2010-10-26
And another Asterisk SIP scan flood. It seems 213.77.26.82 also runs an old version of svcrack, given the timing:

9.001251 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.006190 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.011838 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.016725 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.021696 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.027144 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.032294 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.037223 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.042141 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.047801 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.052514 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.057900 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp

The left column is in seconds, so that is 0.06 seconds' worth of traffic.

A bit of tcpdumping and an attempt with svcrash later, it seems this is not the old version of the svcrack script, as certain headers are updated (no more 1.1.1.1 IP address) and the crash trick does not work. From the packet capture:
Session Initiation Protocol
    Request-Line: REGISTER sip:mm.nn.oo.pp SIP/2.0
        Method: REGISTER
        [Resent Packet: False]
    Message Header
        Via: SIP/2.0/UDP 213.77.26.82:5131;branch=z9hG4bK-1864113917;rport
            Transport: UDP
            Sent-by Address: 213.77.26.82
            Sent-by port: 5131
            Branch: z9hG4bK-1864113917
            RPort: rport
        Content-Length: 0
        From: "3992603480" <sip:3992603480@mm.nn.oo.pp>
            SIP Display info: "3992603480"
            SIP from address: sip:3992603480@mm.nn.oo.pp
        Accept: application/sdp
        User-Agent: friendly-scanner
        To: "3992603480" <sip:3992603480@mm.nn.oo.pp>
            SIP Display info: "3992603480"
            SIP to address: sip:3992603480@mm.nn.oo.pp
        Contact: sip:123@213.77.26.82:5131
            Contact Binding: sip:123@213.77.26.82:5131
                URI: sip:123@213.77.26.82:5131\r
                    SIP contact address: sip:123@213.77.26.82:5131\r
        CSeq: 1 REGISTER
            Sequence Number: 1
            Method: REGISTER
        Call-ID: 3252836054
        Max-Forwards: 70

I notified the abuse address for tpnet.pl, let's see what that does.
Update: Well, the flood of SIP packets from 213.77.26.82 has stopped. 7484510 attack packets were stopped by the fail2ban rule.
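The two checks done by hand above (the REGISTER rate from the tshark-style timing listing, and the telltale headers of one captured REGISTER) as a small Python script. This is an added example and not code from the original post: the summary lines and the raw REGISTER are constructed to mirror the listing and the capture shown above, mm.nn.oo.pp stands in for the scanned host as in the post, the benign OPTIONS line from 198.51.100.7 is invented as a control, and the thresholds (at least 10 REGISTERs at 50 or more per second) are assumptions, not something the post states. The User-Agent string friendly-scanner is the default sent by sipvicious; the Contact-user mismatch is a weaker heuristic taken from the capture (Contact user 123 versus From user 3992603480).

```python
import re
from collections import defaultdict

# tshark summary line: "<time> <src> -> <dst> SIP Request: <method> <uri>"
SUMMARY_RE = re.compile(
    r"^\s*(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"SIP Request:\s+(?P<method>[A-Z]+)\s+(?P<uri>\S+)"
)

# Constructed sample: the 12 REGISTERs from the post's listing, plus one
# invented benign OPTIONS keepalive from 198.51.100.7 as a control.
SAMPLE_SUMMARY = """\
9.001251 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.006190 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.011838 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.016725 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.021696 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.027144 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.032294 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.037223 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.042141 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.047801 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.052514 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.057900 213.77.26.82 -> mm.nn.oo.pp SIP Request: REGISTER sip:mm.nn.oo.pp
9.100000 198.51.100.7 -> mm.nn.oo.pp SIP Request: OPTIONS sip:mm.nn.oo.pp
"""


def register_rates(summary_text):
    """Group REGISTER requests by source IP.
    Returns {src: (count, span_seconds, rate)} where rate = count / span
    over the observed window (0.0 when only one packet was seen)."""
    times = defaultdict(list)
    for line in summary_text.splitlines():
        m = SUMMARY_RE.match(line)
        if m and m.group("method") == "REGISTER":
            times[m.group("src")].append(float(m.group("t")))
    out = {}
    for src, ts in times.items():
        span = max(ts) - min(ts)
        rate = len(ts) / span if len(ts) > 1 and span > 0 else 0.0
        out[src] = (len(ts), round(span, 6), rate)
    return out


def flooding_sources(summary_text, min_count=10, min_rate=50.0):
    """Sources sending >= min_count REGISTERs at >= min_rate per second
    (thresholds are assumptions chosen for this example)."""
    return sorted(src for src, (n, _, rate) in register_rates(summary_text).items()
                  if n >= min_count and rate >= min_rate)


# Constructed raw REGISTER mirroring the headers in the post's capture.
SAMPLE_REGISTER = (
    b"REGISTER sip:mm.nn.oo.pp SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 213.77.26.82:5131;branch=z9hG4bK-1864113917;rport\r\n"
    b"Content-Length: 0\r\n"
    b'From: "3992603480" <sip:3992603480@mm.nn.oo.pp>\r\n'
    b"Accept: application/sdp\r\n"
    b"User-Agent: friendly-scanner\r\n"
    b'To: "3992603480" <sip:3992603480@mm.nn.oo.pp>\r\n'
    b"Contact: sip:123@213.77.26.82:5131\r\n"
    b"CSeq: 1 REGISTER\r\n"
    b"Call-ID: 3252836054\r\n"
    b"Max-Forwards: 70\r\n"
    b"\r\n"
)


def parse_sip_request(raw):
    """Parse the request line and headers of a SIP request (bytes or str).
    Header names are lower-cased; a repeated header keeps its first value."""
    text = raw.decode("utf-8", "replace") if isinstance(raw, bytes) else raw
    head = re.split(r"\r?\n\r?\n", text, 1)[0]  # drop the body, if any
    lines = head.splitlines()
    parts = lines[0].split() if lines else []
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        raise ValueError("not a SIP request line: %r" % (lines[:1],))
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return {"method": parts[0], "uri": parts[1], "headers": headers}


USER_RE = re.compile(r"sips?:([^@>;]+)@")


def uri_user(header_value):
    """User part of the first sip:/sips: URI in a header value, or None."""
    m = USER_RE.search(header_value or "")
    return m.group(1) if m else None


def scanner_indicators(msg):
    """Signs that a parsed REGISTER came from a sipvicious-style scanner."""
    h = msg["headers"]
    hits = []
    if h.get("user-agent", "").lower() == "friendly-scanner":
        hits.append("User-Agent is friendly-scanner (sipvicious default)")
    # Weaker heuristic taken from the capture: Contact user 123 vs From user.
    if msg["method"] == "REGISTER" and h.get("contact") and \
            uri_user(h["contact"]) != uri_user(h.get("from")):
        hits.append("Contact user does not match From user")
    return hits


if __name__ == "__main__":
    for src, (n, span, rate) in register_rates(SAMPLE_SUMMARY).items():
        print("%s: %d REGISTERs in %.6fs (%.0f/s)" % (src, n, span, rate))
    print("flooding:", flooding_sources(SAMPLE_SUMMARY))
    print("indicators:", scanner_indicators(parse_sip_request(SAMPLE_REGISTER)))
```

Run stand-alone it reports the single flooding source at roughly 212 REGISTERs per second over the 0.057 s window and both header indicators for the sample REGISTER; feeding it real `tshark -r capture.pcap` summary output or a raw UDP payload works the same way, since both functions only depend on the line and header layout shown in the post.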