On 10/14/2010 03:56 PM, Rick Sewill wrote:
> On 10/14/2010 02:58 PM, Patrick Lists wrote:
>> On 10/14/2010 09:29 PM, Rick Sewill wrote:
>>> This is off topic, but I thought I should tell people.
>>>
>>> This past weekend, I suffered a DOS attack launched against VOIP SIP
>>> Clients. The attack came, at different times, from 3 separate IP addresses.
>>
>> I don't see why you would want to attack a VoIP client. Maybe the dark
>> side knows something I don't. Recently I have seen an increase in brute
>> force register attacks from Chinese networks. But that was on Asterisk
>> servers. I had to block the following networks from which most attacks
>> originated:
>>
>> 60.0.0.0/255.248.0.0
>> 60.8.0.0/255.254.0.0
>> 60.10.0.0/255.255.0.0
>>
>> Most other attacks came from the US, France and Brazil.
>>
>> Installing fail2ban may help where a single IP tries to brute force
>> itself into a SIP server. But that does not apply to a VoIP client.
>>
>> Would you mind sharing which networks your attacks came from?
>>
> I hesitate to answer, but will.
>
> The people who own 67.222.1.124 and 184.106.213.202
> were very cooperative and interested.
>
> The Chinese IP address was 218.14.146.200.
> I could connect to 218.14.146.200 port 80 and saw
> what I thought was a Chinese job website... I don't know Chinese.
> I apologize if the website is not Chinese.
>
> The attack packets had a user agent name of friendly-scanner.
>
> I assumed it was a version of something found at
> http://blog.sipvicious.org/
>
> I assume it was looking for an asterisk server.
>
> Unfortunately, my twinkle client decided to reply.
> I tried looking for a twinkle configuration option to tell twinkle to
> just ignore REGISTER requests, to no avail.
>
> A snippet of the twinkle log looked like the following:
>
> +++ 12-10-2010 09:12:24.764991 INFO SIP ::process_sip_msg
> Received from: udp:67.222.1.124:5092
> REGISTER sip:24.111.191.152 SIP/2.0
> Via: SIP/2.0/UDP 67.222.1.124:5092;branch=z9hG4bK-1019189801;rport
> Content-Length: 0
> From: "2299812582"<sip:2299812582@xxxxxxxxxxxxxx>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "2299812582"<sip:2299812582@xxxxxxxxxxxxxx>
> Contact: sip:123@xxxxxxx
> CSeq: 1 REGISTER
> Call-ID: 1066778109
> Max-Forwards: 70
>
> ---
>
> +++ 12-10-2010 09:12:24.769299 INFO SIP ::send_sip_udp
> Send to: udp:218.14.146.200:5069
> SIP/2.0 403 Forbidden
> Via: SIP/2.0/UDP 127.0.0.1:5069;received=218.14.146.200;rport=5069;branch=z9hG4bK-1124511546
> To: "3096784503"<sip:3096784503@xxxxxxxxxxxxxx>;tag=gusmt
> From: "3096784503"<sip:3096784503@xxxxxxxxxxxxxx>
> Call-ID: 497952175
> CSeq: 1 REGISTER
> Server: Twinkle/1.4.2
> Content-Length: 0
>
> ---
>
> +++ 12-10-2010 09:12:24.770028 INFO SIP ::send_sip_udp
> Send to: udp:218.14.146.200:5069
> SIP/2.0 403 Forbidden
> Via: SIP/2.0/UDP 127.0.0.1:5069;received=218.14.146.200;rport=5069;branch=z9hG4bK-404923090
> To: "3096784503"<sip:3096784503@xxxxxxxxxxxxxx>;tag=yrkuk
> From: "3096784503"<sip:3096784503@xxxxxxxxxxxxxx>
> Call-ID: 1619872740
> CSeq: 1 REGISTER
> Server: Twinkle/1.4.2
> Content-Length: 0
>
> ---
>
> +++ 12-10-2010 09:12:24.770475 INFO SIP ::process_sip_msg
> Received from: udp:67.222.1.124:5092
> REGISTER sip:24.111.191.152 SIP/2.0
> Via: SIP/2.0/UDP 67.222.1.124:5092;branch=z9hG4bK-4261809208;rport
> Content-Length: 0
> From: "2299812582"<sip:2299812582@xxxxxxxxxxxxxx>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "2299812582"<sip:2299812582@xxxxxxxxxxxxxx>
> Contact: sip:123@xxxxxxx
> CSeq: 1 REGISTER
> Call-ID: 2728516634
> Max-Forwards: 70
>
> ---
>
> +++ 12-10-2010 09:12:24.771846 INFO SIP ::process_sip_msg
> Received from: udp:218.14.146.200:5069
> REGISTER sip:24.111.191.152 SIP/2.0
> Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-2590771448;rport
> Content-Length: 0
> From: "3096784503"<sip:3096784503@xxxxxxxxxxxxxx>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "3096784503"<sip:3096784503@xxxxxxxxxxxxxx>
> Contact: sip:123@xxxxxxx
> CSeq: 1 REGISTER
> Call-ID: 3719869292
> Max-Forwards: 70
>
> ---

I have a Netgear SPH200D Skype phone connected to my firewalled router. I have to reboot the SPH200D almost every other day because of hacks that bring it down. I have no idea where the hacks are coming from because I cannot login/telnet/ssh into the SPH200D; it refuses these connection reqs.
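The Twinkle log quoted in the thread shows the two things a defender can key on: inbound REGISTER requests whose User-Agent is friendly-scanner, and the client's own 403 replies going back to the scanner. The Python below is an added example, not part of the thread and not a Twinkle tool; it parses that log layout and counts scanner REGISTERs per source IP, using a constructed sample log with RFC 5737 addresses.

```python
import re
from collections import Counter

# Constructed sample (RFC 5737 addresses) in the layout of the Twinkle log quoted
# above: "+++" timestamp line, "Received from:"/"Send to:" line, SIP start line,
# headers, then a "---" separator.
SAMPLE_LOG = """\
+++ 12-10-2010 09:12:24.764991 INFO SIP ::process_sip_msg
Received from: udp:198.51.100.7:5092
REGISTER sip:203.0.113.10 SIP/2.0
User-Agent: friendly-scanner
CSeq: 1 REGISTER
---
+++ 12-10-2010 09:12:24.769299 INFO SIP ::send_sip_udp
Send to: udp:198.51.100.7:5092
SIP/2.0 403 Forbidden
Server: Twinkle/1.4.2
---
+++ 12-10-2010 09:12:24.771846 INFO SIP ::process_sip_msg
Received from: udp:192.0.2.44:5069
REGISTER sip:203.0.113.10 SIP/2.0
User-Agent: Friendly-Scanner
---
"""

ENTRY_RE = re.compile(
    r"^\+\+\+ (?P<ts>\S+ \S+) INFO SIP ::(?P<fn>\w+)\n"
    r"(?:Received from|Send to): udp:(?P<ip>[\d.]+):\d+\n"
    r"(?P<msg>.*?)\n---", re.S | re.M)

def parse_twinkle_log(text):
    """Return one dict per logged SIP message (direction, peer IP, start line, headers)."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        start, _, rest = m["msg"].partition("\n")
        headers = {}
        for line in rest.splitlines():
            name, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                headers[name.strip().lower()] = value.strip()
        entries.append({"ts": m["ts"], "inbound": m["fn"] == "process_sip_msg",
                        "ip": m["ip"], "start": start, "headers": headers})
    return entries

def scanner_sources(entries, ua_marker="friendly-scanner"):
    """Count inbound REGISTER requests per source IP whose User-Agent carries the
    scanner marker; outbound replies (e.g. the client's own 403s) are excluded."""
    return Counter(e["ip"] for e in entries
                   if e["inbound"] and e["start"].startswith("REGISTER ")
                   and ua_marker in e["headers"].get("user-agent", "").lower())
```

Per-source counts from a real log would feed a firewall block list or a fail2ban-style rule; the direction check keeps the client's own 403 replies from being miscounted as attack traffic.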