[asterisk-users] PBX hacked: why hundred of calls to the same number ?
Rainer Piper
rainer.piper at soho-piper.de
Fri Oct 3 13:15:32 CDT 2014
Hi Chris,
yes ... it is boring ...
I stop posting ...
;-)
On 03.10.2014 at 20:11, Chris Bagnall wrote:
> On 3/10/14 6:52 pm, Rainer Piper wrote:
>> the attacking server changed the destination Number at 18:53 CEST and
>> he is still blocked ... LOL
>> 972597438354 <callto:00972597438354>
>
> It's pretty much an everyday occurrence for any internet-connected SIP
> system these days...
>
>> Oct 3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=100972597438354
>
> Many of these attacks come from fairly easily recognised user-agent
> strings, so if you fancy doing a bit of packet inspection with your
> firewall, you can block many of these before they get as far as your
> SIP server(s) themselves.
>
> For example, the sipcli scans you listed above can be blocked fairly
> easily with:
> iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string "sipcli" -j DROP
>
> (obviously there are overheads to string searching UDP/5060 packets
> that you'll want to consider, and the above won't work if you're using
> sipcli legitimately anywhere on your network)
>
> Kind regards,
>
> Chris
--
*Rainer Piper*
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer at sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer at xmpp.soho-piper.de
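
The iptables rule quoted above matches "sipcli" anywhere in the packet. As an added example (not part of either post, and not Kamailio or Asterisk code), the Python below compares that payload-wide match with a check of the parsed User-Agent header on two constructed INVITEs. The function names, the ExamplePhone agent, the sipcli-test user and the example.com / 192.0.2.x / 198.51.100.x addresses are assumptions made for the illustration.

```python
# Added example, not code from the thread.
BLOCKED_UA_PREFIXES = ("sipcli",)  # the user-agent named in the thread

def user_agent(payload: bytes):
    """Return the User-Agent value of a SIP message, or None if absent."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":  # names are case-insensitive
            return value.strip()
    return None

def header_match(payload: bytes) -> bool:
    """Block only when the User-Agent header starts with a listed prefix."""
    ua = user_agent(payload)
    return ua is not None and ua.lower().startswith(BLOCKED_UA_PREFIXES)

def payload_match(payload: bytes) -> bool:
    """Model of the string match: byte search across the whole payload."""
    return b"sipcli" in payload

def build_invite(ua: str, from_user: str) -> bytes:
    """Constructed sample INVITE using documentation addresses."""
    return (
        "INVITE sip:100@192.0.2.10 SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKconstructed\r\n"
        f"From: <sip:{from_user}@example.com>;tag=1\r\n"
        "To: <sip:100@192.0.2.10>\r\n"
        "Call-ID: constructed-1@198.51.100.7\r\n"
        "CSeq: 1 INVITE\r\n"
        f"User-Agent: {ua}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode()

SCANNER = build_invite("sipcli/v1.8", "100")             # UA string from the log line
LEGIT = build_invite("ExamplePhone/1.0", "sipcli-test")  # hypothetical phone and user

if __name__ == "__main__":
    for label, pkt in (("scanner", SCANNER), ("legit", LEGIT)):
        print(label, "payload_match:", payload_match(pkt),
              "header_match:", header_match(pkt))
```

The second packet is dropped by the payload-wide match only because the string appears in its From URI, while the header check lets it through.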