[VoiceOps] Strange attacks over the weekend

Mon Nov 1 16:14:03 EDT 2010

Richard Barnes wrote:
> So, going back to your original question, the answer might not be
> "VoIP based botnet", but rather "VoIP targeted botnet" -- a botnet
> that's trying to brute-force passwords for access into a VoIP system.
>   

So I wasn't the only one seeing this:

http://www.stuartsheldon.org/blog/2010/11/sip-brute-force-attacks-escalate-over-halloween-weekend/

Anyhow, yesterday one of my servers (count it ONE) was hit up over 1640+
attacks from a variety of different hosts. It's really not a big deal to
see dozens, even a couple of hundred attacks hit a machine, but
something definitely seems odd. I believe someone has either done one of
the following:

1) Created a distributed "scanner slash bruteforcer" platform
2) Discovered a vulnerability in some VoIP based application
3) Created a VoIP based botnet

#2 wouldn't make any sense because they wouldn't need to bruteforce. #1
Makes more sense because at certain points in time, multiple attacks are
launched from different hosts with the numbers incremented with no host
overlapping the other. #3 is another possibility - think "Crimepack" or
some other exploit kit.

Perhaps its time to work with vendors, RFC folk and others to find some
mechanism to flag these attacks? I'm thinking of a variable to be
inserted into a SIP message that says "oh no, not on my system you
don't." While the VoIP Abuse Project is fun for me, there is no way I
will be able to perform nslookups, detail the who's who for the vast
majority of these hosts. Any suggestions?

I could do something to the tune of:

if $attacker shows_up_here

then $post $attacker DATABASE & call DB_INFO from a webpage

fi

Where others can pull from whatever addresses are visible. This would
apply to others who have their IP PBX's visible to the world for some
reason or another. I'm still scratching my head as to what occurred
yesterday though. On the above listed blog, some of the information
differs as to what I see:

1) As many as 10 parallel scans started from different hosts using
different ranges, e.g., 10.10.10.x, 10.20.20.x, 10.30.30.x would scan
say accounts 1000-1999, 2000-2999, 3000-3999 and so on.
2) As many as 5 parallel scans would start bruteforcing accounts found,
e.g., 10.10.10.x, 10.20.20.x, would start bruteforcing in parallel
accounts 1012 and 2500.
3) My honeypots began blocking attacks and immediately after, another
host would pick up where one left if. e.g., say if 10.10.10.x was
scanning 1000-1999 and was firewalled at 1200, another address picked up
the slack for 1201-1999

Right now, I haven't even parsed through the logs of my other servers as
I'm playing catch-up with work.

As it stands: http://www.infiltrated.net/voipabuse/logs/october2010.html
October 31st was a strange day, but today is no different. As of this
writing, since midnight there have been 609 attacks against one server
and it seems some attackers are heavily fiddling with international
dialing attempts (http://www.infiltrated.net/voipabuse/logs/): (Captured
calls from my Asterisk based honeypot)

$ tail -n 10 /usr/share/arcade-project/calls
001120161448455 10282010-16:34:10 - my.sanitized.address <guest> -
SIP/guest-f56150f0
3320161448455 10282010-16:34:57 - my.sanitized.address <guest> -
SIP/guest-f2f56c58
8**1020161448455 10282010-16:36:31 - my.sanitized.address <guest> -
SIP/guest-f2f00018
19**20161448455 10282010-16:38:34 - my.sanitized.address <guest> -
SIP/guest-f6282eb8
19**20161448455 10282010-16:38:54 - my.sanitized.address <guest> -
SIP/guest-09dda5b8
01185099930015 11012010-15:19:09 - my.sanitized.address <guest> -
SIP/guest-f62732e0
901185099930015 11012010-15:19:20 - my.sanitized.address <guest> -
SIP/guest-f6231548

# grep 448455 /usr/share/arcade-project/calls
01120161448455 10212010-04:49:05 - my.sanitized.address <guest> -
SIP/guest-09baa3a0
901120161448455 10212010-04:49:46 - my.sanitized.address <guest> -
SIP/guest-09d20250
801120161448455 10212010-04:50:32 - my.sanitized.address <guest> -
SIP/guest-09cf72a8
55520161448455 10212010-04:51:46 - my.sanitized.address <guest> -
SIP/guest-09e900a0
801120161448455 10212010-04:52:14 - my.sanitized.address <guest> -
SIP/guest-09e900a0
001120161448455 10282010-16:34:10 - my.sanitized.address <guest> -
SIP/guest-f56150f0
3320161448455 10282010-16:34:57 - my.sanitized.address <guest> -
SIP/guest-f2f56c58
8**1020161448455 10282010-16:36:31 - my.sanitized.address <guest> -
SIP/guest-f2f00018
19**20161448455 10282010-16:38:34 - my.sanitized.address <guest> -
SIP/guest-f6282eb8
19**20161448455 10282010-16:38:54 - my.sanitized.address <guest> -
SIP/guest-09dda5b8

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E