Amazon was as follows:
Unless Amazon is willing to settle, I am going to sue Amazon, not waste time and money sending a subpoena. The attacks on my site came, on numerous occasions, from servers owned and operated by Amazon.
Amazon, moreover, repeatedly stonewalled my requests to find out who is accountable, both inside Amazon and in its client/s, whom it is unwilling to unmask despite acknowledgement of abuse (AWS staff already confirmed this in writing).
Please provide me with the address to serve legal papers to, as I am going to sue Amazon for damages, misconducts, and waste of my time.
In the meantime, I shall continue to publicly shame Amazon for this abusive behaviour, in various social media sites and my own e.g. https://schestowitz.com/Weblog/archives/2015/06/28/aws-ddos/
Just because you rent out computing resources does not exempt you from accountability for how these are used.
Updated (29/7/2015): Amazon AWS has just replied to me. Almost ONE MONTH late. I think I know now who knocked the site offline. Bad publicity (online) probably caused this belated reaction from Amazon. To quote AWS:
Dear abuse reporter,
We sincerely apologize for the delay in addressing this abuse case. Our customer has confirmed that the party responsible for this traffic has modified their crawler appropriately. If you’d like to prevent them from crawling your site in future, you can add the following directive to your robots.txt file:
User-agent: revivebot
Disallow: /
If this problem recurs, please open a new abuse report with timestamped logs showing the unwanted traffic. We will make every effort to work with you and our customer to reach a solution.
Thank you for your patience and attention to this matter.
Regards,
AWS Abuse team
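Both Amazon replies ask for the same evidence: source IP addresses with exact timestamps that include the timezone. The following is an added example, not part of the original post or of either e-mail. It assumes the web server writes Apache/nginx "combined" format logs; the sample lines are constructed and use documentation IP ranges. It summarises crawler hits per IP in UTC and confirms that the quoted robots.txt directive covers the crawler.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.robotparser import RobotFileParser

# Directive quoted in the AWS abuse team's reply.
ROBOTS_TXT = "User-agent: revivebot\nDisallow: /\n"

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (not real traffic); note the mixed UTC offsets.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jun/2015:09:15:02 +0100] "GET /Weblog/ HTTP/1.1" 200 5120 "-" "revivebot/1.0"
203.0.113.7 - - [28/Jun/2015:09:15:03 +0100] "GET /Weblog/archives/ HTTP/1.1" 200 812 "-" "revivebot/1.0"
198.51.100.4 - - [28/Jun/2015:09:15:04 +0100] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Jun/2015:23:59:59 -0700] "GET /robots.txt HTTP/1.1" 200 40 "-" "revivebot/1.0"
garbage line that does not parse
"""

def abuse_report(log_text, agent_token="revivebot"):
    """Per-IP summary: hit count plus first/last seen, normalised to UTC."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or agent_token.lower() not in m["agent"].lower():
            continue  # skip malformed lines and unrelated user agents
        # %z reads the logged offset, so converting to UTC is unambiguous
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["ip"]].append(ts.astimezone(timezone.utc))
    return {
        ip: {"hits": len(t), "first": min(t).isoformat(), "last": max(t).isoformat()}
        for ip, t in hits.items()
    }

def blocked_by_robots(robots_txt, agent, url):
    """True if a compliant crawler with this user agent must not fetch url."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return not rp.can_fetch(agent, url)

if __name__ == "__main__":
    for ip, row in abuse_report(SAMPLE_LOG).items():
        print(ip, row["hits"], row["first"], row["last"])
    print(blocked_by_robots(ROBOTS_TXT, "revivebot", "/Weblog/"))
```

robots.txt is advisory and only binds crawlers that choose to honour it, so the log summary is what shows whether the traffic actually stopped.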
July 21st, 2015 at 12:23 am
I’m curious to find out what blog platform you have been utilizing?
I’m experiencing some minor security problems with my latest site and I’d
like to find something more safe. Do you have any suggestions?