Re: [OT] To people with VoIP SIP Clients (twinkle, etc), friendly-scanner DOS attack

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/14/2010 02:58 PM, Patrick Lists wrote:
> On 10/14/2010 09:29 PM, Rick Sewill wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> This is off topic, but I thought I should tell people.
>>
>> This past weekend, I suffered a DOS attack launched against VOIP SIP
>> Clients.  The attack came, at different times, from 3 separate IP addresses.
> 
> I don't see why you would want to attack a VoIP client. Maybe the dark 
> side knows something I don't. Recently I have seen an increase in brute 
> force register attacks from Chinese networks. But that was on Asterisk 
> servers. I had to block the following networks from which most attacks 
> originated:
> 
> 60.0.0.0/255.248.0.0
> 60.8.0.0/255.254.0.0
> 60.10.0.0/255.255.0.0
> 
> Most other attacks came from the US, France and Brazil.
> 
> Installing fail2ban may help where a single IP tries to brute force 
> itself into a SIP server. But that does not apply to a VoIP client.
> 
> Would you mind sharing which networks your attacks came from?
> 

I hesitate to answer, but will.

The people who own 67.222.1.124 and 184.106.213.202
were very cooperative and interested.

The Chinese IP address was 218.14.146.200.
I could connect to 218.14.146.200 port 80 and saw,
what I thought, was a Chinese job website...I don't know Chinese.
I apologize if the website is not Chinese.

The attack packets had a user agent name of friendly-scanner.

I assumed it was a version of something found at
http://blog.sipvicious.org/

I assume it was looking for an asterisk server.

Unfortunately, my twinkle client decided to reply.
I tried looking for a twinkle configuration option to tell twinkle to
just ignore REGISTER requests, to no avail.

A snippet of the twinkle log looked like the following:


+++ 12-10-2010 09:12:24.764991 INFO SIP ::process_sip_msg
Received from: udp:67.222.1.124:5092
REGISTER sip:24.111.191.152 SIP/2.0
Via: SIP/2.0/UDP 67.222.1.124:5092;branch=z9hG4bK-1019189801;rport
Content-Length: 0
From: "2299812582" <sip:2299812582@xxxxxxxxxxxxxx>
Accept: application/sdp
User-Agent: friendly-scanner
To: "2299812582" <sip:2299812582@xxxxxxxxxxxxxx>
Contact: sip:123@xxxxxxx
CSeq: 1 REGISTER
Call-ID: 1066778109
Max-Forwards: 70


- ---

+++ 12-10-2010 09:12:24.769299 INFO SIP ::send_sip_udp
Send to: udp:218.14.146.200:5069
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP
127.0.0.1:5069;received=218.14.146.200;rport=5069;branch=z9hG4bK-1124511546
To: "3096784503" <sip:3096784503@xxxxxxxxxxxxxx>;tag=gusmt
From: "3096784503" <sip:3096784503@xxxxxxxxxxxxxx>
Call-ID: 497952175
CSeq: 1 REGISTER
Server: Twinkle/1.4.2
Content-Length: 0


- ---

+++ 12-10-2010 09:12:24.770028 INFO SIP ::send_sip_udp
Send to: udp:218.14.146.200:5069
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP
127.0.0.1:5069;received=218.14.146.200;rport=5069;branch=z9hG4bK-404923090
To: "3096784503" <sip:3096784503@xxxxxxxxxxxxxx>;tag=yrkuk
From: "3096784503" <sip:3096784503@xxxxxxxxxxxxxx>
Call-ID: 1619872740
CSeq: 1 REGISTER
Server: Twinkle/1.4.2
Content-Length: 0


- ---

+++ 12-10-2010 09:12:24.770475 INFO SIP ::process_sip_msg
Received from: udp:67.222.1.124:5092
REGISTER sip:24.111.191.152 SIP/2.0
Via: SIP/2.0/UDP 67.222.1.124:5092;branch=z9hG4bK-4261809208;rport
Content-Length: 0
From: "2299812582" <sip:2299812582@xxxxxxxxxxxxxx>
Accept: application/sdp
User-Agent: friendly-scanner
To: "2299812582" <sip:2299812582@xxxxxxxxxxxxxx>
Contact: sip:123@xxxxxxx
CSeq: 1 REGISTER
Call-ID: 2728516634
Max-Forwards: 70


- ---

+++ 12-10-2010 09:12:24.771846 INFO SIP ::process_sip_msg
Received from: udp:218.14.146.200:5069
REGISTER sip:24.111.191.152 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-2590771448;rport
Content-Length: 0
From: "3096784503" <sip:3096784503@xxxxxxxxxxxxxx>
Accept: application/sdp
User-Agent: friendly-scanner
To: "3096784503" <sip:3096784503@xxxxxxxxxxxxxx>
Contact: sip:123@xxxxxxx
CSeq: 1 REGISTER
Call-ID: 3719869292
Max-Forwards: 70


- ---
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAky3iqsACgkQyc8Kn0p/AZTGxgCfYOtgq3yP4qeaFTjv5gMwI6O1
4GkAoIjl3m7n5iOrNTEORClyYtUqf68E
=MMlX
-----END PGP SIGNATURE-----
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux