[asterisk-dev] SIP now target of botnets?

Paul Belanger pabelanger at digium.com
Tue Oct 11 12:51:52 CDT 2011


On 11-10-11 12:29 PM, Kevin P. Fleming wrote:
> On 10/11/2011 11:22 AM, Philip Prindeville wrote:
>> On 10/10/11 11:43 AM, Kevin P. Fleming wrote:
>>> On 10/10/2011 12:40 PM, Philip Prindeville wrote:
>>>> Going through my logs this morning, I saw:
>>>>
>>>> Oct 9 02:58:22 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>> (75.125.238.10:5060) to extension '23271281566230' rejected because
>>>> extension not found in context 'INVALID'.
>>>> Oct 9 02:58:23 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>> (125.198.4.61:5060) to extension '00442035199440' rejected because
>>>> extension not found in context 'INVALID'.
>>>> Oct 9 02:58:23 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>> (95.131.86.102:5060) to extension '000442035199440' rejected because
>>>> extension not found in context 'INVALID'.
>>>> Oct 9 02:58:24 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>> (18.34.95.140:5060) to extension '0000442035199439' rejected because
>>>> extension not found in context 'INVALID'.
>>>> Oct 9 02:58:25 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>> (81.30.133.230:5060) to extension '0442035199440' rejected because
>>>> extension not found in context 'INVALID'.
>>>> Oct 9 02:58:26 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>> (44.180.13.28:5060) to extension '+00442035199440' rejected because
>>>> extension not found in context 'INVALID'.
>>>> Oct 9 02:58:28 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>> (44.221.65.188:5060) to extension '900442035199440' rejected because
>>>> extension not found in context 'INVALID'.
>>>> Oct 9 02:58:30 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>> (69.178.122.254:5060) to extension '9000442035199440' rejected
>>>> because extension not found in context 'INVALID'.
>>>> Oct 9 02:58:31 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>> (80.220.25.136:5060) to extension '+900442035199439' rejected
>>>> because extension not found in context 'INVALID'.
>>>> Oct 9 02:58:32 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>> (125.199.62.179:5060) to extension '*442035199439' rejected because
>>>> extension not found in context 'INVALID'.
>>>> Oct 9 02:58:33 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>> (118.29.80.113:5060) to extension '+442035199439' rejected because
>>>> extension not found in context 'INVALID'.
>>>> Oct 9 02:58:37 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>> (50.73.196.71:5060) to extension '+011442035199439' rejected because
>>>> extension not found in context 'INVALID'.
>>>> Oct 9 02:58:39 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>> (112.228.186.231:5060) to extension '+9011442035199440' rejected
>>>> because extension not found in context 'INVALID'.
>>>> Oct 9 02:58:41 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>> (121.131.152.7:5060) to extension '+0011442035199439' rejected
>>>> because extension not found in context 'INVALID'.
>>>> Oct 9 02:58:45 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>> (58.248.230.53:5060) to extension '4011442035199440' rejected
>>>> because extension not found in context 'INVALID'.
>>>> Oct 9 02:58:46 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>> (126.139.168.191:5060) to extension '5011442035199439' rejected
>>>> because extension not found in context 'INVALID'.
>>>> Oct 9 02:58:47 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>> (44.81.91.190:5060) to extension '6011442035199440' rejected because
>>>> extension not found in context 'INVALID'.
>>>> Oct 9 02:58:49 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>> (41.213.16.40:5060) to extension '8011442035199440' rejected because
>>>> extension not found in context 'INVALID'.
>>>> Oct 9 02:58:52 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>> (115.194.189.56:5060) to extension '442035199439' rejected because
>>>> extension not found in context 'INVALID'.
>>>>
>>>>
>>>> interesting that within seconds, I got a bunch of attacks for the
>>>> same groups of numbers, from machines in multiple different countries.
>>>>
>>>> My conclusion is that SIP is now one of the attack surfaces of
>>>> botnets, and not just lone hackers looking for free phone service.
>>>>
>>>> Anyone else seeing this?
>>>
>>> Is this a development question? If not, please move it to
>>> asterisk-users, where the population of people that will see it and
>>> could respond will also be substantially higher.
>>
>> Well, I was just wondering if it means that we'll need to add more
>> access controls, revisit logging, maybe add a rate-limiting mechanism
>> for unconfigured/unauthenticated connections, etc.
>
> If that's what you were asking, you did a good job of hiding it in your
> original post :-)
>
> It's unlikely that any changes will be necessary in Asterisk to allow
> you to deal with this sort of attack; as you can see, Asterisk is
> already logging the attempts. There are existing tools (fail2ban and
> others) that can be used to watch the Asterisk logs and take action
> based on policies you define.
>
> As we've said on this list (and asterisk-users) before, Asterisk is not
> a firewall, just like Apache HTTPD is not a firewall, Postfix is not a
> firewall, and lots of other applications are not firewalls. The
> applications can tell you about the activities that are occurring;
> deciding whether they are worthy of mitigation is up to you, using some
> tool(s) outside of the application.
>
Well said!  I am constantly surprised how many people will not firewall
their Asterisk boxes. 99% of the time this will prevent a SIP or <insert
protocol of choice> attack.

> In this particular case, taking any action at all is going to be tough,
> as it appears that each of these call attempts was made (or spoofed)
> from a different source IP.
>

-- 
Paul Belanger
Digium, Inc. | Software Developer
twitter: pabelanger | IRC: pabelanger (Freenode)
Check us out at: http://digium.com & http://asterisk.org
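The log-watching approach discussed in this thread, as an added example that is not part of the thread, of Asterisk or of fail2ban: it parses the chan_sip "extension not found" notice quoted above and correlates rejected INVITEs by the destination being dialled rather than by source IP, since Kevin's last point is that every attempt arrived from a different address. The sample lines (documentation-range IPs), the trailing-digit normalization and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# One-line form of the chan_sip NOTICE quoted above (syslog adds "Mon DD HH:MM:SS host").
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*handle_request_invite: "
    r"Call from '[^']*' \((?P<ip>[\d.]+):\d+\) to extension '(?P<ext>[^']+)' "
    r"rejected because extension not found in context '(?P<ctx>[^']+)'")

def parse_line(line):  # timestamp, source IP, extension and context, or None
    m = LOG_RE.match(line)
    return m and {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                  "ip": m["ip"], "ext": m["ext"], "ctx": m["ctx"]}

def target_key(ext, suffix_len=10):
    # Assumption: only the dialing prefix ('+', '9', '011', leading zeros) varies,
    # so the trailing digits identify the real destination being probed.
    return re.sub(r"\D", "", ext)[-suffix_len:]

def detect_bursts(lines, window_s=60, min_sources=5):
    # Alert when >= min_sources distinct IPs dial one destination within window_s
    # seconds; a per-source-IP threshold never fires when each attempt has its own IP.
    by_target = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ctx"] == "INVALID":
            by_target[target_key(rec["ext"])].append((rec["ts"], rec["ip"]))
    alerts = []
    for key, events in by_target.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over ordered events
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            sources = {ip for _, ip in events[start:end + 1]}
            if len(sources) >= min_sources:
                alerts.append({"target": key, "sources": len(sources),
                               "first": events[start][0], "last": events[end][0]})
                break
    return alerts

def _line(ts, ip, ext):  # constructed sample lines using documentation IPs
    return (f"{ts} pbx local0.notice asterisk[1]: NOTICE[2]: chan_sip.c:22109 in "
            f"handle_request_invite: Call from '' ({ip}:5060) to extension '{ext}' "
            f"rejected because extension not found in context 'INVALID'.")

SAMPLE = [_line(ts, ip, ext) for ts, ip, ext in [
    ("Oct  9 02:58:22", "192.0.2.10", "00442035199439"),
    ("Oct  9 02:58:23", "192.0.2.11", "+442035199439"),
    ("Oct  9 02:58:25", "198.51.100.7", "9011442035199439"),
    ("Oct  9 02:58:28", "203.0.113.4", "*442035199439"),
    ("Oct  9 02:58:31", "203.0.113.9", "442035199439"),
    ("Oct  9 03:40:00", "192.0.2.50", "1234")]]
```

`detect_bursts(SAMPLE)` reports one destination hit by five different sources within nine seconds; the isolated miss from 192.0.2.50 produces nothing, and a ban on any single source would not have caught the burst either.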