-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/14/2010 02:58 PM, Patrick Lists wrote:
> On 10/14/2010 09:29 PM, Rick Sewill wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> This is off topic, but I thought I should tell people.
>>
>> This past weekend, I suffered a DOS attack launched against VOIP SIP
>> Clients. The attack came, at different times, from 3 separate IP addresses.
>
> I don't see why you would want to attack a VoIP client. Maybe the dark
> side knows something I don't. Recently I have seen an increase in brute
> force register attacks from Chinese networks. But that was on Asterisk
> servers. I had to block the following networks from which most attacks
> originated:
>
> 60.0.0.0/255.248.0.0
> 60.8.0.0/255.254.0.0
> 60.10.0.0/255.255.0.0
>
> Most other attacks came from the US, France and Brazil.
>
> Installing fail2ban may help where a single IP tries to brute force
> itself into a SIP server. But that does not apply to a VoIP client.
>
> Would you mind sharing which networks your attacks came from?
>

I hesitate to answer, but will.

The people who own 67.222.1.124 and 184.106.213.202 were very cooperative
and interested.

The Chinese IP address was 218.14.146.200. I could connect to
218.14.146.200 port 80 and saw what I thought was a Chinese job
website... I don't know Chinese. I apologize if the website is not Chinese.

The attack packets had a user agent name of friendly-scanner.
I assumed it was a version of something found at http://blog.sipvicious.org/
I assume it was looking for an asterisk server.

Unfortunately, my twinkle client decided to reply.
I tried looking for a twinkle configuration option to tell twinkle to
just ignore REGISTER requests, to no avail.

A snippet of the twinkle log looked like the following:

+++ 12-10-2010 09:12:24.764991 INFO SIP ::process_sip_msg
Received from: udp:67.222.1.124:5092
REGISTER sip:24.111.191.152 SIP/2.0
Via: SIP/2.0/UDP 67.222.1.124:5092;branch=z9hG4bK-1019189801;rport
Content-Length: 0
From: "2299812582" <sip:2299812582@xxxxxxxxxxxxxx>
Accept: application/sdp
User-Agent: friendly-scanner
To: "2299812582" <sip:2299812582@xxxxxxxxxxxxxx>
Contact: sip:123@xxxxxxx
CSeq: 1 REGISTER
Call-ID: 1066778109
Max-Forwards: 70
- ---
+++ 12-10-2010 09:12:24.769299 INFO SIP ::send_sip_udp
Send to: udp:218.14.146.200:5069
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 127.0.0.1:5069;received=218.14.146.200;rport=5069;branch=z9hG4bK-1124511546
To: "3096784503" <sip:3096784503@xxxxxxxxxxxxxx>;tag=gusmt
From: "3096784503" <sip:3096784503@xxxxxxxxxxxxxx>
Call-ID: 497952175
CSeq: 1 REGISTER
Server: Twinkle/1.4.2
Content-Length: 0
- ---
+++ 12-10-2010 09:12:24.770028 INFO SIP ::send_sip_udp
Send to: udp:218.14.146.200:5069
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 127.0.0.1:5069;received=218.14.146.200;rport=5069;branch=z9hG4bK-404923090
To: "3096784503" <sip:3096784503@xxxxxxxxxxxxxx>;tag=yrkuk
From: "3096784503" <sip:3096784503@xxxxxxxxxxxxxx>
Call-ID: 1619872740
CSeq: 1 REGISTER
Server: Twinkle/1.4.2
Content-Length: 0
- ---
+++ 12-10-2010 09:12:24.770475 INFO SIP ::process_sip_msg
Received from: udp:67.222.1.124:5092
REGISTER sip:24.111.191.152 SIP/2.0
Via: SIP/2.0/UDP 67.222.1.124:5092;branch=z9hG4bK-4261809208;rport
Content-Length: 0
From: "2299812582" <sip:2299812582@xxxxxxxxxxxxxx>
Accept: application/sdp
User-Agent: friendly-scanner
To: "2299812582" <sip:2299812582@xxxxxxxxxxxxxx>
Contact: sip:123@xxxxxxx
CSeq: 1 REGISTER
Call-ID: 2728516634
Max-Forwards: 70
- ---
+++ 12-10-2010 09:12:24.771846 INFO SIP ::process_sip_msg
Received from: udp:218.14.146.200:5069
REGISTER sip:24.111.191.152 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-2590771448;rport
Content-Length: 0
From: "3096784503" <sip:3096784503@xxxxxxxxxxxxxx>
Accept: application/sdp
User-Agent: friendly-scanner
To: "3096784503" <sip:3096784503@xxxxxxxxxxxxxx>
Contact: sip:123@xxxxxxx
CSeq: 1 REGISTER
Call-ID: 3719869292
Max-Forwards: 70
- ---

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAky3iqsACgkQyc8Kn0p/AZTGxgCfYOtgq3yP4qeaFTjv5gMwI6O1
4GkAoIjl3m7n5iOrNTEORClyYtUqf68E
=MMlX
-----END PGP SIGNATURE-----

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
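The mail above describes two things a defender can act on even when the client has no option to ignore REGISTER requests: the scanner announces itself in the User-Agent header, and the log records both the inbound probes and every 403 the client sends back. The following is an added example, not code from the original mail and not part of the Twinkle project. It parses log blocks in the layout the mail shows (a `+++ <date> <time> INFO SIP ::<function>` line, a `Received from:`/`Send to:` line, the SIP start line, headers, and a `- ---` separator; the date is assumed to be day-month-year), flags sources that either present a known scanner User-Agent or exceed a request-rate threshold, and counts how many replies the client sent per destination. The thresholds, the `SCANNER_AGENTS` set and the helper names are assumptions for the example; the sample log is constructed here using documentation address space (192.0.2.0/24), not real traffic.

```python
"""Detect REGISTER scanning in a Twinkle-style SIP log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log layout as seen in the mail; the "+++" line carries the timestamp and
# the logging function, the next line names the UDP peer.
HEADER_RE = re.compile(r"^\+\+\+ (\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) INFO SIP ::(\S+)")
PEER_RE = re.compile(r"^(Received from|Send to): udp:(\d+\.\d+\.\d+\.\d+):(\d+)")

# Assumed detection policy (not from the mail): flag a source that sends more
# than THRESHOLD REGISTERs inside WINDOW, or that uses a scanner User-Agent.
THRESHOLD = 5
WINDOW = timedelta(seconds=10)
SCANNER_AGENTS = {"friendly-scanner"}  # the User-Agent quoted in the mail


def parse_twinkle_log(text):
    """Return one dict per logged SIP message: time, direction, peer ip, start line, headers."""
    entries = []
    for block in text.split("- ---"):
        lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
        if len(lines) < 3:
            continue
        head = HEADER_RE.match(lines[0])
        peer = PEER_RE.match(lines[1])
        if not head or not peer:
            continue  # not a message block (or a layout we do not understand)
        entry = {
            "time": datetime.strptime(head.group(1), "%d-%m-%Y %H:%M:%S.%f"),
            "direction": "in" if peer.group(1) == "Received from" else "out",
            "ip": peer.group(2),
            "start_line": lines[2],
            "headers": {},
        }
        for hdr in lines[3:]:
            name, sep, value = hdr.partition(":")  # split at the first colon only
            if sep:
                entry["headers"][name.strip().lower()] = value.strip()
        entries.append(entry)
    return entries


def find_register_scanners(entries):
    """Return {ip: reason} for inbound REGISTER senders that look like scanners."""
    flagged = {}
    times = defaultdict(list)
    for e in entries:
        if e["direction"] != "in" or not e["start_line"].startswith("REGISTER "):
            continue
        ua = e["headers"].get("user-agent", "")
        if ua in SCANNER_AGENTS:
            flagged.setdefault(e["ip"], f"scanner User-Agent {ua!r}")
        times[e["ip"]].append(e["time"])
    for ip, ts in times.items():
        ts.sort()
        start = 0  # sliding window over the sorted request times
        for end in range(len(ts)):
            while ts[end] - ts[start] > WINDOW:
                start += 1
            if end - start + 1 > THRESHOLD:
                flagged.setdefault(ip, f"{end - start + 1} REGISTERs within {WINDOW.seconds}s")
                break
    return flagged


def count_replies(entries):
    """Count outbound messages per destination: each 403 the client returns to a
    probe costs bandwidth and confirms to the sender that a SIP stack is listening."""
    counts = defaultdict(int)
    for e in entries:
        if e["direction"] == "out":
            counts[e["ip"]] += 1
    return dict(counts)


def make_block(ts, direction, ip, port, start_line, headers):
    """Build one log block in the mail's layout (used only to construct sample input)."""
    func = "process_sip_msg" if direction == "in" else "send_sip_udp"
    peer = "Received from" if direction == "in" else "Send to"
    lines = [f"+++ {ts.strftime('%d-%m-%Y %H:%M:%S.%f')} INFO SIP ::{func}",
             f"{peer}: udp:{ip}:{port}", start_line]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    return "\n".join(lines) + "\n- ---\n"


def build_sample_log():
    """Constructed sample (not real traffic): one scanner probe and the 403 it drew,
    one benign phone REGISTER, and a 7-request burst that only the rate rule catches."""
    t0 = datetime(2010, 10, 12, 9, 12, 24)
    base = {"Content-Length": "0", "CSeq": "1 REGISTER", "Max-Forwards": "70"}
    reg = "REGISTER sip:192.0.2.1 SIP/2.0"
    log = make_block(t0, "in", "192.0.2.10", 5092, reg,
                     {**base, "User-Agent": "friendly-scanner", "Call-ID": "1066778109"})
    log += make_block(t0 + timedelta(milliseconds=5), "out", "192.0.2.10", 5092,
                      "SIP/2.0 403 Forbidden", {"Server": "Twinkle/1.4.2", "Content-Length": "0"})
    log += make_block(t0 + timedelta(seconds=30), "in", "192.0.2.20", 5060, reg,
                      {**base, "User-Agent": "Desk Phone/1.0", "Call-ID": "42"})
    for i in range(7):
        log += make_block(t0 + timedelta(seconds=60, milliseconds=200 * i), "in", "192.0.2.30",
                          5060, reg, {**base, "User-Agent": "Softphone/2.0", "Call-ID": str(1000 + i)})
    return log


if __name__ == "__main__":
    parsed = parse_twinkle_log(build_sample_log())
    for src, why in find_register_scanners(parsed).items():
        print(f"{src}: {why}")
    print("replies sent per destination:", count_replies(parsed))
```

Run against a real Twinkle log, the flagged addresses are the ones to hand to a host firewall or a fail2ban-style rule for the UDP SIP port; the reply counts show how much traffic the client itself generated by answering, which is the part of the incident the mail's author could not switch off in the client.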