[asterisk-dev] SIP now target of botnets?

Kevin P. Fleming kpfleming at digium.com
Tue Oct 11 11:29:32 CDT 2011


On 10/11/2011 11:22 AM, Philip Prindeville wrote:
> On 10/10/11 11:43 AM, Kevin P. Fleming wrote:
>> On 10/10/2011 12:40 PM, Philip Prindeville wrote:
>>> Going through my logs this morning, I saw:
>>>
>>> Oct  9 02:58:22 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (75.125.238.10:5060) to extension '23271281566230' rejected because extension not found in context 'INVALID'.
>>> Oct  9 02:58:23 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (125.198.4.61:5060) to extension '00442035199440' rejected because extension not found in context 'INVALID'.
>>> Oct  9 02:58:23 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (95.131.86.102:5060) to extension '000442035199440' rejected because extension not found in context 'INVALID'.
>>> Oct  9 02:58:24 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (18.34.95.140:5060) to extension '0000442035199439' rejected because extension not found in context 'INVALID'.
>>> Oct  9 02:58:25 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (81.30.133.230:5060) to extension '0442035199440' rejected because extension not found in context 'INVALID'.
>>> Oct  9 02:58:26 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (44.180.13.28:5060) to extension '+00442035199440' rejected because extension not found in context 'INVALID'.
>>> Oct  9 02:58:28 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (44.221.65.188:5060) to extension '900442035199440' rejected because extension not found in context 'INVALID'.
>>> Oct  9 02:58:30 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (69.178.122.254:5060) to extension '9000442035199440' rejected because extension not found in context 'INVALID'.
>>> Oct  9 02:58:31 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (80.220.25.136:5060) to extension '+900442035199439' rejected because extension not found in context 'INVALID'.
>>> Oct  9 02:58:32 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (125.199.62.179:5060) to extension '*442035199439' rejected because extension not found in context 'INVALID'.
>>> Oct  9 02:58:33 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (118.29.80.113:5060) to extension '+442035199439' rejected because extension not found in context 'INVALID'.
>>> Oct  9 02:58:37 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (50.73.196.71:5060) to extension '+011442035199439' rejected because extension not found in context 'INVALID'.
>>> Oct  9 02:58:39 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (112.228.186.231:5060) to extension '+9011442035199440' rejected because extension not found in context 'INVALID'.
>>> Oct  9 02:58:41 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (121.131.152.7:5060) to extension '+0011442035199439' rejected because extension not found in context 'INVALID'.
>>> Oct  9 02:58:45 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (58.248.230.53:5060) to extension '4011442035199440' rejected because extension not found in context 'INVALID'.
>>> Oct  9 02:58:46 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (126.139.168.191:5060) to extension '5011442035199439' rejected because extension not found in context 'INVALID'.
>>> Oct  9 02:58:47 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (44.81.91.190:5060) to extension '6011442035199440' rejected because extension not found in context 'INVALID'.
>>> Oct  9 02:58:49 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (41.213.16.40:5060) to extension '8011442035199440' rejected because extension not found in context 'INVALID'.
>>> Oct  9 02:58:52 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (115.194.189.56:5060) to extension '442035199439' rejected because extension not found in context 'INVALID'.
>>>
>>>
>>> Interesting that within seconds, I got a bunch of attacks for the same groups of numbers, from machines in multiple different countries.
>>>
>>> My conclusion is that SIP is now one of the attack surfaces of botnets, and not just lone hackers looking for free phone service.
>>>
>>> Anyone else seeing this?
>>
>> Is this a development question? If not, please move it to
>> asterisk-users, where the population of people that will see it and
>> could respond will also be substantially higher.
>
> Well, I was just wondering if it means that we'll need to add more access controls, revisit logging, maybe add a rate-limiting mechanism for unconfigured/unauthenticated connections, etc.

If that's what you were asking, you did a good job of hiding it in your 
original post :-)

It's unlikely that any changes will be necessary in Asterisk to allow 
you to deal with this sort of attack; as you can see, Asterisk is 
already logging the attempts. There are existing tools (fail2ban and 
others) that can be used to watch the Asterisk logs and take action 
based on policies you define.

As we've said on this list (and asterisk-users) before, Asterisk is not 
a firewall, just like Apache HTTPD is not a firewall, Postfix is not a 
firewall, and lots of other applications are not firewalls. The 
applications can tell you about the activities that are occurring; 
deciding whether they are worthy of mitigation is up to you, using some 
tool(s) outside of the application.

In this particular case, taking any action at all is going to be tough, 
as it appears that each of these call attempts was made (or spoofed) 
from a different source IP.

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kfleming at digium.com | SIP: kpfleming at digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org
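An added example, not code from the thread or from the Asterisk project: a small Python script that parses chan_sip "extension not found" NOTICE lines like the ones quoted above (the sample lines are constructed and use RFC 5737 documentation address ranges) and shows why a per-source rule of the kind fail2ban applies sees only one attempt per address, while grouping by the dialed number exposes the distributed probe. The trailing-digits normalisation of the dialed extension is an assumption of this example, not Asterisk behaviour.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the chan_sip NOTICE format from the thread; sources are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Oct  9 02:58:22 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (198.51.100.10:5060) to extension '00442035199440' rejected because extension not found in context 'INVALID'.
Oct  9 02:58:23 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (203.0.113.61:5060) to extension '011442035199440' rejected because extension not found in context 'INVALID'.
Oct  9 02:58:25 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (198.51.100.230:5060) to extension '+442035199440' rejected because extension not found in context 'INVALID'.
Oct  9 02:58:28 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (203.0.113.188:5060) to extension '9011442035199440' rejected because extension not found in context 'INVALID'.
Oct  9 02:58:31 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (192.0.2.44:5060) to extension '*442035199440' rejected because extension not found in context 'INVALID'.
Oct  9 02:59:02 pbx local0.notice asterisk[29752]: NOTICE[29780]: chan_sip.c:22109 in handle_request_invite: Call from '' (192.0.2.77:5060) to extension '1000' rejected because extension not found in context 'INVALID'.
"""

REJECT_RE = re.compile(
    r"Call from '(?P<caller>[^']*)' \((?P<ip>[0-9.]+):(?P<port>\d+)\) "
    r"to extension '(?P<ext>[^']+)' rejected because extension not found "
    r"in context '(?P<ctx>[^']*)'"
)

def parse_rejections(log_text):
    """Return one dict per 'extension not found' NOTICE line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def target_key(ext, keep=10):
    """Heuristic (an assumption of this example): probes prepend trunk/international
    prefixes (00, 011, 9011, +, * ...) to one real number, so key on the trailing digits."""
    digits = re.sub(r"\D", "", ext)
    return digits[-keep:]

def per_ip_counts(events):
    """What a per-source rule (fail2ban style) sees: rejected attempts per source IP."""
    return Counter(e["ip"] for e in events)

def distributed_campaigns(events, min_sources=3):
    """Group attempts by normalised dialed number and report numbers probed from
    at least min_sources distinct IPs, which a per-IP threshold never notices."""
    sources = defaultdict(set)
    for e in events:
        sources[target_key(e["ext"])].add(e["ip"])
    return {k: sorted(v) for k, v in sources.items() if len(v) >= min_sources}

if __name__ == "__main__":
    evs = parse_rejections(SAMPLE_LOG)
    print("busiest single source:", per_ip_counts(evs).most_common(1))
    print("distributed campaigns:", distributed_campaigns(evs))
```

On the sample input every source appears exactly once, so a maxretry-style rule stays silent, while the grouped view reports one number probed from five addresses.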
