[AusNOG] VoIP Hack Attempts
Chris Keladis
ckeladis at gmail.com
Tue Sep 28 05:24:42 EST 2010
On Tue, Sep 28, 2010 at 12:13 AM, Skeeve Stevens <Skeeve at eintellego.net> wrote:
> I’ve got a few customers who have noticed a large recent jump in SIP scans
> against their networks.
Hey Skeeve,
Sounds like your customers are being hit by the recent uptick in SIP
scanning; this was covered by the SANS ISC diary here:
http://isc.sans.edu/diary.html?storyid=9193
Also..
http://isc.sans.edu/diary.html?storyid=8641
One idea for handling the flood..
http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/
You could use the same logic and add more smarts to the script
mentioned above to say something like, if n>failed-registration-limit
then add IP to blocklist, or simply do it from the PBX logs.
SIPVicious was at one time used to do the scanning. The author
includes a script to "crash" the remote scanning instance (haven't
tested it myself..)
http://blog.sipvicious.org/2010/06/how-to-crash-sipvicious-introducing.html
We could also take a leaf out of the SSH scanning book, and change the
SIP ports your customers use.
On an open system, from a network operator's perspective, I'm not sure
much can be done without impacting call quality/availability; this
will have to be done on the customer/SIP-server level.
Anyway, food for thought...
Cheers,
Chris.
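
An added example, not part of Chris's message or of the script he links: one way to apply the "n > failed-registration-limit, then add IP to blocklist" idea directly to PBX logs. The Asterisk chan_sip log format, the limit, the time window, the allowlist and every sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: Asterisk chan_sip NOTICE lines (the post only says "PBX logs").
# The greedy '.*' plus the '$' anchor take the address from the suffix the PBX
# writes itself, not from the caller-supplied From text earlier in the line.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\].*?: Registration from '.*' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - .+$"
)
LIMIT = 3                       # "failed-registration-limit" (value assumed)
WINDOW = timedelta(seconds=60)  # assumed: only failures this close together count
ALLOWLIST = {"192.0.2.10"}      # assumed: customer trunk that must never be blocked

def offenders(lines, limit=LIMIT, window=WINDOW, allow=ALLOWLIST):
    """Return IPs with more than `limit` failed REGISTERs inside `window`."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    blocked = []
    for line in lines:
        m = FAILED_REG.match(line.strip())
        if not m or m["ip"] in allow or m["ip"] in blocked:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > limit:          # n > failed-registration-limit
            blocked.append(m["ip"])
    return blocked

def make_line(ts, ext, ip):
    """Build one constructed log line (sample data, not captured traffic)."""
    return (f"[2010-09-28 {ts}] NOTICE[2301] chan_sip.c: Registration from "
            f"'\"{ext}\" <sip:{ext}@203.0.113.5>' failed for '{ip}' - Wrong password")

SAMPLE_LOG = (
    [make_line(f"05:10:0{i}", 100 + i, "198.51.100.23") for i in range(5)]  # burst
    + [make_line(f"05:1{i}:00", 200, "203.0.113.77") for i in range(5)]     # one a minute
    + [make_line(f"05:20:0{i}", 300, "192.0.2.10") for i in range(5)]       # allowlisted
)

if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG):
        print(ip)   # feed these to whatever blocklist the firewall or PBX uses
```

The time window keeps a customer who mistypes a password once a minute under the limit, while a burst from a single address crosses it within seconds.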