Geekzone: technology news, blogs, forums
266 posts

Ultimate Geek
+1 received by user: 26


  Reply # 1079113 3-Jul-2014 09:01

Can you install iftop on the box? It may help you see what is generating the traffic.


http://www.ex-parrot.com/pdw/iftop/



650 posts

Ultimate Geek
+1 received by user: 10


  Reply # 1079123 3-Jul-2014 09:07

I can try.

I had 17Mb of traffic on my fusion account overnight even though I have disabled the truenet probe ( no checking ) so have no idea of what is consuming traffic.

But it has changed.  Before it was upload = 1/2 the downloads, and today, upload = 10x downloads.




25664 posts

Uber Geek
+1 received by user: 5412

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 1079129 3-Jul-2014 09:13

What other ports are open? 10x sounds like a DNS or NTP amplification attack.





650 posts

Ultimate Geek
+1 received by user: 10


  Reply # 1079199 3-Jul-2014 10:20



I ran iftop and got the above ... that 62.210.187.134 is in my iptables as being blocked so not sure why it is still showing traffic.

I don't recall as having opened any other ports apart from 5060 but could try an external port probe to see what's open.



266 posts

Ultimate Geek
+1 received by user: 26


  Reply # 1079201 3-Jul-2014 10:25

Now try a tcpdump for that host only and see if you can decipher what the traffic is

tcpdump -i eth0 -nnnvvvSs 0 host 62.210.187.134



650 posts

Ultimate Geek
+1 received by user: 10


  Reply # 1079208 3-Jul-2014 10:34

Will try that now.

It has been suggested to me that part of my outgoing traffic use is repeated playing of the 'ss-noservice.gsm' message to anonymous SIP calls.

266 posts

Ultimate Geek
+1 received by user: 26


  Reply # 1079214 3-Jul-2014 10:42

Does that mean that you are playing an IVR? That would actually explain the upload data only.

EDIT: Yeah, I found that file online and listened to it. It's an IVR saying "the number you had dialed is not in service, please check the number and try again".
If possible, I'd rather change that behavior to sending your SIP gateway a SIP message like "404 Not Found" and let them play the IVR to the far end instead.



650 posts

Ultimate Geek
+1 received by user: 10


  Reply # 1079231 3-Jul-2014 10:48

10:34:54.808523 IP (tos 0x60, ttl 64, id 20697, offset 0, flags [none], proto UDP (17), length 849)
192.168.1.180.5060 > 62.210.187.134.5080: [bad udp cksum 353!] SIP, length: 821
SIP/2.0 200 OK
Via: SIP/2.0/UDP 62.210.187.134:5080;branch=z9hG4bK-f5aed191fbc505051c48f6f184923a21;received=62.210.187.134;rport=5080
From: 10001<sip:10001@58.28.152.22>;tag=25a31a60
To: 9060972595561294<sip:9060972595561294@58.28.152.22>;tag=as1a8156c8
Call-ID: f5aed191fbc505051c48f6f184923a21
CSeq: 1 INVITE
Server: FPBX-2.9.0(1.8.8.0)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Contact: <sip:9060972595561294@58.28.152.22:5060>
Content-Type: application/sdp
Content-Length: 258

v=0
o=root 214277164 214277164 IN IP4 58.28.152.22
s=Asterisk PBX 1.8.8.0
c=IN IP4 58.28.152.22
t=0 0
m=audio 11404 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=sendrecv

That's a sample of what I get from tcpdump



650 posts

Ultimate Geek
+1 received by user: 10


  Reply # 1079235 3-Jul-2014 10:52

From: 10001<sip:10001@58.28.152.22>;tag=25a31a60
To: 9060972595561294<sip:9060972595561294@58.28.152.22>;tag=as1a8156c8

So, I don't understand why I see a WXC IP in this anonymous SIP call from France or wherever?
Or am I reading this all wrong?



266 posts

Ultimate Geek
+1 received by user: 26


  Reply # 1079237 3-Jul-2014 10:56

That is your external IP. These calls are not being handled by the WXC SIP gateway (pan.wxnz.net) and are being placed directly to your Asterisk box, which is playing back the .gsm audio file.

So I would go back to step 1: try and block access to your PBX from all IP addresses other than the SIP gateway, so that they cannot place these calls directly to your PBX.



650 posts

Ultimate Geek
+1 received by user: 10


  Reply # 1079238 3-Jul-2014 10:57

Here's the first message from tcpdump:

10:38:59.926315 IP (tos 0x0, ttl 111, id 29952, offset 0, flags [none], proto UDP (17), length 795)
62.210.187.134.5070 > 192.168.1.180.5060: [udp sum ok] SIP, length: 767
INVITE sip:90060972595561294@58.28.152.22 SIP/2.0
To: 90060972595561294<sip:90060972595561294@58.28.152.22>
From: 10001<sip:10001@58.28.152.22>;tag=57da019d
Via: SIP/2.0/UDP 62.210.187.134:5070;branch=z9hG4bK-69ca466cab181a1529d61d41f5ac747f;rport
Call-ID: 69ca466cab181a1529d61d41f5ac747f
CSeq: 1 INVITE
Contact: <sip:10001@62.210.187.134:5070>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Content-Length: 284

v=0
o=sipcli-Session 1617787993 291094220 IN IP4 62.210.187.134
s=sipcli
c=IN IP4 62.210.187.134
t=0 0
m=audio 5072 RTP/AVP 18 0 8 101
a=fmtp:101 0-15
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=ptime:20
a=sendrecv
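The INVITE above arrives straight from 62.210.187.134 (User-Agent sipcli/v1.8) and the 200 OK a few replies up goes straight back to it, so the calls never touch the provider's gateway. As an added example, not code from the thread: a POSIX shell script that walks the text output of the tcpdump command suggested earlier (plus `-l` for line buffering and a `udp port 5060` filter), lists the sending host and User-Agent of every INVITE, and keeps only those that did not come from a trusted peer. The embedded capture is constructed from the two packets posted in the thread, trimmed to the header lines the script reads; the trusted address 203.0.113.10 is a placeholder for the provider gateway, which the thread names only as pan.wxnz.net.

```shell
#!/bin/sh
# Added example, not from the thread: pick out SIP INVITEs in tcpdump text output
# and report which hosts sent them, so scanner traffic can be told apart from the
# provider gateway. Feed it:  tcpdump -i eth0 -nn -vvv -s 0 -l udp port 5060

# Constructed sample built from the two packets posted in the thread (the
# scanner's INVITE and the PBX's 200 OK back to it), header lines only.
SAMPLE_CAPTURE='10:38:59.926315 IP (tos 0x0, ttl 111, id 29952, offset 0, flags [none], proto UDP (17), length 795)
    62.210.187.134.5070 > 192.168.1.180.5060: [udp sum ok] SIP, length: 767
    INVITE sip:90060972595561294@58.28.152.22 SIP/2.0
    To: 90060972595561294<sip:90060972595561294@58.28.152.22>
    From: 10001<sip:10001@58.28.152.22>;tag=57da019d
    Via: SIP/2.0/UDP 62.210.187.134:5070;branch=z9hG4bK-69ca466cab181a1529d61d41f5ac747f;rport
    User-Agent: sipcli/v1.8
    Content-Type: application/sdp

10:34:54.808523 IP (tos 0x60, ttl 64, id 20697, offset 0, flags [none], proto UDP (17), length 849)
    192.168.1.180.5060 > 62.210.187.134.5080: [bad udp cksum 353!] SIP, length: 821
    SIP/2.0 200 OK
    Via: SIP/2.0/UDP 62.210.187.134:5080;branch=z9hG4bK-f5aed191fbc505051c48f6f184923a21;received=62.210.187.134;rport=5080
    Server: FPBX-2.9.0(1.8.8.0)
'

# Print "<source-ip> <user-agent>" for every INVITE in the capture text.
# The source comes from the IP header line ("a.b.c.d.port > ...") that
# precedes each SIP message, not from Via, which the sender controls.
# An INVITE with no User-Agent header is still reported once its headers end.
sip_invite_sources() {
  awk '
    $2 == ">" {                        # packet line: src.port > dst.port: ...
      split($1, a, ".")
      src = a[1] "." a[2] "." a[3] "." a[4]
      invite = 0
    }
    $1 == "INVITE"                { invite = 1 }
    invite && $1 == "User-Agent:" { print src, $2; invite = 0 }
    invite && NF == 0             { print src, "(no User-Agent)"; invite = 0 }
  '
}

# Drop lines whose source is in the trusted list (exact addresses, space
# separated); what remains are INVITEs that bypassed the provider gateway.
untrusted_invites() {
  trusted=" $1 "
  while read -r src ua; do
    case "$trusted" in
      *" $src "*) ;;                   # known peer, ignore
      *) echo "$src $ua" ;;
    esac
  done
}

# Placeholder for the provider gateway (pan.wxnz.net in the thread); resolve
# the real name first, for example with:  getent ahosts pan.wxnz.net
TRUSTED_SIP_PEERS="203.0.113.10"

printf '%s\n' "$SAMPLE_CAPTURE" | sip_invite_sources | untrusted_invites "$TRUSTED_SIP_PEERS"
```

On the sample this prints `62.210.187.134 sipcli/v1.8`. Two caveats when using it live: tcpdump and iftop capture at the interface, before the netfilter INPUT chain, so an inbound packet that a DROP rule discards still shows up in both; what proves the rule is not taking effect in this thread is the 200 OK leaving the box, not the inbound INVITEs. And the Via host is whatever the scanner wrote, so match on the IP header as the script does.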



650 posts

Ultimate Geek
+1 received by user: 10


  Reply # 1079241 3-Jul-2014 11:01

Ok, so I need to prevent this traffic at the ADSL modem/router level so it doesn't reach the Asterisk box.

Blocking the address at iptables for whatever reason is not working.




650 posts

Ultimate Geek
+1 received by user: 10


  Reply # 1079261 3-Jul-2014 11:26

Do NZ ISPs block traffic from malicious addresses as they used to do in the past?

http://www.blocklist.de/en/view.html?ip=62.210.187.134

266 posts

Ultimate Geek
+1 received by user: 26


  Reply # 1079304 3-Jul-2014 12:29

I don't think that's going to solve the issue, you'll have the same problem next time with another IP address.
Have a look at the webinar posted in this thread as it may give you some extra ideas :)

http://www.geekzone.co.nz/forums.asp?forumid=65&topicid=65912


Also, according to this page, fail2ban isn't that reliable for Asterisk:

http://forums.asterisk.org/viewtopic.php?p=159984



650 posts

Ultimate Geek
+1 received by user: 10


  Reply # 1079325 3-Jul-2014 13:20

I found this in my iptables

28 ACCEPT udp -- anywhere anywhere udp dpts:commplex-main:qcp

which I thought I removed last night, but it's back again. So, I've removed it again and saved iptables.
I've added explicit ACCEPTs for my VOIP providers, lan and vpn addresses.
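The fix the replies converge on is an allowlist: only the provider's SIP gateway, the LAN and the VPN may reach udp/5060, everything else is dropped, and the ACCEPT that kept coming back is exactly the kind of rule that defeats a DROP placed below it, because iptables takes the first matching rule. As an added example, not from the thread: a POSIX shell script that prints that allowlist as ordered iptables commands, and a second function that reads `iptables -S INPUT` output and reports any source-unrestricted ACCEPT covering the SIP port that is evaluated before the DROP. The addresses are assumptions (203.0.113.10 stands in for pan.wxnz.net, 192.168.1.0/24 for the LAN, 10.8.0.0/24 for the VPN) and the sample chain is constructed; the 5000:5100 range in it is chosen for illustration, not read from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: build the SIP allowlist the replies
# recommend as an ordered set of iptables rules, and check an existing INPUT
# chain for an ACCEPT that sits above the DROP and would silently override it.
# Assumed values: Asterisk listens on udp/5060 only; 203.0.113.10 stands in
# for the provider gateway (pan.wxnz.net), 192.168.1.0/24 for the LAN and
# 10.8.0.0/24 for the VPN. None of these addresses come from the thread.

SIP_PORT=5060
TRUSTED_SIP_PEERS="203.0.113.10 192.168.1.0/24 10.8.0.0/24"

# Print (do not run) the commands in chain order: one ACCEPT per trusted
# source, then a DROP for everyone else on the SIP port. Positions are given
# explicitly (-I INPUT n) so the rules land above any pre-existing ACCEPT.
sip_allowlist_rules() {
  port=$1; shift
  pos=1
  for peer in "$@"; do
    echo "iptables -I INPUT $pos -p udp --dport $port -s $peer -j ACCEPT"
    pos=$((pos + 1))
  done
  echo "iptables -I INPUT $pos -p udp --dport $port -j DROP"
}

# Read 'iptables -S INPUT' on stdin and print every udp ACCEPT that has no
# source restriction, covers the SIP port (single port, lo:hi range or
# multiport list) and comes before the first DROP that covers the port.
# Any hit is a rule that wins before the DROP is ever consulted.
shadowing_accepts() {
  awk -v port="$1" '
    function covers(p,   i, n, k, parts, r, lo, hi) {
      for (i = 1; i < NF; i++) {
        if ($i != "--dport" && $i != "--dports") continue
        n = split($(i + 1), parts, ",")
        for (k = 1; k <= n; k++) {
          if (index(parts[k], ":")) { split(parts[k], r, ":"); lo = r[1] + 0; hi = r[2] + 0 }
          else { lo = parts[k] + 0; hi = lo }
          if (lo <= p && p <= hi) return 1
        }
      }
      return 0
    }
    BEGIN { port = port + 0 }
    $1 == "-A" && $2 == "INPUT" && / -p udp / && / -j DROP/ && covers(port) { exit }
    $1 == "-A" && $2 == "INPUT" && / -p udp / && !/ -s / && / -j ACCEPT/ && covers(port) { print }
  '
}

# Constructed sample of an INPUT chain in the state the thread describes:
# a port-range ACCEPT (range chosen for illustration) above the per-host DROP,
# so packets from the blocked host are accepted before the DROP is reached.
SAMPLE_INPUT_CHAIN='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 5000:5100 -j ACCEPT
-A INPUT -s 62.210.187.134/32 -j DROP
-A INPUT -p udp -m udp --dport 5060 -j DROP'

sip_allowlist_rules "$SIP_PORT" $TRUSTED_SIP_PEERS
printf '%s\n' "$SAMPLE_INPUT_CHAIN" | shadowing_accepts "$SIP_PORT"
```

Resolve the gateway name to its address(es) before running the printed commands as root (if it resolves to several, each needs its own ACCEPT), then confirm with `iptables -S INPUT` or `iptables -L INPUT -n --line-numbers` that the ACCEPTs sit directly above the DROP and nothing broader remains above them. A rule that reappears after being deleted and saved means something else on the box is rewriting the chain, and `iptables -S INPUT` after a reboot shows what is actually loaded. On the Asterisk side, `allowguest=no` in the [general] section of sip.conf makes chan_sip refuse anonymous (guest) calls, so an INVITE that still gets through the firewall is rejected instead of answered with the announcement; that setting is an addition here, not advice from the thread.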




