[asterisk-users] Paltel subscribers as called parties for SIP attacks

Philip Prindeville philipp_subx at redfish-solutions.com
Tue Aug 6 18:57:41 CDT 2013


On Aug 6, 2013, at 2:59 PM, Chris Bagnall <asterisk at lists.minotaur.cc> wrote:

> FWIW, we routinely see dodgy traffic from:
>> ovh.net
>> hetzner.de
> 
> But since those are 2 of the larger short-term contract dedicated server vendors, I'm not surprised about that. It's so frequent that I don't even bother reporting it any more - when an abuse report is acted upon and the server shut down, another pops up to take its place.
> 
>> all going to 972-59-* numbers (i.e. Paltel/Jawal mobile customers).
> 
> Likewise here. Well, not all, but a sizeable percentage of it. We're based in the UK.
> 
>> Why would an internet subscriber from hadara.ps, for instance, want to call a Paltel mobile user via some remotely hacked SIP PBX thousands of miles away given that Paltel is partially owned by Hadara Technology Investment Co. (and Paltel leases long-haul infrastructure from Hadara anyway)?
> 
> Are you perhaps reading too much into it? There are insecure servers and computers all over the internet. These are (ab)used and co-opted into botnets which are in turn used to compromise SIP servers. I suspect that it's probably a financial goal (free calls, or substantial termination payouts) rather than a political goal the perpetrators are seeking.


Assuming that were true, then the financial goal would be uniformly distributed since other countries would have subscribers motivated by the same set of conditions. But the high concentration of requests going to a specific region means that there's another factor at play.

And it's axiomatic in intelligence that "there are no coincidences". ;-)


> 
>> I'd be curious to know what everyone else's experiences have been like, and why 95% or better of the SIP attacks on my PBX are destined for Paltel mobile subscribers.
> 
> Perhaps the termination payout on those numbers is particularly good, and/or regulation/investigation into abuse isn't so good?
> 
> Kind regards,
> 
> Chris

Ok, let's say it's higher than any other country. Then what?

Once the art of hacking PBXs for free calls is perfected, shouldn't it trickle down into other markets where the reward is less, but someone else has already done the hard part for you?

That 4 years later the overwhelming majority of calls continue to be destined to Paltel indicates that there are motivators unique to this region.

-Philip
