[asterisk-users] Numbers hackers call

Eric Wieling EWieling at nyigc.com
Thu Mar 27 13:36:37 CDT 2014

I have an iptables file which blocks all traffic except traffic from networks allocated by ARIN or are Legacy networks.   I pulled the information from http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml  

My iptables script can be found at the link below. 

It might be helpful to someone.

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Stefan Gofferje
Sent: Thursday, March 27, 2014 2:13 PM
To: asterisk-users at lists.digium.com
Subject: Re: [asterisk-users] Numbers hackers call

On 03/26/2014 05:05 PM, Michelle Dupuis wrote:
> I see a lot of attempts by hackers to call 00972595301123​ or 
> 011972595115207​ or variations but that same 972595 is often present.
> Can someone break down that dial string with an explanation?  The 011 
> look like an overseas call (from Americas), while the 972595XXXXXX is 
> unclear...

Those lame hacking attempts aren't the big issue - unless you have an insecure SIP-PBX. Germany just got hit with a wave of hacks of Fritz!Box home routers with integrated SIP, causing hundreds of thousands in damage.
The big issue is that the ISPs worldwide don't give a crap about complaints! And that's not only some backwater-ISPs in some 3rd world countries! It's mainly the big names, like Hetzner, L3, etc. who - oh well, yeah - send you an autoreply but in the end don't bother doing anything.
Just recently was an article, again in a German IT-newsticker, about Hetzner's "abuse handling". They just forward the complaint to their customer, including full contact data - which is pretty much illegal (privacy protection, etc.) - but they don't follow up.

I got so fed up that I now put the top 20 of attacking IPs to my website...

Current top 5:
1. iWeb (Canada)
2. Level 3 (USA)
3. Dacom (S-Korea)
4. Intergenia (Germany)
5. OVH (France)

See http://stefan.gofferje.net/it-stuff/sipfraud

Really, if everybody would run statistics on attacks and publish them, those ISPs would pretty quickly not only start reacting to fouled servers but probably start monitoring proactively because being in the top 20 of attacker-IPs ain't good for their reputation...


 (o_   Stefan Gofferje            | SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167   | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface

More information about the asterisk-users mailing list