2010-05-22
Just got in and noticed that the ADSL link was particularly s-l-o-w. A tcpdump showed that there was a SIP brute-force attack going on, and with the wondershaper settings this was filling the ADSL upstream to the maximum. In the Asterisk logs:

[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"607589258"<sip:607589258@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"2737039014"<sip:2737039014@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"hello"<sip:hello@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"ranger"<sip:ranger@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"shadow"<sip:shadow@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"baseball"<sip:baseball@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"donald"<sip:donald@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"harley"<sip:harley@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"hockey"<sip:hockey@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"letmein"<sip:letmein@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found

For a total of 284970 attempts. Then I updated the firewall to block this, and sent out an abuse report to the ISP.

With tshark the attacks look like:

Session Initiation Protocol
    Request-Line: REGISTER sip:xx.xx.xx.xx SIP/2.0
        Method: REGISTER
        [Resent Packet: False]
    Message Header
        Via: SIP/2.0/UDP 127.0.0.1:5091;branch=z9hG4bK-1064873464;rport
            Transport: UDP
            Sent-by Address: 127.0.0.1
            Sent-by port: 5091
            Branch: z9hG4bK-1064873464
            RPort: rport
        Content-Length: 0
        From: "instruct" <sip:instruct@xx.xx.xx.xx>
            SIP Display info: "instruct"
            SIP from address: sip:instruct@xx.xx.xx.xx
        Accept: application/sdp
        User-Agent: friendly-scanner
        To: "instruct" <sip:instruct@xx.xx.xx.xx>
            SIP Display info: "instruct"
            SIP to address: sip:instruct@xx.xx.xx.xx
        Contact: sip:123@1.1.1.1
            Contact Binding: sip:123@1.1.1.1
                URI: sip:123@1.1.1.1\r
                    SIP contact address: sip:123@1.1.1.1\r
        CSeq: 1 REGISTER
            Sequence Number: 1
            Method: REGISTER
        Call-ID: 3859238695
        Max-Forwards: 70
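
A way to spot this kind of flood from the Asterisk log before the uplink saturates, as an added example that is not part of the original post: it parses the chan_sip registration-failure lines shown above and flags any source IP with too many failures inside a short window. The function names, the threshold of 5 failures in 60 seconds, the year default, and the two sample lines not involving 193.55.30.2 are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Shape of the chan_sip registration-failure lines quoted in the post.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<sender>.*)' failed for '(?P<ip>[^']+)' - (?P<reason>.+)$")
USER_RE = re.compile(r"<sip:([^@>]+)@")

def parse_line(line, year=2010):
    """Return (timestamp, source_ip, username, reason) or None if no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The log has no year, so the caller supplies one (assumption: 2010).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    user = USER_RE.search(m["sender"])
    return ts, m["ip"], user.group(1) if user else None, m["reason"]

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Per-IP stats; 'flagged' once `threshold` failures fall inside `window`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    stats = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # unrelated log line
        ts, ip, user, _reason = parsed
        s = stats.setdefault(ip, {"failures": 0, "users": set(), "flagged": False})
        s["failures"] += 1
        if user:
            s["users"].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            s["flagged"] = True
    return stats

# Constructed sample: five lines from the post, plus two invented lines
# (a single mistyped password from 192.0.2.10 and an unrelated notice).
_P = "[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from "
SAMPLE_LOG = [_P + f"'\"{u}\"<sip:{u}@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found"
              for u in ("hello", "ranger", "shadow", "baseball", "donald")]
SAMPLE_LOG += [_P + "'\"alice\"<sip:alice@xx.xx.xx.xx>' failed for '192.0.2.10' - Wrong password",
               "[May 22 14:49:09] NOTICE[11238] chan_sip.c: Peer 'alice' is now Reachable"]

if __name__ == "__main__":
    for ip, s in find_bruteforce(SAMPLE_LOG).items():
        print(ip, s["failures"], sorted(s["users"]), "BLOCK" if s["flagged"] else "ok")
```

The flagged addresses are the ones to hand to the firewall; the distinct-username count separates a dictionary scan from a single phone with a stale password.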