[asterisk-dev] SIP now target of botnets?

Paul Belanger pabelanger at digium.com
Tue Oct 11 12:54:20 CDT 2011 

On 11-10-11 01:51 PM, Paul Belanger wrote:
> On 11-10-11 12:29 PM, Kevin P. Fleming wrote:
>> On 10/11/2011 11:22 AM, Philip Prindeville wrote:
>>> On 10/10/11 11:43 AM, Kevin P. Fleming wrote:
>>>> On 10/10/2011 12:40 PM, Philip Prindeville wrote:
>>>>> Going through my logs this morning, I saw:
>>>>>
>>>>> Oct 9 02:58:22 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>>> (75.125.238.10:5060) to extension '23271281566230' rejected because
>>>>> extension not found in context 'INVALID'.
>>>>> Oct 9 02:58:23 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>>> (125.198.4.61:5060) to extension '00442035199440' rejected because
>>>>> extension not found in context 'INVALID'.
>>>>> Oct 9 02:58:23 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>>> (95.131.86.102:5060) to extension '000442035199440' rejected because
>>>>> extension not found in context 'INVALID'.
>>>>> Oct 9 02:58:24 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>>> (18.34.95.140:5060) to extension '0000442035199439' rejected because
>>>>> extension not found in context 'INVALID'.
>>>>> Oct 9 02:58:25 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>>> (81.30.133.230:5060) to extension '0442035199440' rejected because
>>>>> extension not found in context 'INVALID'.
>>>>> Oct 9 02:58:26 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>>> (44.180.13.28:5060) to extension '+00442035199440' rejected because
>>>>> extension not found in context 'INVALID'.
>>>>> Oct 9 02:58:28 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>>> (44.221.65.188:5060) to extension '900442035199440' rejected because
>>>>> extension not found in context 'INVALID'.
>>>>> Oct 9 02:58:30 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>>> (69.178.122.254:5060) to extension '9000442035199440' rejected
>>>>> because extension not found in context 'INVALID'.
>>>>> Oct 9 02:58:31 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>>> (80.220.25.136:5060) to extension '+900442035199439' rejected
>>>>> because extension not found in context 'INVALID'.
>>>>> Oct 9 02:58:32 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>>> (125.199.62.179:5060) to extension '*442035199439' rejected because
>>>>> extension not found in context 'INVALID'.
>>>>> Oct 9 02:58:33 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>>> (118.29.80.113:5060) to extension '+442035199439' rejected because
>>>>> extension not found in context 'INVALID'.
>>>>> Oct 9 02:58:37 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>>> (50.73.196.71:5060) to extension '+011442035199439' rejected because
>>>>> extension not found in context 'INVALID'.
>>>>> Oct 9 02:58:39 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>>> (112.228.186.231:5060) to extension '+9011442035199440' rejected
>>>>> because extension not found in context 'INVALID'.
>>>>> Oct 9 02:58:41 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>>> (121.131.152.7:5060) to extension '+0011442035199439' rejected
>>>>> because extension not found in context 'INVALID'.
>>>>> Oct 9 02:58:45 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>>> (58.248.230.53:5060) to extension '4011442035199440' rejected
>>>>> because extension not found in context 'INVALID'.
>>>>> Oct 9 02:58:46 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>>> (126.139.168.191:5060) to extension '5011442035199439' rejected
>>>>> because extension not found in context 'INVALID'.
>>>>> Oct 9 02:58:47 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>>> (44.81.91.190:5060) to extension '6011442035199440' rejected because
>>>>> extension not found in context 'INVALID'.
>>>>> Oct 9 02:58:49 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>>> (41.213.16.40:5060) to extension '8011442035199440' rejected because
>>>>> extension not found in context 'INVALID'.
>>>>> Oct 9 02:58:52 pbx local0.notice asterisk[29752]: NOTICE[29780]:
>>>>> chan_sip.c:22109 in handle_request_invite: Call from ''
>>>>> (115.194.189.56:5060) to extension '442035199439' rejected because
>>>>> extension not found in context 'INVALID'.
>>>>>
>>>>>
>>>>> interesting that within seconds, I got a bunch of attacks for the
>>>>> same groups of numbers, from machines in multiple different countries.
>>>>>
>>>>> My conclusion is that SIP is now one of the attack surfaces of
>>>>> botnets, and not just lone hackers looking for free phone service.
>>>>>
>>>>> Anyone else seeing this?
>>>>
>>>> Is this a development question? If not, please move it to
>>>> asterisk-users, where the population of people that will see it and
>>>> could respond will also be substantially higher.
>>>
>>> Well, I was just wondering if it means that we'll need to add more
>>> access controls, revisit logging, maybe add a rate-limiting mechanism
>>> for unconfigured/unauthenticated connections, etc.
>>
>> If that's what you were asking, you did a good job of hiding it in your
>> original post :-)
>>
>> It's unlikely that any changes will be necessary in Asterisk to allow
>> you to deal with this sort of attack; as you can see, Asterisk is
>> already logging the attempts. There are existing tools (fail2ban and
>> others) than can be used to watch the Asterisk logs and take action
>> based on policies you define.
>>
>> As we've said on this list (and asterisk-users) before, Asterisk is not
>> a firewall, just like Apache HTTPD is not a firewall, Postfix is not a
>> firewall, and lots of other applications are not firewalls. The
>> applications can tell you about the activities that are occurring;
>> deciding whether they are worthy of mitigation is up to you, using some
>> tool(s) outside of the application.
>>
> Well said! I am contently surprised how many people will not firewall
> their asterisk boxes. 99% of the time this will prevent a SIP or <insert
> protocol of choice> attack.
>
s/contently/consistently/

>> In this particular case, taking any action at all is going to be tough,
>> as it appears that each of these call attempts was made (or spoofed)
>> from a different source IP.
>>
>

-- 
Paul Belanger
Digium, Inc. | Software Developer
twitter: pabelanger | IRC: pabelanger (Freenode)
Check us out at: http://digium.com & http://asterisk.org

More information about the asterisk-dev mailing list