Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
ForumsVoIPOn the receiving end of a brute force SIP attack

aw



273 posts

Ultimate Geek
+1 received by user: 7

Subscriber

Topic # 84766 7-Jun-2011 23:08
Send private message

I'm on the receiving end of a brute force SIP registration attack coming from 111.75.255.9, trying to log on to my Asterisk box with random extension numbers.

I've fixed my fail2ban but it's still coming in thick and fast despite now being blocked, and it's pushed my data usage up quite high, and is having a DoS effect. It's been going on all day.

Anyone else getting this? It's fierce.

edit: added details of the attack

Create new topic
3594 posts

Uber Geek
+1 received by user: 79

Trusted
WorldxChange

  Reply # 478820 8-Jun-2011 01:50
Send private message

This is actaully normal for a SIP attack, SIP Scans go on all the time so hence the reason to secure your box and to only respond to the SIP proxy you require , otherwise once they find you they will get trying.

These BOT's will have pre set scripts, once they get a SIP response from a insecure box they will go through through their pre programmed list and just keep trying unfortunatly    




Yes I am a employee of WxC (My Profile) ... but I do have my own opinions as well Wink

             

https://www.facebook.com/wxccommunications

26767 posts

Uber Geek
+1 received by user: 6247

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 478824 8-Jun-2011 07:04
Send private message

It's pretty common these days. Once the attack stats there isn't anything you can do to stop it until they give up.

IMHO fail2ban along with a good iptables firewall setup is an even more essential part of an Asterisk setup than phones themselves. Unless you have a very good reason to do so port 5060 should never be exposed to the internet, and if it is it should be locked down to the IP(s) of your VoIP provider. If you need remote endpoints on the internet there are plenty of ways of managing these such as via VPN that will reduce the security risks.

aw



273 posts

Ultimate Geek
+1 received by user: 7

Subscriber

  Reply # 478847 8-Jun-2011 09:13
Send private message

I use remote extensions, which is why I had this on. Just last week they all became iPhones so VPN has become an option, I'll investigate that.

fail2ban kicked in properly last night once I removed the typo in which log file it was scanning, but I'm still receiving 10-20 REGISTER packets per second, even now. It's ballooned my data usage (12GB where I would have otherwise used about 4), Phil can this offending IP (it's just been the one above) be blocked at the ISP level?

3594 posts

Uber Geek
+1 received by user: 79

Trusted
WorldxChange

  Reply # 478851 8-Jun-2011 09:23
Send private message

Will take a look




Yes I am a employee of WxC (My Profile) ... but I do have my own opinions as well Wink

             

https://www.facebook.com/wxccommunications

3594 posts

Uber Geek
+1 received by user: 79

Trusted
WorldxChange

  Reply # 478862 8-Jun-2011 09:42
Send private message

should be dead now




Yes I am a employee of WxC (My Profile) ... but I do have my own opinions as well Wink

             

https://www.facebook.com/wxccommunications

aw



273 posts

Ultimate Geek
+1 received by user: 7

Subscriber

  Reply # 478877 8-Jun-2011 10:13
Send private message

Thanks, just remoted in, the attack (with its DoS effect) looks to be successfully blocked.

I see it was affecting multiple Xnet customers:

http://www.ipillion.com/ip/111.75.255.9

858 posts

Ultimate Geek
+1 received by user: 53

Subscriber

  Reply # 478983 8-Jun-2011 15:14
Send private message

aw: I use remote extensions, which is why I had this on. Just last week they all became iPhones so VPN has become an option, I'll investigate that.


Use an IAX2 client if possible for software based remote extensions, that way you can keep SIP closed except between WXC and yourself.  If your using remote hard phones (or want to) look at something like Yealink SIP-T26P with openvpn support so can setup an openvpn server, have the phones connect to that, and from there to the private lan ip of the pbx.

If you must open SIP up to the outside world, then I would use something like a SIP Port knock (of sorts) rather clever ;)

21286 posts

Uber Geek
+1 received by user: 4291

Trusted
Subscriber

  Reply # 479962 11-Jun-2011 00:50
Send private message

Is there any way that a IP PBX could just do a port unreachable for any incoming SIP stuff that would fail instead of sending back a response?

If traffic wasnt so expensive it would be more fun to let them register and put the call recordings up on youtube to funny pictures like that crank phone guy, but I have a feeling that they would all be in some minority language that would make it not very fun.




Richard rich.ms

Infrastructure Geek
4056 posts

Uber Geek
+1 received by user: 195

Trusted
Microsoft NZ
Subscriber

  Reply # 480467 12-Jun-2011 23:25
Send private message

richms: Is there any way that a IP PBX could just do a port unreachable for any incoming SIP stuff that would fail instead of sending back a response?

If traffic wasnt so expensive it would be more fun to let them register and put the call recordings up on youtube to funny pictures like that crank phone guy, but I have a feeling that they would all be in some minority language that would make it not very fun.



many firewalls just seem to be 'black holes' for packets.  i.e. they accept but discard the packets so the sender never gets an ACK.


as for the phone calls, most of the hacks are from cheap phone calling card companies, or sip trunkers, so you'd just get a bunch of random regular calls in whatever language/country the plans are being sold in.




Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs

Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Intel introduces new NUC kits and NUC mini PCs
Posted 16-Aug-2018 11:03

The Warehouse leaps into the AI future with Google
Posted 15-Aug-2018 17:56

Targus set sights on enterprise and consumer growth in New Zealand
Posted 13-Aug-2018 13:47

Huawei to distribute nova 3i in New Zealand
Posted 9-Aug-2018 16:23

Home robot Vector to be available in New Zealand stores
Posted 9-Aug-2018 14:47

Panasonic announces new 2018 OLED TV line up
Posted 7-Aug-2018 16:38

Kordia completes first live 4K TV broadcast
Posted 1-Aug-2018 13:00

Schools get safer and smarter internet with Managed Network Upgrade
Posted 30-Jul-2018 20:01

DNC wants a safer .nz in the coming year
Posted 26-Jul-2018 16:08

Auldhouse becomes an AWS Authorised Training Delivery Partner in New Zealand
Posted 26-Jul-2018 15:55

Rakuten Kobo launches Kobo Clara HD entry level reader
Posted 26-Jul-2018 15:44

Kiwi team reaches semi-finals at the Microsoft Imagine Cup
Posted 26-Jul-2018 15:38

KidsCan App to Help Kiwi Children in Need
Posted 26-Jul-2018 15:32

FUJIFILM announces new high-performance lenses
Posted 24-Jul-2018 14:57

New FUJIFILM XF10 introduces square mode for Instagram sharing
Posted 24-Jul-2018 14:44


Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.