[VoiceOps] Weird SIP attacks...

John Todd jtodd at loligo.com
Wed Aug 19 16:55:43 EDT 2009


On Aug 19, 2009, at 4:31 PM, Jason Vanick wrote:

>
> Has anybody noticed any SIP attacks coming in from 217.23.0.125 or
> other IPs?
>
> The profile of the attack was basically a scan of every IP on
> several of my segments at port 5060.
> The packets were all fragmented into approx 8.7k worth of data.
>
> Unfortunately I don't have any sniffer captures of what they were
> trying to do.
>
> Anybody else seeing anything like this lately?
>
> -J

While this is not quite enough data to go on, I'd say you're  
experiencing Part I of III of the SIPvicious attack process (scan for  
SIP, scan for valid UIDs, brute force passwords.)

Other tools which may be attacking you:

  http://www.voipsa.org/Resources/tools.php

Protection methods are of course at your discretion, but sane IP  
filtering is a good first choice (if possible) layered on top of a  
good username scheme, layered on top of strict password enforcement.   
Additionally, others have had some luck building dynamic filters based  
on tripwire criteria such as broad sweeps of your IP space.

JT
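
The sweep tripwire mentioned in the reply above, as an added example that is not part of the original thread: it flags any source that sends to port 5060 on many distinct addresses inside a short window, while ignoring trusted peers and slow traffic. The log format, thresholds, function names and the documentation-range addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

SIP_PORT = 5060

def parse(line):
    """Parse one constructed log line: '<epoch_s> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, port = line.split()
    return float(ts), src, dst, int(port)

def find_sweepers(events, min_targets=5, window=60.0, trusted=()):
    """Return {src: time it first hit min_targets distinct SIP destinations
    inside a sliding window}. events must be in time order."""
    recent = defaultdict(deque)                      # src -> (ts, dst) in window
    seen = defaultdict(lambda: defaultdict(int))     # src -> dst -> hits in window
    flagged = {}
    for ts, src, dst, port in events:
        if port != SIP_PORT or src in trusted or src in flagged:
            continue
        recent[src].append((ts, dst))
        seen[src][dst] += 1
        # Expire hits older than the window so slow, legitimate traffic
        # never accumulates toward the threshold.
        while ts - recent[src][0][0] > window:
            _, old = recent[src].popleft()
            seen[src][old] -= 1
            if seen[src][old] == 0:
                del seen[src][old]
        if len(seen[src]) >= min_targets:
            flagged[src] = ts                        # candidate for a dynamic filter
    return flagged

# Constructed sample traffic (documentation address ranges only).
SAMPLE = """\
0 203.0.113.10 198.51.100.5 5060
1 192.0.2.66 198.51.100.1 5060
2 192.0.2.66 198.51.100.2 5060
3 192.0.2.66 198.51.100.3 5060
4 203.0.113.10 198.51.100.5 5060
5 192.0.2.66 198.51.100.4 5060
6 192.0.2.66 198.51.100.5 5060
10 192.0.2.77 198.51.100.1 5060
100 192.0.2.77 198.51.100.2 5060
200 192.0.2.77 198.51.100.3 5060
300 192.0.2.77 198.51.100.4 5060
400 192.0.2.77 198.51.100.5 5060
""".splitlines()

if __name__ == "__main__":
    for src, ts in find_sweepers(map(parse, SAMPLE)).items():
        print(f"tripwire: {src} swept port {SIP_PORT} at t={ts:.0f}s")
```

The returned addresses are what a dynamic filter would block; the `trusted` set stands in for the static IP filtering layer, so known peers are never flagged.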


