[asterisk-users] My Switch is being attacked using sip scanner tool (Service Abuse Attack)
Gareth Blades
list-asterisk at skycomuk.com
Thu Jul 22 05:39:25 CDT 2010
Have a look at fail2ban
mosbah abdelkader wrote:
> An attacker is scanning my Asterisk Switch to gain illegitimate access
> to VoIP call functionality.
>
>
> Using a sip scanning tool, *it* sends REGISTERs with random identities.
> And when it discovers one identity subscribed in my switch, it tries to
> authenticate with random passwords using this user name.
>
>
> For the moment, I have replaced this account. And also blocked the IP it
> has used but each time it tries to use another IP to scan again.
>
>
> Following is a sample REGISTER request sent by it to my switch (I have
> hidden some info).
>
>
> REGISTER sip:xx.xx.xx.xx SIP/2.0
> *Via: SIP/2.0/UDP 127.0.1.1:5061;branch=xxxxxxxxx**-xxxxxxxxx**;rport*
> Content-Length: 0
> From: "xxxxxxxxx" <sip:xxxxxxxxx at xx.xx.xx.xx>
> Accept: application/sdp
> *User-Agent: friendly-scanner*
> To: "xxxxxxxxx" <sip:xxxxxxxxx at xx.xx.xx.xx>
> *Contact: sip:123 at 1.1.1.1*
> CSeq: 1 REGISTER
> Call-ID: 4244603463
> Max-Forwards: 70
>
>
>
>
> Please help me resolve this problem.
>
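The scan described in the quoted message can be recognised from captured traffic, shown here as an added example that is not part of either post: it flags source IPs whose REGISTERs carry the `friendly-scanner` User-Agent or that try many distinct identities. The source address is taken from the packet rather than the SIP headers, since the Via in the quoted request shows 127.0.1.1. The function names, the threshold of 3 and the sample addresses are assumptions.

```python
from collections import defaultdict

SCANNER_AGENTS = ("friendly-scanner",)  # User-Agent from the REGISTER quoted above
MAX_IDENTITIES = 3  # assumed threshold: distinct From users allowed per source IP

def parse_sip(raw):
    """Return (method, headers) of a raw SIP request; header names lowercased."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers

def from_user(headers):
    """User part of the From URI: '"100" <sip:100@host>' -> '100'."""
    _, found, rest = headers.get("from", "").partition("sip:")
    user, at, _ = rest.partition("@")
    return user if found and at else None

def ban_candidates(packets):
    """packets: iterable of (source_ip, raw_sip). Returns {source_ip: reason}."""
    identities, flagged = defaultdict(set), {}
    for src, raw in packets:
        method, headers = parse_sip(raw)
        if method != "REGISTER":
            continue
        agent = headers.get("user-agent", "").lower()
        if any(sig in agent for sig in SCANNER_AGENTS):
            flagged[src] = "scanner user-agent"
            continue
        user = from_user(headers)
        if user:
            identities[src].add(user)
        if len(identities[src]) > MAX_IDENTITIES:
            flagged.setdefault(src, "identity enumeration")
    return flagged

def register(user, agent):
    """Build a constructed REGISTER for the sample below (not real traffic)."""
    return (f"REGISTER sip:192.0.2.1 SIP/2.0\r\nFrom: \"{user}\" <sip:{user}@192.0.2.1>\r\n"
            f"User-Agent: {agent}\r\nCSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n")

# Constructed sample: (source IP from the packet capture, raw SIP message)
SAMPLE = ([("198.51.100.7", register("100", "friendly-scanner"))]
          + [("203.0.113.9", register(str(u), "softphone")) for u in range(200, 205)]
          + [("192.0.2.20", register("alice", "softphone"))] * 2)

if __name__ == "__main__":
    print(ban_candidates(SAMPLE))
```

The User-Agent match is trivially evaded by changing the header, so the per-source identity count is the check that keeps working when the signature does not.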