[asterisk-users] Is this a DDoS to reach Asterisk?

Lyle Giese lyle at lcrcomputer.net
Mon Nov 8 21:44:17 CST 2010


Welcome to the Internet!

It's a fact of life when having equipment connected to the Internet. The
script kiddies are always probing and trying.

Lyle

Bruce B wrote:
> And that's the problem. There is no such service running or such port
> is not open. They only keep trying this for no reason. It might cost
> us bandwidth for no reason. In fact there are no open ports on our
> network whatsoever.
>
> Thanks
>
> On Mon, Nov 8, 2010 at 9:50 PM, Lyle Giese <lyle at lcrcomputer.net
> <mailto:lyle at lcrcomputer.net>> wrote:
>
>     Bruce B wrote:
>>     Hi Everyone,
>>
>>     I have pfSense running which supplies Asterisk with DHCP. I had
>>     some testing ports opened for a web server which I have totally
>>     closed now but when I chose option 10 (filter log) on pfSense I
>>     get all of this type of traffic (note that it was only 1 single
>>     IP and once I blocked that one it was like opening a can full of
>>     bees with all different IPs):
>>
>>
>>
>>     tcpdump: WARNING: pflog0: no IPv4 address assigned
>>     tcpdump: verbose output suppressed, use -v or -vv for full
>>     protocol decode
>>     listening on pflog0, link-type PFLOG (OpenBSD pflog file),
>>     capture size 96 bytes
>>     000000 rule 70/0(match): block in on vr1: 221.132.34.165.33556 >
>>     69.90.78.53.52229:  tcp 20 [bad hdr length 0 - too short, < 20]
>>     6. 239658 rule 70/0(match): block in on vr1: 121.207.254.227.6667
>>     > 69.90.78.38.3072:  tcp 24 [bad hdr length 0 - too short, < 20]
>>     7. 986724 rule 70/0(match): block in on vr1: 61.231.237.223.4155
>>     > 69.90.78.62.445:  tcp 28 [bad hdr length 0 - too short, < 20]
>>     2. 867707 rule 70/0(match): block in on vr1: 61.231.237.223.4155
>>     > 69.90.78.62.445:  tcp 28 [bad hdr length 0 - too short, < 20]
>>     2. 799337 rule 70/0(match): block in on vr1: 186.36.73.212.4545 >
>>     69.90.78.56.445:  tcp 28 [bad hdr length 0 - too short, < 20]
>>     2. 931814 rule 70/0(match): block in on vr1: 186.36.73.212.4545 >
>>     69.90.78.56.445:  tcp 28 [bad hdr length 0 - too short, < 20]
>>     1. 574556 rule 70/0(match): block in on vr1: 190.7.59.45.1341 >
>>     69.90.78.43.445:  tcp 28 [bad hdr length 0 - too short, < 20]
>>     2. 956066 rule 70/0(match): block in on vr1: 190.7.59.45.1341 >
>>     69.90.78.43.445:  tcp 28 [bad hdr length 0 - too short, < 20]
>>     1. 598334 rule 70/0(match): block in on vr1: 2.95.19.121.3463 >
>>     69.90.78.42.445:  tcp 20 [bad hdr length 8 - too short, < 20]
>>     072759 rule 70/0(match): block in on vr1: 123.192.177.2.54518 >
>>     69.90.78.43.445:  tcp 20 [bad hdr length 8 - too short, < 20]
>>     109451 rule 70/0(match): block in on vr1: 219.163.19.138.3723 >
>>     69.90.78.63.445:  tcp 28 [bad hdr length 0 - too short, < 20]
>>     2. 731065 rule 70/0(match): block in on vr1: 2.95.19.121.3463 >
>>     69.90.78.42.445:  tcp 16 [bad hdr length 12 - too short, < 20]
>>     159413 rule 70/0(match): block in on vr1: 123.192.177.2.54518 >
>>     69.90.78.43.445:  tcp 20 [bad hdr length 8 - too short, < 20]
>>     374293 rule 70/0(match): block in on vr1: 219.163.19.138.3723 >
>>     69.90.78.63.445:  tcp 16 [bad hdr length 12 - too short, < 20]
>>     10. 234202 rule 70/0(match): block in on vr1: 189.105.69.200.2413
>>     > 69.90.78.52.445:  tcp 20 [bad hdr length 12 - too short, < 20]
>>     2. 985558 rule 70/0(match): block in on vr1: 189.105.69.200.2413
>>     > 69.90.78.52.445:  tcp 20 [bad hdr length 12 - too short, < 20]
>>     13. 236084 rule 70/0(match): block in on vr1: 82.51.36.230.2923 >
>>     69.90.78.35.445:  tcp 16 [bad hdr length 12 - too short, < 20]
>>     2. 982122 rule 70/0(match): block in on vr1: 82.51.36.230.2923 >
>>     69.90.78.35.445:  tcp 16 [bad hdr length 12 - too short, < 20]
>>     18. 493312 rule 70/0(match): block in on vr1: 218.16.118.242.80 >
>>     69.90.78.47.39781:  tcp 16 [bad hdr length 12 - too short, < 20]
>>     2. 477084 rule 70/0(match): block in on vr1: 218.16.118.242.80 >
>>     69.90.78.47.39781:  tcp 16 [bad hdr length 12 - too short, < 20]
>>     9. 777792 rule 70/0(match): block in on vr1: 121.243.16.214.1677
>>     > 69.90.78.54.445:  tcp 16 [bad hdr length 12 - too short, < 20]
>>     1. 216002 rule 70/0(match): block in on vr1: 172.168.0.4.1568 >
>>     69.90.78.49.445: [|tcp]
>>     321600 rule 70/0(match): block in on vr1: 72.179.18.165.2854 >
>>     69.90.78.55.445:  tcp 20 [bad hdr length 8 - too short, < 20]
>>     1. 383839 rule 70/0(match): block in on vr1: 121.243.16.214.1677
>>     > 69.90.78.54.445: [|tcp]
>>     1. 466115 rule 70/0(match): block in on vr1: 72.179.18.165.2854 >
>>     69.90.78.55.445: [|tcp]
>>     7. 977140 rule 70/0(match): block in on vr1: 41.72.209.67.4532 >
>>     69.90.78.36.445: [|tcp]
>>     2. 920013 rule 70/0(match): block in on vr1: 41.72.209.67.4532 >
>>     69.90.78.36.445: [|tcp]
>>     29. 032839 rule 70/0(match): block in on vr1: 201.168.49.13.1404
>>     > 69.90.78.55.445: [|tcp]
>>     2. 996906 rule 70/0(match): block in on vr1: 201.168.49.13.1404 >
>>     69.90.78.55.445: [|tcp]
>>     62. 079279 rule 70/0(match): block in on vr1: 82.165.131.28.6005
>>     > 69.90.78.47.1024: [|tcp]
>>     34. 224871 rule 67/0(match): block in on vr1: 77.34.234.241.1899
>>     > 69.90.78.43.445: [|tcp]
>>     3. 006367 rule 67/0(match): block in on vr1: 77.34.234.241.1899 >
>>     69.90.78.43.445: [|tcp]
>>     20. 274886 rule 67/0(match): block in on vr1: 66.211.120.62.1132
>>     > 69.90.78.55.445: [|tcp]
>>     2. 893859 rule 67/0(match): block in on vr1: 66.211.120.62.1132 >
>>     69.90.78.55.445: [|tcp]
>>     28. 739620 rule 67/0(match): block in on vr1:
>>     117.197.247.151.1042 > 69.90.78.55.445: [|tcp]
>>     2. 936286 rule 67/0(match): block in on vr1: 117.197.247.151.1042
>>     > 69.90.78.55.445: [|tcp]
>>     1. 207250 rule 67/0(match): block in on vr1:
>>     118.171.176.188.42965 > 69.90.78.43.445: [|tcp]
>>     3. 015370 rule 67/0(match): block in on vr1:
>>     118.171.176.188.42965 > 69.90.78.43.445: [|tcp]
>>     7. 088359 rule 67/0(match): block in on vr1: 61.130.103.10 >
>>     69.90.78.42 <http://69.90.78.42>: [|icmp]
>>     11. 825521 rule 67/0(match): block in on vr1: 71.100.221.211.4521
>>     > 69.90.78.33.445: [|tcp]
>>     2. 316564 rule 67/0(match): block in on vr1: 61.130.103.10 >
>>     69.90.78.42 <http://69.90.78.42>: [|icmp]
>>     626845 rule 67/0(match): block in on vr1: 71.100.221.211.4521 >
>>     69.90.78.33.445:  tcp 20 [bad hdr length 8 - too short, < 20]
>>     5. 041794 rule 67/0(match): block in on vr1: 95.224.51.107.1378 >
>>     69.90.78.48.1434: UDP, length 376
>>     8. 978999 rule 67/0(match): block in on vr1: 221.132.34.165.33556
>>     > 69.90.78.53.52229: [|tcp]
>>     8. 067764 rule 67/0(match): block in on vr1: 117.22.229.187.2882
>>     > 69.90.78.36.1434: UDP, length 376
>>     7. 936396 rule 67/0(match): block in on vr1: 117.211.83.182.1919
>>     > 69.90.78.59.445: [|tcp]
>>     2. 890145 rule 67/0(match): block in on vr1: 117.211.83.182.1919
>>     > 69.90.78.59.445: [|tcp]
>>     4. 611658 rule 67/0(match): block in on vr1: 61.32.84.165.2561 >
>>     69.90.78.43.445: [|tcp]
>>     007399 rule 67/0(match): block in on vr1: 69.39.235.5.5060 >
>>     69.90.78.40.5060: SIP, length: 403
>>     2. 932101 rule 67/0(match): block in on vr1: 61.32.84.165.2561 >
>>     69.90.78.43.445: [|tcp]
>>     14. 157570 rule 67/0(match): block in on vr1: 83.239.20.74.3191 >
>>     69.90.78.54.445: [|tcp]
>>     2. 229645 rule 67/0(match): block in on vr1: 75.97.10.248.2556 >
>>     69.90.78.54.445: [|tcp]
>>     773124 rule 67/0(match): block in on vr1: 83.239.20.74.3191 >
>>     69.90.78.54.445: [|tcp]
>>     2. 102083 rule 67/0(match): block in on vr1: 75.97.10.248.2556 >
>>     69.90.78.54.445: [|tcp]
>>     6. 378646 rule 67/0(match): block in on vr1: 114.42.222.45.31689
>>     > 69.90.78.39.445: [|tcp]
>>     2. 950717 rule 67/0(match): block in on vr1: 114.42.222.45.31689
>>     > 69.90.78.39.445: [|tcp]
>>     6. 111112 rule 67/0(match): block in on vr1: 186.122.147.6.32221
>>     > 69.90.78.45.445: [|tcp]
>>     3. 608465 rule 67/0(match): block in on vr1: 186.122.147.6.32221
>>     > 69.90.78.45.445: [|tcp]
>>
>>
>>     Thanks,
>>
>     Always in cases like this find out what service might be
>     targeted.  What's on tcp port 445?  Microsoft-Directory Services
>
>     Enough said.  The script kiddies have a new tool to play with to
>     break into Microsoft based systems...
>
>     Lyle
>
>
>     --
>     _____________________________________________________________________
>     -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>     New to Asterisk? Join us for a live introductory webinar every Thurs:
>                   http://www.asterisk.org/hello
>
>     asterisk-users mailing list
>     To UNSUBSCRIBE or update options visit:
>       http://lists.digium.com/mailman/listinfo/asterisk-users
>
>
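One way to act on Lyle's advice ("find out what service might be targeted") without eyeballing the log: the script below, added here as an example and not code from the thread, from pfSense or from tcpdump, parses lines in the pflog format shown above, tallies blocked packets per destination service and per source address, and applies a simple heuristic to separate diffuse background scanning (many sources, a packet or two each, aimed at well-known service ports) from a single source dominating the log. The sample log lines are constructed with RFC 5737 documentation addresses, and the service-name table and the `flood_threshold` value are assumptions, not anything from the original post.

```python
"""Summarise pfSense filter-log lines (tcpdump on pflog0) by targeted service.

Added example, not from the original thread. SAMPLE_LOG is constructed with
documentation addresses in the same layout pfSense prints.
"""
import re
from collections import Counter, defaultdict

# Small local table of well-known ports (assumption: a real tool would use
# /etc/services or the IANA registry instead).
SERVICE_NAMES = {
    "tcp/445": "microsoft-ds (SMB)",
    "tcp/80": "http",
    "tcp/6667": "irc",
    "udp/1434": "ms-sql-m",
    "udp/5060": "sip",
}

# Mail clients wrap bare IPs in <http://...>; strip that residue before parsing.
_LINK_RE = re.compile(r"\s*<http://[^>]*>")

# rule N/M(match): block in on IFACE: SRC[.SPORT] > DST[.DPORT]: REST
_LINE_RE = re.compile(
    r"rule (?P<rule>\d+/\d+)\(match\): (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)

SAMPLE_LOG = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
000000 rule 70/0(match): block in on vr1: 203.0.113.10.4155 > 198.51.100.62.445:  tcp 28 [bad hdr length 0 - too short, < 20]
2.867707 rule 70/0(match): block in on vr1: 203.0.113.10.4155 > 198.51.100.62.445:  tcp 28 [bad hdr length 0 - too short, < 20]
1.574556 rule 70/0(match): block in on vr1: 203.0.113.45.1341 > 198.51.100.43.445: [|tcp]
5.041794 rule 67/0(match): block in on vr1: 203.0.113.107.1378 > 198.51.100.48.1434: UDP, length 376
7.088359 rule 67/0(match): block in on vr1: 203.0.113.200 > 198.51.100.42 <http://198.51.100.42>: [|icmp]
0.007399 rule 67/0(match): block in on vr1: 203.0.113.5.5060 > 198.51.100.40.5060: SIP, length: 403
2.477084 rule 70/0(match): block in on vr1: 203.0.113.242.80 > 198.51.100.47.39781: [|tcp]
"""


def parse_pflog_line(line):
    """Return a dict for one pflog record, or None for header/unrelated lines."""
    m = _LINE_RE.search(_LINK_RE.sub("", line))
    if not m:
        return None
    rest = m.group("rest").lower()
    if "icmp" in rest:
        proto = "icmp"
    elif rest.startswith("udp") or rest.startswith("sip"):
        proto = "udp"  # tcpdump decodes 5060/udp payloads as "SIP, length: N"
    else:
        proto = "tcp"
    return {
        "rule": m.group("rule"),
        "action": m.group("action"),
        "iface": m.group("iface"),
        "src": m.group("src"),
        "sport": int(m.group("sport")) if m.group("sport") else None,
        "dst": m.group("dst"),
        "dport": int(m.group("dport")) if m.group("dport") else None,
        "proto": proto,
        # 96-byte snaplen and bogus header lengths both show up as truncated decodes
        "truncated": "[|" in rest or "too short" in rest,
    }


def summarise(lines):
    """Aggregate records by targeted service (proto/port) and by source address."""
    by_service = Counter()
    sources_per_service = defaultdict(set)
    by_source = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        key = rec["proto"] if rec["dport"] is None else f"{rec['proto']}/{rec['dport']}"
        by_service[key] += 1
        sources_per_service[key].add(rec["src"])
        by_source[rec["src"]] += 1
    return {
        "by_service": dict(by_service),
        "unique_sources": {k: len(v) for k, v in sources_per_service.items()},
        "by_source": dict(by_source),
    }


def report(summary):
    """Render the per-service table, busiest service first."""
    rows = []
    for key, n in sorted(summary["by_service"].items(), key=lambda kv: -kv[1]):
        name = SERVICE_NAMES.get(key, "unknown")
        rows.append(f"{key:<10} {name:<20} packets={n:<4} sources={summary['unique_sources'][key]}")
    return "\n".join(rows)


def classify(summary, flood_threshold=50):
    """Heuristic (threshold is an assumption): many sources with a few packets
    each is background scanning; one source dominating the log is worth a look."""
    if not summary["by_source"]:
        return "no records"
    top_src, top_count = max(summary["by_source"].items(), key=lambda kv: kv[1])
    total = sum(summary["by_source"].values())
    if top_count >= flood_threshold or (total >= 20 and top_count > total / 2):
        return f"investigate: {top_src} accounts for {top_count}/{total} blocked packets"
    return "background scanning: no single source dominates"


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG.splitlines())
    print(report(s))
    print(classify(s))
```

Run it against a saved filter log (`tcpdump -n -e -ttt -i pflog0 > blocked.log`, then feed the file's lines to `summarise`) and the per-service table answers the thread's question directly: a log dominated by tcp/445 and udp/1434 from dozens of unrelated addresses is the ordinary scanning noise Lyle describes, whereas a single source near the threshold is the case to chase.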
