[VoiceOps] Strange register attack

Peter Childs PChilds at internode.com.au
Thu Nov 25 23:03:28 EST 2010


sql> select count(ua) from sip_trace where ua = 'friendly-scanner';    
COUNT(UA): 22330

We get thousands of these scans from all over the joint all the time.

That is in the last 8 hours...

sql> select count(fromip), fromip from sip_trace where ua = 'friendly-scanner' group by fromip;
COUNT(FROMIP): 3
FROMIP       : 124.195.52.250

COUNT(FROMIP): 1
FROMIP       : 124.254.44.172

COUNT(FROMIP): 13127
FROMIP       : 202.101.187.66

COUNT(FROMIP): 9199
FROMIP       : 74.218.78.29
(4 rows, 10201 ms)


I occasionally have discussions with others about http://tools.ietf.org/html/rfc5635 using some thresholds to block some of these at the border, with the problem being that one day someone will use some cloud platform and we will take out something we shouldn't.

The ACME SBCs we use seem to eat this stuff up OK, but some of the issues we encounter are:
	1. Customers with SIP CPE where a high volume of SIP trash causes the CPE to lock
	2. Customers running Asterisk implementations getting cracked and owned

Cheers,
  Peter

On 26/11/2010, at 1:32 PM, Colin wrote:

> Tonight I'm seeing hundreds of register attempts per second to one of my SBCs from an IP in China, 61.142.250.96.
> 
> The From: and To: line is always one of these 2 below.
> 
> "118" <sip:118 at my SBC IP>; source port 5063
> "qwerty" <sip:qwerty at my SBC IP>; source port 5067
> 
> The user-agent is always friendly-scanner.
> 
> Looks like the SIPVicious default user agent. Anyone seen a register flood like this before?
> 
> Colin
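
The threshold idea raised in the message above, as an added example that is not part of the original thread: it counts REGISTERs carrying the `friendly-scanner` user-agent per source in a sliding window and lists sources over the threshold, skipping an allowlist so that known-good networks are never proposed for blocking. The tuple layout, window, threshold, allowlist and sample rows are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

SCANNER_UA = "friendly-scanner"  # user-agent string reported in this thread


def blackhole_candidates(events, window_s=10, threshold=50, allowlist=()):
    """Return {src_ip: peak REGISTERs per window} for sources over threshold.

    events: time-ordered (epoch_seconds, src_ip, method, user_agent) tuples
            (hypothetical layout, e.g. rows exported from a SIP trace table).
    allowlist: CIDR strings that must never be proposed for blocking.
    """
    protected = [ipaddress.ip_network(n) for n in allowlist]
    recent = defaultdict(deque)  # src_ip -> timestamps still inside the window
    peak = defaultdict(int)      # src_ip -> highest in-window count seen
    for ts, src, method, ua in events:
        if method != "REGISTER" or ua != SCANNER_UA:
            continue
        q = recent[src]
        q.append(ts)
        while q[0] <= ts - window_s:  # drop timestamps older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    out = {}
    for src, n in peak.items():
        addr = ipaddress.ip_address(src)
        if n >= threshold and not any(addr in net for net in protected):
            out[src] = n
    return out


def sample_events():
    """Constructed trace rows using documentation addresses, not thread data."""
    ev = [(1000 + i / 100, "203.0.113.10", "REGISTER", SCANNER_UA) for i in range(300)]
    # Slow scanner: three hits spread over hours never reaches the threshold.
    ev += [(1000 + i * 9600, "198.51.100.7", "REGISTER", SCANNER_UA) for i in range(3)]
    # Burst from a protected range (e.g. a customer network); must not be listed.
    ev += [(1001 + i / 100, "192.0.2.50", "REGISTER", SCANNER_UA) for i in range(200)]
    # Busy but ordinary endpoint with a different user-agent; ignored.
    ev += [(1000 + i / 50, "192.0.2.99", "REGISTER", "ExamplePhone/1.0") for i in range(100)]
    return sorted(ev)


if __name__ == "__main__":
    print(blackhole_candidates(sample_events(), allowlist=["192.0.2.0/24"]))
```

The result is a candidate list for review; the user-agent is set by the sender, so the per-source rate is what carries the decision.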