Just got in and noticed that the adsl li ... / 2010-05-22

Just got in and noticed that the adsl link was particularly s-l-o-w. A tcpdump showed that there was a SIP brute-force attack going on, and with the wondershaper settings this was filling the ADSL upstream to the maximum. In the asterisk logs:
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"607589258"<sip:607589258@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"2737039014"<sip:2737039014@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"hello"<sip:hello@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"ranger"<sip:ranger@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"shadow"<sip:shadow@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"baseball"<sip:baseball@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"donald"<sip:donald@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"harley"<sip:harley@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"hockey"<sip:hockey@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 14:49:08] NOTICE[11238] chan_sip.c: Registration from '"letmein"<sip:letmein@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found

[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found
[May 22 17:46:24] NOTICE[11238] chan_sip.c: Registration from '"active" <sip:active@xx.xx.xx.xx>' failed for '193.55.30.2' - No matching peer found

For a total of 284970 attempts. Then I updated the firewall to block this and sent out an abuse report to the ISP.

With tshark the attacks look like:

Session Initiation Protocol
    Request-Line: REGISTER sip:xx.xx.xx.xx SIP/2.0
        Method: REGISTER
        [Resent Packet: False]
    Message Header
        Via: SIP/2.0/UDP 127.0.0.1:5091;branch=z9hG4bK-1064873464;rport
            Transport: UDP
            Sent-by Address: 127.0.0.1
            Sent-by port: 5091
            Branch: z9hG4bK-1064873464
            RPort: rport
        Content-Length: 0
        From: "instruct" <sip:instruct@xx.xx.xx.xx>
            SIP Display info: "instruct" 
            SIP from address: sip:instruct@xx.xx.xx.xx
        Accept: application/sdp
        User-Agent: friendly-scanner
        To: "instruct" <sip:instruct@xx.xx.xx.xx>
            SIP Display info: "instruct" 
            SIP to address: sip:instruct@xx.xx.xx.xx
        Contact: sip:123@1.1.1.1
            Contact Binding: sip:123@1.1.1.1
                URI: sip:123@1.1.1.1\r
                    SIP contact address: sip:123@1.1.1.1\r
        CSeq: 1 REGISTER
            Sequence Number: 1
            Method: REGISTER
        Call-ID: 3859238695
        Max-Forwards: 70
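
The following is an added example, not part of the original post: a small detector for the chan_sip log format shown above that flags any source address producing a burst of failed registrations. The function names, the threshold and window values, the year default and the sample lines (documentation addresses, usernames reused from the log above) are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the chan_sip "Registration ... failed" NOTICE lines; tolerates a trailing :port.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ [\d:]{8})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<frm>.*?)' failed for '(?P<ip>[^':]+)(?::\d+)?' - (?P<why>.+)$")
USER_RE = re.compile(r"sip:([^@>]+)@")

def parse(line, year=2010):
    """Return (timestamp, source_ip, username, reason) or None for unrelated lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Asterisk omits the year, so one is assumed to get a full timestamp.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    user = USER_RE.search(m["frm"])
    return ts, m["ip"], user.group(1) if user else "", m["why"]

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Sources with at least `threshold` failures inside any `window` (chronological input)."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    stats = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, user, _ = rec
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        s = stats.setdefault(ip, {"failures": 0, "users": set(), "flagged": False})
        s["failures"] += 1
        s["users"].add(user)      # many distinct names suggests account enumeration
        s["flagged"] = s["flagged"] or len(q) >= threshold
    return {ip: s for ip, s in stats.items() if s["flagged"]}

# Constructed sample input modelled on the log excerpt above.
FMT = ("[May 22 {t}] NOTICE[11238] chan_sip.c: Registration from "
       "'\"{u}\"<sip:{u}@pbx.example>' failed for '{ip}' - {why}")
SAMPLE = [FMT.format(t="09:00:00", u="alice", ip="198.51.100.7", why="Wrong password")]
SAMPLE += [FMT.format(t="14:49:08", u=u, ip="192.0.2.10", why="No matching peer found")
           for u in ("hello", "ranger", "shadow", "baseball", "donald", "harley")]
SAMPLE += [FMT.format(t="15:30:00", u="alice", ip="198.51.100.7", why="Wrong password"),
           "[May 22 15:30:01] VERBOSE[11238] logger.c: unrelated line"]

if __name__ == "__main__":
    for ip, s in find_bruteforce(SAMPLE).items():
        print(ip, s["failures"], "failures,", len(s["users"]), "distinct usernames")
```

The two widely spaced "Wrong password" lines from a single address stay below the threshold, so an occasional mistyped password is not flagged.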


, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 (0x5BA9368BE6F334E4), Koos van den Hout