2010-04-19 Lots of SIP attacks lately
Lots of SIP attacks lately (stuff which goes on even when I'm more interested in IPv6). First, near-standard SIP registration attacks from Amazon EC2, also seen by one of my Asterisk installs:

[Apr 10 16:40:30] NOTICE chan_sip.c: Registration from '"02"<sip:firstname.lastname@example.org>' failed for '126.96.36.199' - No matching peer found
[Apr 10 16:40:30] NOTICE chan_sip.c: Registration from '"03"<sip:email@example.com>' failed for '188.8.131.52' - No matching peer found

My system wasn't the only one attacked; I saw reports everywhere, including: Amazon EC2 SIP Brute Force Attacks on Rise - VoIP Tech Chat, Amazon EC2 Flood Attacks from the Cloud - VoIP Users Conference, SIP Attacks From Amazon EC2 Going Unaddressed - SlashDot IT and SIP Brute Force Attack Originating From Amazon EC2 Hosts - Stuart Sheldon.
I changed /etc/asterisk/sip.conf to include alwaysauthreject = yes, which makes SIP account enumeration impossible: the attacker can't see the difference between 'account does not exist' and 'password not valid', because Asterisk answers both cases the same way. The Asterisk log still records the two cases separately; only the response sent to the client becomes uniform. This violates the SIP RFC but makes attacks a lot harder.
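Since the log keeps distinguishing "No matching peer found" from a wrong password, the same NOTICE lines can drive a simple brute-force detector. The following is an added example (not code from the original post): it parses chan_sip "Registration from ... failed for ..." lines, groups failures per source address, and flags any source with at least `threshold` failures inside a `window_seconds` sliding window. The first two sample lines are the ones quoted above; the remaining lines, the year 2010 attached to the year-less Asterisk timestamps, and the threshold values are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. The first two lines are quoted in the post; the rest are
# made up to exercise the per-source counting logic (192.0.2.10 is a documentation
# address standing in for a legitimate user who mistyped a password once).
SAMPLE_LOG = """\
[Apr 10 16:40:30] NOTICE chan_sip.c: Registration from '"02"<sip:firstname.lastname@example.org>' failed for '126.96.36.199' - No matching peer found
[Apr 10 16:40:30] NOTICE chan_sip.c: Registration from '"03"<sip:email@example.com>' failed for '188.8.131.52' - No matching peer found
[Apr 10 16:40:31] NOTICE chan_sip.c: Registration from '"04"<sip:email@example.com>' failed for '126.96.36.199' - No matching peer found
[Apr 10 16:40:31] NOTICE chan_sip.c: Registration from '"05"<sip:email@example.com>' failed for '126.96.36.199' - Wrong password
[Apr 10 16:40:32] NOTICE chan_sip.c: Registration from '"06"<sip:email@example.com>' failed for '126.96.36.199' - No matching peer found
[Apr 10 16:41:05] NOTICE chan_sip.c: Registration from '"1001"<sip:email@example.com>' failed for '192.0.2.10' - Wrong password
"""

# Asterisk timestamps carry no year; 2010 is assumed here so deltas can be computed.
ASSUMED_YEAR = 2010

# Tolerates an optional thread id after NOTICE and an optional ':port' after the
# address, both of which appear in some Asterisk versions.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] "
    r"NOTICE(?:\[\d+\])? chan_sip\.c: Registration from '(?P<from>[^']*)' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.*)$"
)


def account_name(from_field):
    """Return the account the client tried: the display name, else the SIP user part."""
    m = re.match(r'"([^"]*)"', from_field)
    if m:
        return m.group(1)
    m = re.search(r"sip:([^@>]+)", from_field)
    return m.group(1) if m else from_field


def parse_line(line):
    """Parse one chan_sip registration-failure line; return None for other lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return {
        "ts": ts,
        "ip": m.group("ip"),
        "account": account_name(m.group("from")),
        "reason": m.group("reason").strip(),
    }


def parse_log(log_text):
    """Yield parsed records for every matching line in the log text."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            yield rec


def flag_sources(log_text, threshold=3, window_seconds=60):
    """Return {ip: summary} for sources with >= threshold failures in any window."""
    per_ip = defaultdict(list)
    for rec in parse_log(log_text):
        per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Shrink the window from the left until it spans at most window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "attempts": len(recs),
                    "accounts": sorted({r["account"] for r in recs}),
                    # Unknown-peer failures show the source was guessing account names,
                    # which is exactly what alwaysauthreject hides from the client.
                    "enumeration_hits": sum(
                        r["reason"] == "No matching peer found" for r in recs
                    ),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failures, accounts tried {info['accounts']}, "
              f"{info['enumeration_hits']} against non-existent peers")
```

Run against a real /var/log/asterisk/messages the output is what you would feed into a firewall rule or fail2ban-style block list; the threshold and window should be tuned so a user retyping a password a couple of times is not caught.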
A lot of the articles above report the same answer from Amazon EC2 network abuse: they do not care. That immediately degrades the 'standing' of their network. If you don't care about attacks originating from your network, lots of people won't care about anything originating from your network.