[AusNOG] VoIP Hack Attempts

Skeeve Stevens Skeeve at eintellego.net
Tue Sep 28 07:27:49 EST 2010


Hey Chris,

I particularly like your suggestion to change the SIP port.  I will put it to the VoIP guys and see what they think the impact of that will be.  Surely as they have to set up the device itself, specifying the port should be trivial.

Also, thank you others... clearly we've got a serious situation going on that needs some sort of answers.


...Skeeve

--
Skeeve Stevens, CEO
eintellego Pty Ltd - The Networking Specialists
skeeve at eintellego.net / www.eintellego.net
Phone: 1300 753 383, Fax: (+612) 8572 9954
Cell +61 (0)414 753 383 / skype://skeeve
www.linkedin.com/in/skeeve ; facebook.com/eintellego
--
eintellego - The Experts that the Experts call
- Juniper - HP Networking - Cisco - Arista -


> -----Original Message-----
> From: Chris Keladis [mailto:ckeladis at gmail.com]
> Sent: Tuesday, 28 September 2010 5:25 AM
> To: Skeeve Stevens
> Cc: ausnog at ausnog.net List
> Subject: Re: [AusNOG] VoIP Hack Attempts
> 
> On Tue, Sep 28, 2010 at 12:13 AM, Skeeve Stevens
> <Skeeve at eintellego.net> wrote:
> 
> > I’ve got a few customers who have noticed a large recent jump in SIP scans
> > against their networks.
> 
> Hey Skeeve,
> 
> Sounds like your customers are being hit by the recent uptick in SIP
> scanning; this was covered by the SANS ISC diary here:
> 
> http://isc.sans.edu/diary.html?storyid=9193
> 
> Also..
> 
> http://isc.sans.edu/diary.html?storyid=8641
> 
> One idea for handling the flood..
> 
> http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/
> 
> You could use the same logic and add more smarts to the script
> mentioned above to say something like, if n>failed-registration-limit
> then add IP to blocklist, or simply do it from the PBX logs.
> 
> SIPVicious was at one time used to do the scanning. The author
> includes a script to "crash" the remote scanning instance (haven't
> tested it myself..)
> 
> http://blog.sipvicious.org/2010/06/how-to-crash-sipvicious-introducing.html
> 
> We could also take a leaf out of the SSH scanning book, and change the
> SIP ports your customers use.
> 
> On an open system, from a network operator's perspective, I'm not sure
> much can be done without impacting call quality/availability; this
> will have to be done on the customer/SIP-server level.
> 
> 
> Anyway, food for thought...
> 
> 
> 
> Cheers,
> 
> Chris.
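
The failed-registration limit suggested in the quoted message, driven from PBX logs, as an added example that is not part of the original thread. It assumes Asterisk chan_sip style log lines (the thread names no PBX); the sample lines, `LIMIT` and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: Asterisk chan_sip style NOTICE lines; adapt the pattern to your PBX.
# The value after "Registration from" is supplied by the sender, so the greedy
# ".*" plus the end anchor bind the match to the LAST "failed for '<ip>'" on the
# line, which is the part the PBX itself writes.
FAILED_REG = re.compile(
    r"Registration from '.*' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - [^']*$"
)

# Constructed sample log (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
[2010-09-28 05:12:01] NOTICE[2211] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[2010-09-28 05:12:01] NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[2010-09-28 05:12:02] NOTICE[2211] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[2010-09-28 05:12:02] NOTICE[2211] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2010-09-28 05:13:40] NOTICE[2211] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '203.0.113.20' - Wrong password
[2010-09-28 05:14:05] NOTICE[2211] chan_sip.c: Registration from '"x' failed for '203.0.113.20" <sip:x@192.0.2.10>' failed for '198.51.100.9' - Wrong password
[2010-09-28 05:14:09] VERBOSE[2211] chan_sip.c: Registered SIP '201' at 203.0.113.20 port 5060
"""

LIMIT = 3  # hypothetical failed-registration limit per log window


def failed_registrations(lines):
    """Count failed REGISTER attempts per source IP."""
    counts = Counter()
    for line in lines:
        match = FAILED_REG.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def blocklist(lines, limit=LIMIT, allowlist=()):
    """Return source IPs with more than `limit` failures, minus known-good hosts."""
    counts = failed_registrations(lines)
    return sorted(ip for ip, n in counts.items() if n > limit and ip not in allowlist)


if __name__ == "__main__":
    for ip in blocklist(SAMPLE_LOG.splitlines()):
        print(ip)  # feed into the firewall table or PBX deny list of your choice
```

The sixth sample line carries a forged "failed for" string inside the sender-controlled header; the count still lands on the real source, so a scanner cannot use the log to get a customer's address blocked.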
