[VoiceOps] Strange attacks over the weekend

J. Oquendo sil at infiltrated.net
Mon Nov 1 16:44:49 EDT 2010


Alex Balashov wrote:
> One of our large local customers here in Atlanta was hit with a
> brute-force and extremely intensive REGISTER scan late this
> morning/early this afternoon from 5 IPs -- 2 in Indonesia, 1 in
> Argentina, 1 in Russia, and one other from the Philippines that I
> don't have on hand:
>
>   125.162.94.57
>   110.137.65.131
>   186.137.208.202
>   217.118.90.189
>
> ... that we could identify.  We don't know if they were part of a
> coordinated scan or just launched in parallel, but they were fairly
> sophisticated in that they detected the nomenclature and length
> assignment patterns in extensions (403 Forbidden vs. 401 Unauthorized,
> I suppose) and zeroed in on those.
>
> No toll fraud took place, but they did take down several Asterisk
> processes due to Asterisk's inability to cope with this volume of
> requests.  I would have put the intensity at about ~5-10 per second.
>
None of those hosts are visible to me:

# echo "125.162.94.57
110.137.65.131
186.137.208.202
217.118.90.189" | while read luzer ; do grep -c $luzer OCT ; done
0
0
0
0

Max connects I've seen in parallel so far, 11 addresses all scattered.
Definitely a cut above the typical attack. I want to say
someone/some_group is creating, has created or something is evolving. On
the flip side, "from the rumor mill," someone told me that all the
offending hosts seemed to be running an ftp server primarily on OpenBSD
based machines. It is rumored that 5 machines out of 5 reverse-recon'd
were OpenBSD boxes.

Anyhow, if I had to parse together what I believe occurred is/was:
Someone either created or is in the process of creating some form of C&C
targeting IP PBXs which use SIP for registrations. Judging by the
volume, the extensions/usernames targeted and the sources of the attack,
they likely did some form of "parallel incrementing" recon and
registration attempts (bruteforcing): "China you start with these
extensions, Russia with these, Brazil with those and if someone gets
blocked, then Poland pick it up, etc., etc." Who knows. What I DO KNOW
is they're constantly fiddling with international numbers almost often
to the same numbers. Even when they fail, they'll still come back a week
or two later and try some new and (un)improved insertions to try and
make calls. I DO KNOW factually, these endpoint numbers are in some
shape, form or fashion under their control.

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
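A detector for the pattern the thread describes, added here as an example and not code from the original post or its authors: it parses Asterisk chan_sip "Registration ... failed" NOTICE lines (the log format is assumed from chan_sip of that era, the sample lines are constructed, and the attempt and rate thresholds are assumptions), rates each source, records which extensions the failure reason confirms as real (the 403-vs-401 distinction the thread mentions), and tests whether the flagged sources are each working a disjoint extension range, the "parallel incrementing" split the post suspects.

```python
import re
from collections import defaultdict

# Constructed sample Asterisk chan_sip NOTICE lines (not taken from the post); the two
# busy source IPs are the ones quoted in the thread, the extensions are made up.
SAMPLE_LOG = """\
[Nov  1 12:00:00] NOTICE[3120] chan_sip.c: Registration from '"1000" <sip:1000@pbx.example.net>' failed for '125.162.94.57:5060' - No matching peer found
[Nov  1 12:00:00] NOTICE[3120] chan_sip.c: Registration from '"1001" <sip:1001@pbx.example.net>' failed for '125.162.94.57:5060' - Wrong password
[Nov  1 12:00:01] NOTICE[3120] chan_sip.c: Registration from '"1002" <sip:1002@pbx.example.net>' failed for '125.162.94.57:5060' - No matching peer found
[Nov  1 12:00:01] NOTICE[3120] chan_sip.c: Registration from '"2000" <sip:2000@pbx.example.net>' failed for '110.137.65.131:5060' - No matching peer found
[Nov  1 12:00:02] NOTICE[3120] chan_sip.c: Registration from '"2001" <sip:2001@pbx.example.net>' failed for '110.137.65.131:5060' - Wrong password
[Nov  1 12:00:02] NOTICE[3120] chan_sip.c: Registration from '"2002" <sip:2002@pbx.example.net>' failed for '110.137.65.131:5060' - No matching peer found
[Nov  1 12:05:00] NOTICE[3120] chan_sip.c: Registration from '"1001" <sip:1001@pbx.example.net>' failed for '192.0.2.10:5060' - Wrong password
"""

# Captures wall-clock time, SIP user part, source IP (port optional) and failure reason.
LINE_RE = re.compile(r"\[\w{3}\s+\d+ (\d\d):(\d\d):(\d\d)\].*Registration from "
                     r"'(?:\"[^\"]*\" )?<sip:([^@>]+)@[^>]*>' failed for '([\d.]+)(?::\d+)?' - (.+)$")

def parse(log):
    """Yield (seconds since midnight, source ip, extension, reason) per failed REGISTER."""
    for m in filter(None, map(LINE_RE.search, log.splitlines())):
        hh, mm, ss, ext, ip, reason = m.groups()
        yield int(hh) * 3600 + int(mm) * 60 + int(ss), ip, ext, reason

def profile_sources(log, min_attempts=3, min_rate=1.0):
    """Per source: attempts, rate, extensions probed, and which of them the scanner learned
    exist ('Wrong password' confirms the account; 'No matching peer found' is the miss)."""
    acc = defaultdict(lambda: {"n": 0, "t": [], "exts": set(), "valid": set()})
    for t, ip, ext, reason in parse(log):
        s = acc[ip]
        s["n"] += 1
        s["t"].append(t)
        s["exts"].add(ext)
        if reason.startswith("Wrong password"):
            s["valid"].add(ext)
    report = {}
    for ip, s in acc.items():
        rate = s["n"] / max(max(s["t"]) - min(s["t"]), 1)  # attempts per second, 1 s floor
        nums = [int(e) for e in s["exts"] if e.isdigit()]
        report[ip] = {"attempts": s["n"], "rate_per_s": rate, "extensions_probed": len(s["exts"]),
                      "valid_extensions_learned": sorted(s["valid"]),
                      "ext_range": (min(nums), max(nums)) if nums else None,
                      "flag": s["n"] >= min_attempts and rate >= min_rate}  # thresholds are assumptions
    return report

def partitioned_scan(report):
    """True when flagged sources each work a disjoint extension range (the split the post suspects)."""
    ranges = sorted(r["ext_range"] for r in report.values() if r["flag"] and r["ext_range"])
    return len(ranges) > 1 and all(a[1] < b[0] for a, b in zip(ranges, ranges[1:]))
```

Run it over a real /var/log/asterisk/messages instead of SAMPLE_LOG to get the same per-source report; the single late "Wrong password" from 192.0.2.10 stays unflagged, which is the legitimate-user mistyping case a rate rule has to tolerate.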
