[VoiceOps] Strange attacks over the weekend
Alex Balashov
abalashov at evaristesys.com
Mon Nov 1 16:28:03 EDT 2010
One of our large local customers here in Atlanta was hit with a
brute-force and extremely intensive REGISTER scan late this
morning/early this afternoon from 5 IPs -- 2 in Indonesia, 1 in
Argentina, 1 in Russia, and one other from the Philippines that I don't
have on hand:
125.162.94.57
110.137.65.131
186.137.208.202
217.118.90.189
... that we could identify. We don't know if they were part of a
coordinated scan or just launched in parallel, but they were fairly
sophisticated in that they detected the nomenclature and length
assignment patterns in extensions (403 Forbidden vs. 401 Unauthorized, I
suppose) and zeroed in on those.
No toll fraud took place, but they did take down several Asterisk
processes due to Asterisk's inability to cope with this volume of
requests. I would have put the intensity at about ~5-10 per second.
--
Alex Balashov - Principal
Evariste Systems LLC
1170 Peachtree Street
12th Floor, Suite 1200
Atlanta, GA 30309
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
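
The pattern reported in the message above (a few sources sending failed REGISTERs at several per second across many extensions) can be caught with a per-source sliding window. This is an added example, not part of the original post; the record layout, thresholds and documentation-range addresses are constructed assumptions, not an Asterisk log format.

```python
from collections import defaultdict, deque

def detect_register_scans(records, window=10.0, max_failures=30, max_extensions=10):
    """Flag sources whose failed REGISTERs within `window` seconds reach both
    thresholds. Returns {ip: (peak failures in window, peak distinct extensions)}."""
    recent = defaultdict(deque)   # ip -> (timestamp, extension) of recent failures
    flagged = {}
    for ts, ip, method, ext, code in sorted(records):
        # A lone 401 is the normal digest challenge, so volume and spread
        # across extensions are the signal, not the status code by itself.
        if method != "REGISTER" or code not in (401, 403):
            continue
        q = recent[ip]
        q.append((ts, ext))
        while q and q[0][0] <= ts - window:   # evict entries older than the window
            q.popleft()
        spread = len({e for _, e in q})
        if len(q) >= max_failures and spread >= max_extensions:
            peak = flagged.get(ip, (0, 0))
            flagged[ip] = (max(peak[0], len(q)), max(peak[1], spread))
    return flagged

def constructed_sample():
    """Constructed records: (epoch seconds, source IP, method, extension, status)."""
    records = []
    # Scanning source: 8 REGISTERs per second for 5 s over extensions 1000-1039.
    for i in range(40):
        code = 401 if i % 4 == 0 else 403
        records.append((1000.0 + i / 8, "198.51.100.7", "REGISTER", str(1000 + i), code))
    # Ordinary phone: re-registers every 60 s, one 401 challenge then 200 OK.
    for k in range(5):
        t = 1000.0 + 60 * k
        records.append((t, "192.0.2.10", "REGISTER", "2001", 401))
        records.append((t + 0.1, "192.0.2.10", "REGISTER", "2001", 200))
    return records

if __name__ == "__main__":
    for ip, (failures, extensions) in detect_register_scans(constructed_sample()).items():
        print(f"{ip}: {failures} failed REGISTERs across {extensions} extensions")
```

Flagged sources would typically be handed to a firewall or rate limiter in front of the SIP server, so that the volume never reaches the registrar process.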