[VoiceOps] Strange register attack

Leandro Dardini ldardini at gmail.com
Fri Nov 26 03:08:34 EST 2010


Hello,
I run a little IP PBX on Linux in my home with a public IP on a cheap DSL
line and often I see this kind of "attack". After having fail2ban block them
at the firewall level, they still use several KB/s of my slow Internet
connection and this is really upsetting me.

I end up writing to the abuse department of the provider hosting the server and
after one or two days, the flow stops. If you have only a few hosts sending
probes, make them stop, the world will be a better place...

For now I have dealt with hosting from Europe and the US, never found someone
from China... maybe they don't have an abuse@ email address.

I never had to set up a "fight back" strategy, but I think it will be acceptable
to overflow the host sending probes with hundreds of megabits of UDP packets
(with a clear payload).

Leandro

2010/11/26 Peter Childs <PChilds at internode.com.au>

>
> sql> select count(ua) from sip_trace where ua = 'friendly-scanner';
> COUNT(UA): 22330
>
> We get thousands of these scans from all over the joint all the time.
>
> That is in the last 8 hours...
>
> sql> select count(fromip), fromip from sip_trace where ua = 'friendly-scanner' group by fromip;
> COUNT(FROMIP): 3
> FROMIP       : 124.195.52.250
>
> COUNT(FROMIP): 1
> FROMIP       : 124.254.44.172
>
> COUNT(FROMIP): 13127
> FROMIP       : 202.101.187.66
>
> COUNT(FROMIP): 9199
> FROMIP       : 74.218.78.29
> (4 rows, 10201 ms)
>
>
> I occasionally have discussions with others about
> http://tools.ietf.org/html/rfc5635 using some thresholds to block some of
> these at the border, with the problem being that one day someone will use
> some cloud platform and we will take out something we shouldn't.
>
> The ACME SBCs we use seem to eat this stuff up ok, but some of the issues
> we encounter:
>        1. Customers with SIP CPE where a high volume of SIP trash causes the CPE to lock
>        2. Customers running Asterisk implementations getting cracked and owned
>
> Cheers,
>   Peter
>
> On 26/11/2010, at 1:32 PM, Colin wrote:
>
> > Tonight I'm seeing hundreds of register attempts per second to one of my
> > SBCs from an IP in China, 61.142.250.96.
> >
> > The From: and To: line is always one of these 2 below.
> >
> > "118" <sip:118 at my SBC IP>;      source port 5063
> > "qwerty" <sip:qwerty at my SBC IP>;  source port 5067
> >
> > The User-Agent is always: friendly-scanner.
> >
> > Looks like the sipvicious default user agent. Anyone seen a register flood
> > like this before?
> >
> > Colin
> >
> > _______________________________________________
> > VoiceOps mailing list
> > VoiceOps at voiceops.org
> > https://puck.nether.net/mailman/listinfo/voiceops
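The triage Peter does in SQL and the REGISTER flood Colin describes, as an added example that is not code from anyone in the thread: it parses constructed SIP REGISTER captures (RFC 5737 documentation addresses, not the IPs quoted above), counts the sipvicious default User-Agent per source like the sip_trace query, tracks the bytes each source still pushes down the link, and flags sources registering at the rate Colin reports. The sample messages, the 100 REGISTERs/second threshold and the RFC 5737 addresses are assumptions.

```python
import re
from collections import defaultdict

SCANNER_UA = "friendly-scanner"  # sipvicious default User-Agent named in the thread
FLOOD_RATE = 100                  # REGISTERs/second; Colin saw "hundreds per second" (assumed cut-off)

def make_register(user, host, ua=SCANNER_UA):
    """Minimal REGISTER request (constructed sample, not a real capture)."""
    return (f"REGISTER sip:{host} SIP/2.0\r\n"
            f'From: "{user}" <sip:{user}@{host}>;tag=c0n\r\n'
            f'To: "{user}" <sip:{user}@{host}>\r\n'
            f"User-Agent: {ua}\r\nContent-Length: 0\r\n\r\n")

# Constructed captures: (unix_time, src_ip, src_port, raw request); RFC 5737 test addresses.
SAMPLE = [(1290758400 + i / 300, "192.0.2.10", (5063, 5067)[i % 2],
           make_register(("118", "qwerty")[i % 2], "198.51.100.1")) for i in range(300)]
SAMPLE += [(1290758401.5, "198.51.100.7", 5060, make_register("alice", "198.51.100.1", "Linphone/3.3.2")),
           (1290758402.0, "203.0.113.5", 5060, make_register("100", "198.51.100.1"))]

def parse_sip(raw):
    """Return method, From user and User-Agent of a SIP request (header names are case-insensitive)."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    headers = dict((n.strip().lower(), v.strip()) for n, _, v in (l.partition(":") for l in lines[1:]))
    m = re.search(r"sip:([^@>;]+)@", headers.get("from", ""))
    return {"method": lines[0].split(" ", 1)[0], "from_user": m.group(1) if m else None,
            "user_agent": headers.get("user-agent", "")}

def summarize(captures):
    """Per source IP: REGISTERs, scanner-UA hits, bytes received, users tried, timestamps seen."""
    stats = defaultdict(lambda: {"register": 0, "scanner": 0, "bytes": 0,
                                 "users": set(), "times": []})
    for ts, ip, _port, raw in captures:
        msg, s = parse_sip(raw), stats[ip]
        s["bytes"] += len(raw.encode())          # still consumes the link even when the firewall drops it
        s["register"] += msg["method"] == "REGISTER"
        s["scanner"] += msg["user_agent"].lower() == SCANNER_UA
        s["users"].add(msg["from_user"])
        s["times"].append(ts)
    return stats

def flag_sources(captures, rate=FLOOD_RATE):
    """Sorted (ip, reason) pairs: a REGISTER flood is urgent, the scanner UA alone is worth an abuse report."""
    flags = []
    for ip, s in summarize(captures).items():
        span = max(max(s["times"]) - min(s["times"]), 1.0)   # floor of 1 s so a single probe is not a "flood"
        if s["register"] / span >= rate:
            flags.append((ip, "register-flood"))
        elif s["scanner"]:
            flags.append((ip, "scanner-ua"))
    return sorted(flags)
```

Feeding real captures in means replacing SAMPLE with tuples pulled from your SIP trace; the per-source byte total is the number to quote in the abuse report when the flow keeps coming after the block.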