[VoiceOps] Strange register attack

Darren Schreiber d at d-man.org
Fri Nov 26 00:03:13 EST 2010


We've been suffering from this, too. The SIP headers are hacked and
completely bogus. They seem to be from only a few select IPs from us.

I'm about ready to abandon port 5060 :-)

- Darren


On 11/25/10 9:03 PM, "Peter Childs" <PChilds at internode.com.au> wrote:

>
>sql> select count(ua) from sip_trace where ua = 'friendly-scanner';
>COUNT(UA): 22330
>
>We get thousands of these scans from all over the joint all the time.
>
>That is in the last 8 hours...
>
>sql> select count(fromip), fromip from sip_trace where ua = 'friendly-scanner' group by fromip;
>COUNT(FROMIP): 3
>FROMIP       : 124.195.52.250
>
>COUNT(FROMIP): 1
>FROMIP       : 124.254.44.172
>
>COUNT(FROMIP): 13127
>FROMIP       : 202.101.187.66
>
>COUNT(FROMIP): 9199
>FROMIP       : 74.218.78.29
>(4 rows, 10201 ms)
>
>
>I occasionally have discussions with others about
>http://tools.ietf.org/html/rfc5635 using some thresholds to block some of
>these at the border, with the problem being that one day someone will use
>some cloud platform and we will take out something we shouldn't.
>
>The ACME SBCs we use seem to eat this stuff up ok, but some of the issues
>we encounter:
>    1. Customers with SIP CPE where a high volume of SIP trash causes the CPE to lock
>    2. Customers running Asterisk implementations getting cracked and owned
>
>Cheers,
>  Peter
>
>On 26/11/2010, at 1:32 PM, Colin wrote:
>
>> Tonight I'm seeing hundreds of register attempts per second to one of
>>my SBCs from an IP in China, 61.142.250.96.
>>
>> The From: and To: line is always one of these 2 below.
>>
>> "118" <sip:118 at my SBC IP>;    source port 5063
>> "qwerty" <sip:qwerty at my SBC IP>;  source port 5067
>>
>> user-agent: friendly-scanner is always.
>>
>> Looks like SIPVicious default user agent. Anyone seen a register flood
>>like this before?
>>
>> Colin
>>
>> _______________________________________________
>> VoiceOps mailing list
>> VoiceOps at voiceops.org
>> https://puck.nether.net/mailman/listinfo/voiceops
>
>
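
The per-source threshold idea raised in the thread, as an added example (not code from any poster): it counts REGISTERs per source IP in a sliding window and skips an allowlist, so known customer or peer ranges are not caught by the threshold. The trace line format, the thresholds, and every address (documentation ranges) are assumptions constructed for illustration.

```python
"""Constructed example: per-source REGISTER rate check with an allowlist."""
import ipaddress
from collections import defaultdict, deque

# Assumed values, not from the thread; tune them to your own traffic.
WINDOW_SECONDS = 10
MAX_REGISTERS_PER_WINDOW = 50
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]  # known customer/peer ranges

def parse_line(line):
    """Parse 'epoch src_ip method user-agent' (hypothetical trace export format)."""
    ts, src, method, ua = line.split(None, 3)
    return float(ts), ipaddress.ip_address(src), method.upper(), ua.strip()

def find_register_floods(lines, window=WINDOW_SECONDS, limit=MAX_REGISTERS_PER_WINDOW):
    """Return {source_ip: peak REGISTER count in a window}; input must be time-ordered."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    peaks = {}
    for line in lines:
        try:
            ts, src, method, _ua = parse_line(line)
        except ValueError:
            continue              # skip malformed rows instead of aborting the scan
        if method != "REGISTER" or any(src in net for net in ALLOWLIST):
            continue              # rate, not User-Agent, decides: the UA is sender-controlled
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) > limit:
            peaks[str(src)] = max(peaks.get(str(src), 0), len(q))
    return peaks

def build_sample():
    """Constructed trace: one flood, one allowlisted burst, one normal client."""
    rows = [f"{1000 + i * 0.01:.2f} 203.0.113.7 REGISTER friendly-scanner" for i in range(300)]
    rows += [f"{1000 + i * 0.01:.2f} 198.51.100.20 REGISTER ExamplePBX/1.0" for i in range(300)]
    rows += [f"{1000 + i * 60:.2f} 192.0.2.15 REGISTER ExamplePhone/2.1" for i in range(5)]
    rows.sort(key=lambda r: float(r.split()[0]))
    rows.append("garbage line")   # malformed row, must be ignored
    return rows

if __name__ == "__main__":
    for ip, peak in find_register_floods(build_sample()).items():
        print(f"{ip}: {peak} REGISTERs within {WINDOW_SECONDS}s")
```

The allowlisted source sends the same burst as the flagged one and is deliberately not reported, which is the trade-off behind the "take out something we shouldn't" concern.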



