[asterisk-users] SIP fraud IP blacklist

Stefan Gofferje lists at home.gofferje.net
Fri Apr 11 13:10:09 CDT 2014


in case, anyone is interested...
I have started compiling a blacklist of hosts and networks from which
SIP fraud attempts occur.
My criteria currently are:

To block an IP:
- Minimum 3 attacks within one week from the same IP
To block a network:
- Attacks from minimum 3 IPs from that network within 2 weeks
Common criteria:
- Provider does not react to complaints OR
- Provider sends autoreply but attacks don't stop within a week

Definition of attack:
- Minimum 5 attempts to make an unauthorized phone call to a
non-PBX-internal number OR
- Minimum 10 attempts to make an unauthorized phone call to a
PBX-internal number OR
- Minimum 10 failed authentication attempts

If this happens, the IP gets auto-banned (iptables) for 24 hours and
goes to my watch list. The watch list is the base for my further decisions.

Currently, I don't remove IPs or networks from the list. If I have time
and/or motivation I might create some kind of removal process later -
also, depending on how big the list gets and how many people use it.

The list is yet pretty short but for me, it has reduced the noise on my
PBX from 20-30 attacks per day to about 2 or 3 per week, especially
after most of the Palestinian networks ended up on the list.

You're free to use the list - own your own responsibility and risk. It's
in the ipdeny.com format, so a simple script can be used to CURL the
list and create iptables rules from it. A sample script for something
like that is also on my website (check the Linux section).

That's the website for the list:

And that's the download URL:

Note that the list is updated every 6h so polling it more often doesn't
help anything. Please limit polling to once a day or so.


 (o_   Stefan Gofferje            | SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167   | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4079 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20140411/4b0ffa6d/attachment.bin>

More information about the asterisk-users mailing list