[asterisk-users] Paltel subscribers as called parties for SIP attacks
Chris Bagnall
asterisk at lists.minotaur.cc
Tue Aug 6 15:59:00 CDT 2013
FWIW, we routinely see dodgy traffic from:
> ovh.net
> hetzner.de
But since those are 2 of the larger short-term contract dedicated server
vendors, I'm not surprised about that. It's so frequent that I don't
even bother reporting it any more - when an abuse report is acted upon
and the server shut down, another pops up to take its place.
> all going to 972-59-* numbers (i.e. Paltel/Jawal mobile customers).
Likewise here. Well, not all, but a sizeable percentage of it. We're
based in the UK.
> Why would an internet subscriber from hadara.ps, for instance, want to call a Paltel mobile user via some remotely hacked SIP PBX thousands of miles away given that Paltel is partially owned by Hadara Technology Investment Co. (and Paltel leases long-haul infrastructure from Hadara anyway)?
Are you perhaps reading too much into it? There are insecure servers and
computers all over the internet. These are (ab)used and co-opted into
botnets which are in turn used to compromise SIP servers. I suspect that
it's probably a financial goal (free calls, or substantial termination
payouts) rather than a political goal the perpetrators are seeking.
> I'd be curious to know what everyone else's experiences have been like, and why 95% or better of the SIP attacks on my PBX are destined for Paltel mobile subscribers.
Perhaps the termination payout on those numbers is particularly good,
and/or regulation/investigation into abuse isn't so good?
Kind regards,
Chris
--
This email is made from 100% recycled electrons