Re: [OT] To people with VoIP SIP Clients (twinkle, etc), friendly-scanner DOS attack



On 10/14/2010 03:56 PM, Rick Sewill wrote:

On 10/14/2010 02:58 PM, Patrick Lists wrote:
On 10/14/2010 09:29 PM, Rick Sewill wrote:


This is off topic, but I thought I should tell people.

This past weekend, I suffered a DOS attack launched against VOIP SIP
Clients. The attack came, at different times, from 3 separate IP addresses.

I don't see why you would want to attack a VoIP client. Maybe the dark
side knows something I don't. Recently I have seen an increase in brute
force register attacks from Chinese networks. But that was on Asterisk
servers. I had to block the following networks from which most attacks
originated:

60.0.0.0/255.248.0.0
60.8.0.0/255.254.0.0
60.10.0.0/255.255.0.0

Most other attacks came from the US, France and Brazil.

Installing fail2ban may help where a single IP tries to brute force
itself into a SIP server. But that does not apply to a VoIP client.

Would you mind sharing which networks your attacks came from?

I hesitate to answer, but will.

The people who own 67.222.1.124 and 184.106.213.202
were very cooperative and interested.

The Chinese IP address was 218.14.146.200.
I could connect to 218.14.146.200 port 80 and saw what I thought was a
Chinese job website... I don't know Chinese.
I apologize if the website is not Chinese.

The attack packets had a user agent name of friendly-scanner.

I assumed it was a version of something found at
http://blog.sipvicious.org/

I assume it was looking for an asterisk server.

Unfortunately, my twinkle client decided to reply.
I tried looking for a twinkle configuration option to tell twinkle to
just ignore REGISTER requests, to no avail.

A snippet of the twinkle log looked like the following:


+++ 12-10-2010 09:12:24.764991 INFO SIP ::process_sip_msg
Received from: udp:67.222.1.124:5092
REGISTER sip:24.111.191.152 SIP/2.0
Via: SIP/2.0/UDP 67.222.1.124:5092;branch=z9hG4bK-1019189801;rport
Content-Length: 0
From: "2299812582"<sip:2299812582@xxxxxxxxxxxxxx>
Accept: application/sdp
User-Agent: friendly-scanner
To: "2299812582"<sip:2299812582@xxxxxxxxxxxxxx>
Contact: sip:123@xxxxxxx
CSeq: 1 REGISTER
Call-ID: 1066778109
Max-Forwards: 70


---

+++ 12-10-2010 09:12:24.769299 INFO SIP ::send_sip_udp
Send to: udp:218.14.146.200:5069
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP
127.0.0.1:5069;received=218.14.146.200;rport=5069;branch=z9hG4bK-1124511546
To: "3096784503"<sip:3096784503@xxxxxxxxxxxxxx>;tag=gusmt
From: "3096784503"<sip:3096784503@xxxxxxxxxxxxxx>
Call-ID: 497952175
CSeq: 1 REGISTER
Server: Twinkle/1.4.2
Content-Length: 0


---

+++ 12-10-2010 09:12:24.770028 INFO SIP ::send_sip_udp
Send to: udp:218.14.146.200:5069
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP
127.0.0.1:5069;received=218.14.146.200;rport=5069;branch=z9hG4bK-404923090
To: "3096784503"<sip:3096784503@xxxxxxxxxxxxxx>;tag=yrkuk
From: "3096784503"<sip:3096784503@xxxxxxxxxxxxxx>
Call-ID: 1619872740
CSeq: 1 REGISTER
Server: Twinkle/1.4.2
Content-Length: 0


---

+++ 12-10-2010 09:12:24.770475 INFO SIP ::process_sip_msg
Received from: udp:67.222.1.124:5092
REGISTER sip:24.111.191.152 SIP/2.0
Via: SIP/2.0/UDP 67.222.1.124:5092;branch=z9hG4bK-4261809208;rport
Content-Length: 0
From: "2299812582"<sip:2299812582@xxxxxxxxxxxxxx>
Accept: application/sdp
User-Agent: friendly-scanner
To: "2299812582"<sip:2299812582@xxxxxxxxxxxxxx>
Contact: sip:123@xxxxxxx
CSeq: 1 REGISTER
Call-ID: 2728516634
Max-Forwards: 70


---

+++ 12-10-2010 09:12:24.771846 INFO SIP ::process_sip_msg
Received from: udp:218.14.146.200:5069
REGISTER sip:24.111.191.152 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-2590771448;rport
Content-Length: 0
From: "3096784503"<sip:3096784503@xxxxxxxxxxxxxx>
Accept: application/sdp
User-Agent: friendly-scanner
To: "3096784503"<sip:3096784503@xxxxxxxxxxxxxx>
Contact: sip:123@xxxxxxx
CSeq: 1 REGISTER
Call-ID: 3719869292
Max-Forwards: 70


---
I have a Netgear SPH200D Skype phone
connected to my firewalled router.
I have to reboot SPH200D almost every other day
because of hacks that bring it down. I have no idea where
the hacks are coming from because I cannot login/telnet/ssh
into SPH200D because it refuses these connection reqs.
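An added example, not code from this thread or from Twinkle: a small Python parser for the Twinkle log layout quoted above that does for a softphone what fail2ban does for a SIP server, flagging inbound REGISTERs (a client is not a registrar and should never receive one), the friendly-scanner User-Agent, and a Via host such as 127.0.0.1 that differs from the sending address, then tallying hits per source for a block list. The sample log is constructed from the excerpt with the redacted domain left out; the reason labels and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in Twinkle's log layout, modelled on the excerpt quoted above.
SAMPLE_LOG = """\
+++ 12-10-2010 09:12:24.764991 INFO SIP ::process_sip_msg
Received from: udp:67.222.1.124:5092
REGISTER sip:24.111.191.152 SIP/2.0
Via: SIP/2.0/UDP 67.222.1.124:5092;branch=z9hG4bK-1019189801;rport
User-Agent: friendly-scanner

+++ 12-10-2010 09:12:24.769299 INFO SIP ::send_sip_udp
Send to: udp:218.14.146.200:5069
SIP/2.0 403 Forbidden

+++ 12-10-2010 09:12:24.771846 INFO SIP ::process_sip_msg
Received from: udp:218.14.146.200:5069
REGISTER sip:24.111.191.152 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-2590771448;rport
User-Agent: friendly-scanner
"""

SCANNER_AGENTS = ("friendly-scanner", "sipvicious")   # assumed watch list

def inbound_findings(log):
    """Yield (source_ip, reasons) for each inbound message Twinkle logged.
    Via mismatch alone is weak (NAT does it too); REGISTER at a client is not."""
    for entry in re.split(r"^\+\+\+ ", log, flags=re.M):
        lines = entry.splitlines()
        if len(lines) < 3 or "::process_sip_msg" not in lines[0]:
            continue                       # send_sip_udp entries are our replies
        src = re.match(r"Received from: \w+:([\d.]+):\d+", lines[1])
        headers = dict(ln.split(":", 1) for ln in lines[3:] if ":" in ln)
        headers = {k.strip().lower(): v.strip() for k, v in headers.items()}
        reasons = []
        if lines[2].startswith("REGISTER "):
            reasons.append("register-to-client")
        if any(s in headers.get("user-agent", "").lower() for s in SCANNER_AGENTS):
            reasons.append("scanner-user-agent")
        via = re.search(r"UDP ([\d.]+):", headers.get("via", ""))
        if src and via and via.group(1) != src.group(1):
            reasons.append("via-mismatch")
        if src and reasons:
            yield src.group(1), reasons

def sources_to_block(log, threshold=1):
    """Per-source hit counts at or above threshold, e.g. for a firewall list."""
    counts = Counter(ip for ip, _ in inbound_findings(log))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Twinkle itself cannot be told to drop REGISTERs, as the thread notes, so the useful action on a hit is a host firewall rule for the source, not a SIP reply.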
