[ale] SIP attack

Paul Cartwright ale at pcartwright.com
Thu Oct 14 19:05:16 EDT 2010


On Thu October 14 2010, Chuck Payne wrote:
> Can you give me the ip's so I can block them on my firewall. Thanks.


from the fedora list:
> I don't see why you would want to attack a VoIP client. Maybe the dark
> side knows something I don't. Recently I have seen an increase in brute
> force register attacks from Chinese networks. But that was on Asterisk
> servers. I had to block the following networks from which most attacks
> originated:
>
> 60.0.0.0/255.248.0.0
> 60.8.0.0/255.254.0.0
> 60.10.0.0/255.255.0.0
>
> Most other attacks came from the US, France and Brazil.
>
> Installing fail2ban may help where a single IP tries to brute force
> itself into a SIP server. But that does not apply to a VoIP client.
>
> Would you mind sharing which networks your attacks came from?
>

I hesitate to answer, but will.

The people who own 67.222.1.124 and 184.106.213.202
were very cooperative and interested.

The Chinese IP address was 218.14.146.200.
I could connect to 218.14.146.200 port 80 and saw
what I thought was a Chinese job website... I don't know Chinese.
I apologize if the website is not Chinese.

The attack packets had a user agent name of friendly-scanner.

I assumed it was a version of something found at
http://blog.sipvicious.org/

I assume it was looking for an Asterisk server.

Unfortunately, my twinkle client decided to reply.
I tried looking for a twinkle configuration option to tell twinkle to
just ignore REGISTER requests, to no avail.

A snippet of the twinkle log looked like the following:


+++ 12-10-2010 09:12:24.764991 INFO SIP ::process_sip_msg
Received from: udp:67.222.1.124:5092
REGISTER sip:24.111.191.152 SIP/2.0
Via: SIP/2.0/UDP 67.222.1.124:5092;branch=z9hG4bK-1019189801;rport
Content-Length: 0
From: "2299812582" <sip:2299812582 at 24.111.191.152>
Accept: application/sdp
User-Agent: friendly-scanner
To: "2299812582" <sip:2299812582 at 24.111.191.152>
Contact: sip:123 at 1.1.1.1
CSeq: 1 REGISTER
Call-ID: 1066778109
Max-Forwards: 70


---

+++ 12-10-2010 09:12:24.769299 INFO SIP ::send_sip_udp
Send to: udp:218.14.146.200:5069
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP
127.0.0.1:5069;received=218.14.146.200;rport=5069;branch=z9hG4bK-1124511546
To: "3096784503" <sip:3096784503 at 24.111.191.152>;tag=gusmt
From: "3096784503" <sip:3096784503 at 24.111.191.152>
Call-ID: 497952175
CSeq: 1 REGISTER
Server: Twinkle/1.4.2
Content-Length: 0


---

+++ 12-10-2010 09:12:24.770028 INFO SIP ::send_sip_udp
Send to: udp:218.14.146.200:5069
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP
127.0.0.1:5069;received=218.14.146.200;rport=5069;branch=z9hG4bK-404923090
To: "3096784503" <sip:3096784503 at 24.111.191.152>;tag=yrkuk
From: "3096784503" <sip:3096784503 at 24.111.191.152>
Call-ID: 1619872740
CSeq: 1 REGISTER
Server: Twinkle/1.4.2
Content-Length: 0


---

+++ 12-10-2010 09:12:24.770475 INFO SIP ::process_sip_msg
Received from: udp:67.222.1.124:5092
REGISTER sip:24.111.191.152 SIP/2.0
Via: SIP/2.0/UDP 67.222.1.124:5092;branch=z9hG4bK-4261809208;rport
Content-Length: 0
From: "2299812582" <sip:2299812582 at 24.111.191.152>
Accept: application/sdp
User-Agent: friendly-scanner
To: "2299812582" <sip:2299812582 at 24.111.191.152>
Contact: sip:123 at 1.1.1.1
CSeq: 1 REGISTER
Call-ID: 2728516634
Max-Forwards: 70


---

+++ 12-10-2010 09:12:24.771846 INFO SIP ::process_sip_msg
Received from: udp:218.14.146.200:5069
REGISTER sip:24.111.191.152 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-2590771448;rport
Content-Length: 0
From: "3096784503" <sip:3096784503 at 24.111.191.152>
Accept: application/sdp
User-Agent: friendly-scanner
To: "3096784503" <sip:3096784503 at 24.111.191.152>
Contact: sip:123 at 1.1.1.1
CSeq: 1 REGISTER
Call-ID: 3719869292
Max-Forwards: 70


-- 
Paul Cartwright
Registered Linux user # 367800
Registered Ubuntu User #12459
http://usdebtclock.org/
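As an added example (not from the original post, and not Twinkle's own code), here is a small Python parser for the Twinkle log layout shown above that flags per-source REGISTER scans, in the spirit of the fail2ban suggestion quoted earlier. The sample log, the RFC 5737 addresses and the list of scanner User-Agent strings are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
# Constructed sample in the layout of the Twinkle log quoted above (RFC 5737 addresses).
SAMPLE_LOG = """\
+++ 12-10-2010 09:12:24.764991 INFO SIP ::process_sip_msg
Received from: udp:192.0.2.10:5092
REGISTER sip:198.51.100.7 SIP/2.0
User-Agent: friendly-scanner

---

+++ 12-10-2010 09:12:24.770475 INFO SIP ::process_sip_msg
Received from: udp:192.0.2.10:5092
REGISTER sip:198.51.100.7 SIP/2.0
User-Agent: friendly-scanner

---

+++ 12-10-2010 09:12:30.000000 INFO SIP ::process_sip_msg
Received from: udp:203.0.113.5:5060
INVITE sip:100@198.51.100.7 SIP/2.0
User-Agent: Twinkle/1.4.2
"""

SCANNER_AGENTS = ("friendly-scanner", "sipvicious")  # assumed scanner User-Agent prefixes

def parse_entries(text):
    """One dict per '+++' block: direction, peer IP, start line, headers."""
    entries = []
    for chunk in re.split(r"\n---\n", text):
        lines = [l for l in chunk.strip().splitlines() if l.strip()]
        m = len(lines) >= 3 and re.match(r"(Received from|Send to): udp:([\d.]+):\d+", lines[1])
        if not m or not lines[0].startswith("+++"):
            continue
        headers = {k.strip().lower(): v.strip() for k, sep, v in
                   (h.partition(":") for h in lines[3:]) if sep}
        entries.append({"inbound": m.group(1) == "Received from", "peer": m.group(2),
                        "start": lines[2], "headers": headers})
    return entries

def flag_register_scans(text, threshold=3):
    """Sources whose inbound REGISTERs look like a scan (known scanner User-Agent
    or >= threshold attempts). Returns {ip: attempts}."""
    counts, agents = Counter(), defaultdict(set)
    for e in parse_entries(text):
        if e["inbound"] and e["start"].startswith("REGISTER "):
            counts[e["peer"]] += 1
            agents[e["peer"]].add(e["headers"].get("user-agent", "").lower())
    return {ip: n for ip, n in counts.items()
            if n >= threshold or any(a.startswith(SCANNER_AGENTS) for a in agents[ip])}
```

The returned addresses are what you would feed to a firewall rule or a fail2ban-style action; the INVITE from the second host is ignored because only inbound REGISTERs are counted.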