[VoiceOps] VoIP Abuse Project Followups

J. Oquendo sil at infiltrated.net
Sun Sep 26 14:58:28 EDT 2010


Hey all, thanks to everyone who's mailed me both on and off-list in regards to the VoIP Abuse Project.

Before things spiral out of control, I decided to make things a bit more detailed and easier to access as well as adding all addresses of attackers, not only ARIN addressing.

There are seven sections which I will try to keep as current as possible:

Addresses:		These are the IP addresses of bruteforcing hosts
Netblocks:		These are the netblocks of attacking hosts
Numbers Called:		These are the numbers called by attackers from my honeypots
E-mails Sent:		These are the e-mails sent to abuse desks
Responses Received:	These are the responses (if any) received in response to my e-mails
Attack logs:		These are the logs of attacks	
Defensive suggestions:	IPF/IPTables/PF based script for Asterisk PBXs
Submissions Removals: 	Information on submissions and removals


Any recommendations and/or feedback are greatly appreciated. I believe the "Numbers called" section would interest investigators in determining the potential identification of an attacker. This is based upon one and a half years of monitoring, correlating and studying attack patterns. The page is self-explanatory on my theories.

For admins and engineers under attack, the defensive suggestions may assist in minimizing attacks. And finally, "A Simple Asterisk Based Toll Fraud Prevention Script" (http://www.infiltrated.net/asterisk-ips.html). This document led to the framework of a honeypot I created and maintain across numerous managed, public-facing, Asterisk PBX servers. For admins, owners and engineers on the list, see removals:

Lest I forget to give thanks to those in the industry who've given me ideas and inspiration to pursue this hobby/project: Mark Collier, David Endler (they wrote the book on Hacking VoIP which is a definite must read not only for pentesters, but for admins and engineers), Sandro Gauci for always taking the time to respond to some of my ramblings. David Hiers and the rest of the Voice-Ops list for tolerating me. Shawn Merdinger, Dan York and the rest of the VoIPSA list for tolerating my ramblings.

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E


