[asterisk-users] Being attacked by an Amazon EC2 ...

Norbert Zawodsky norbert at zawodsky.at
Sun Apr 11 08:33:50 CDT 2010


Hello to everyone!

Same here (Vienna, Austria).

I had this attack yesterday 6am (local time) from IP 216.105.128.63

whois 216.105.128.63 returns:

OrgName:    Globalvision
OrgID:      ACSIN-3
Address:    78 Global Drive
Address:    Suite 101
City:       Greenville
StateProv:  SC
PostalCode: 29607
Country:    US

NetRange:   216.105.128.0 - 216.105.159.255
CIDR:       216.105.128.0/19
NetName:    ACSINC-BLK-1
NetHandle:  NET-216-105-128-0-1
Parent:     NET-216-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.ACSINC.NET
NameServer: NS2.ACSINC.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    1998-10-19
Updated:    2004-12-08

OrgTechHandle: HOSTM560-ARIN
OrgTechName:   Hostmaster
OrgTechPhone:  +1-864-467-1333
OrgTechEmail:  hostmaster at acsinc.net

In my case, the attack started at 05:57:45.

Asterisk: 1.2.12.1

They sent 14.288 Register requests trying some "common" users like
"test,admin,sip,user,123,1234," and so on.
Then they started just counting up from user "0"
(0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,.....) and this way, they found
valid users until 05:59:09, which is 1 minute and 24 seconds, or 170
Registers/second.

After that, they started to send 66.267 registers until 06:24:08 only
with the "found" users with random password combinations. 66.267 reg /
1.499 seconds = 44 regs/second.

A classic "brute force attack". Interesting that the password attacks
came slower than the userid attacks...

At 6:24:23 asterisk obviously crashed because there were no more log
entries. I noticed the incident because my office phone number was not
reachable when I tried in the morning.

My phones (SNOMs) all are on the same LAN within a 192.168.X.X address
range. I wonder if everything would become a little bit more secure if I
defined them with "host=192.168.X.X" in sip.conf instead of
"host=dynamic". I tried it as a quick shot but it didn't work as they
still try to register. Does someone know if this is possible and
where/how to configure it on the snom side?

greetings,
Norbert
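The two phases Norbert describes (walking through usernames until some are found, then guessing passwords against only those) leave a distinct trace in the Asterisk log. The following added example is not part of the post; it parses constructed chan_sip NOTICE lines (the exact wording varies by Asterisk version, so the format is an assumption) and summarises, per source IP, how many attempts hit unknown users versus wrong passwords, so the enumeration-then-guessing pattern can be spotted and the source blocked. All IP addresses and log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed chan_sip format: [Mon DD HH:MM:SS] NOTICE[pid] chan_sip.c: Registration from
# '"user" <sip:user@host>' failed for 'source-ip' - reason
LOG_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'[^<]*<sip:(?P<user>[^@>]+)@[^>]*>' failed for '(?P<ip>[\d.]+)' - (?P<reason>.*)$"
)

# Constructed sample: three unknown users probed, then two guesses against a found user, plus one mistyped password from a LAN phone.
SAMPLE_LOG = """\
[Apr 11 05:57:45] NOTICE[2973] chan_sip.c: Registration from '"test" <sip:test@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[Apr 11 05:57:45] NOTICE[2973] chan_sip.c: Registration from '"admin" <sip:admin@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[Apr 11 05:57:46] NOTICE[2973] chan_sip.c: Registration from '"0" <sip:0@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[Apr 11 05:57:47] NOTICE[2973] chan_sip.c: Registration from '"12" <sip:12@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Apr 11 05:57:48] NOTICE[2973] chan_sip.c: Registration from '"12" <sip:12@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Apr 11 06:10:00] NOTICE[2973] chan_sip.c: Registration from '"12" <sip:12@203.0.113.10>' failed for '192.168.1.20' - Wrong password
"""

def parse_register_failures(lines, year=2010):
    """Return (timestamp, user, source_ip, reason) for each failed REGISTER line."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:  # the log carries no year, so one is supplied by the caller
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"], m["reason"]))
    return events

def summarize_by_source(events):
    """Per source IP: attempts, rate, distinct users, and the two failure kinds.
    Many 'No matching peer found' users = enumeration; 'Wrong password' = guessing."""
    per_ip = defaultdict(list)
    for ev in events:
        per_ip[ev[2]].append(ev)
    summary = {}
    for ip, evs in per_ip.items():
        evs.sort()
        span = max((evs[-1][0] - evs[0][0]).total_seconds(), 1.0)  # avoid division by zero
        reasons = Counter(r for *_, r in evs)
        summary[ip] = {"attempts": len(evs), "rate_per_s": round(len(evs) / span, 2),
                       "distinct_users": len({u for _, u, _, _ in evs}),
                       "enumeration": reasons["No matching peer found"],
                       "wrong_password": reasons["Wrong password"]}
    return summary

def flag_sources(summary, min_attempts=5, min_users=3):
    """Sources that both walked many usernames and kept failing: the pattern in the post."""
    return sorted(ip for ip, s in summary.items()
                  if s["attempts"] >= min_attempts and s["distinct_users"] >= min_users)
```

Thresholds are deliberately low for the six-line sample; on a real log the post's figures (170 and 44 registers per second) suggest a rate threshold would separate the attacker from a phone with a mistyped password just as well.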
