Re: [OT] To people with VoIP SIP Clients (twinkle, etc), friendly-scanner DOS attack

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



  On 10/14/2010 03:56 PM, Rick Sewill wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/14/2010 02:58 PM, Patrick Lists wrote:
>> On 10/14/2010 09:29 PM, Rick Sewill wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>>
>>> This is off topic, but I thought I should tell people.
>>>
>>> This past weekend, I suffered a DOS attack launched against VOIP SIP
>>> Clients.  The attack came, at different times, from 3 separate IP addresses.
>> I don't see why you would want to attack a VoIP client. Maybe the dark
>> side knows something I don't. Recently I have seen an increase in brute
>> force register attacks from Chinese networks. But that was on Asterisk
>> servers. I had to block the following networks from which most attacks
>> originated:
>>
>> 60.0.0.0/255.248.0.0
>> 60.8.0.0/255.254.0.0
>> 60.10.0.0/255.255.0.0
>>
>> Most other attacks came from the US, France and Brazil.
>>
>> Installing fail2ban may help where a single IP tries to brute force
>> itself into a SIP server. But that does not apply to a VoIP client.
>>
>> Would you mind sharing which networks your attacks came from?
>>
> I hesitate to answer, but will.
>
> The people who own 67.222.1.124 and 184.106.213.202
> were very cooperative and interested.
>
> The Chinese IP address was 218.14.146.200.
> I could connect to 218.14.146.200 port 80 and saw,
> what I thought, was a Chinese job website...I don't know Chinese.
> I apologize if the website is not Chinese.
>
> The attack packets had a user agent name of friendly-scanner.
>
> I assumed it was a version of something found at
> http://blog.sipvicious.org/
>
> I assume it was looking for an asterisk server.
>
> Unfortunately, my twinkle client decided to reply.
> I tried looking for a twinkle configuration option to tell twinkle to
> just ignore REGISTER requests, to no avail.
>
> A snippet of the twinkle log looked like the following:
>
>
> +++ 12-10-2010 09:12:24.764991 INFO SIP ::process_sip_msg
> Received from: udp:67.222.1.124:5092
> REGISTER sip:24.111.191.152 SIP/2.0
> Via: SIP/2.0/UDP 67.222.1.124:5092;branch=z9hG4bK-1019189801;rport
> Content-Length: 0
> From: "2299812582"<sip:2299812582@xxxxxxxxxxxxxx>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "2299812582"<sip:2299812582@xxxxxxxxxxxxxx>
> Contact: sip:123@xxxxxxx
> CSeq: 1 REGISTER
> Call-ID: 1066778109
> Max-Forwards: 70
>
>
> - ---
>
> +++ 12-10-2010 09:12:24.769299 INFO SIP ::send_sip_udp
> Send to: udp:218.14.146.200:5069
> SIP/2.0 403 Forbidden
> Via: SIP/2.0/UDP
> 127.0.0.1:5069;received=218.14.146.200;rport=5069;branch=z9hG4bK-1124511546
> To: "3096784503"<sip:3096784503@xxxxxxxxxxxxxx>;tag=gusmt
> From: "3096784503"<sip:3096784503@xxxxxxxxxxxxxx>
> Call-ID: 497952175
> CSeq: 1 REGISTER
> Server: Twinkle/1.4.2
> Content-Length: 0
>
>
> - ---
>
> +++ 12-10-2010 09:12:24.770028 INFO SIP ::send_sip_udp
> Send to: udp:218.14.146.200:5069
> SIP/2.0 403 Forbidden
> Via: SIP/2.0/UDP
> 127.0.0.1:5069;received=218.14.146.200;rport=5069;branch=z9hG4bK-404923090
> To: "3096784503"<sip:3096784503@xxxxxxxxxxxxxx>;tag=yrkuk
> From: "3096784503"<sip:3096784503@xxxxxxxxxxxxxx>
> Call-ID: 1619872740
> CSeq: 1 REGISTER
> Server: Twinkle/1.4.2
> Content-Length: 0
>
>
> - ---
>
> +++ 12-10-2010 09:12:24.770475 INFO SIP ::process_sip_msg
> Received from: udp:67.222.1.124:5092
> REGISTER sip:24.111.191.152 SIP/2.0
> Via: SIP/2.0/UDP 67.222.1.124:5092;branch=z9hG4bK-4261809208;rport
> Content-Length: 0
> From: "2299812582"<sip:2299812582@xxxxxxxxxxxxxx>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "2299812582"<sip:2299812582@xxxxxxxxxxxxxx>
> Contact: sip:123@xxxxxxx
> CSeq: 1 REGISTER
> Call-ID: 2728516634
> Max-Forwards: 70
>
>
> - ---
>
> +++ 12-10-2010 09:12:24.771846 INFO SIP ::process_sip_msg
> Received from: udp:218.14.146.200:5069
> REGISTER sip:24.111.191.152 SIP/2.0
> Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-2590771448;rport
> Content-Length: 0
> From: "3096784503"<sip:3096784503@xxxxxxxxxxxxxx>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "3096784503"<sip:3096784503@xxxxxxxxxxxxxx>
> Contact: sip:123@xxxxxxx
> CSeq: 1 REGISTER
> Call-ID: 3719869292
> Max-Forwards: 70
>
>
> - ---
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAky3iqsACgkQyc8Kn0p/AZTGxgCfYOtgq3yP4qeaFTjv5gMwI6O1
> 4GkAoIjl3m7n5iOrNTEORClyYtUqf68E
> =MMlX
> -----END PGP SIGNATURE-----
I have a Netgear SPH200D Skype phone
connected to my firewalled router.
I have to reboot SPH200D almost every other day
because of hacks that bring it down. I have no idea where
the hacks are coming from because I cannot login/telnet/ssh
into SPH200D because it refuses these connection reqs.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux