[asterisk-users] SIP invite timeouts : how is someone sending invites from our server ??

Dovid Bender dovid at telecurve.com
Sat Dec 30 19:18:33 CST 2017


Script kiddies trying to find vulnerable systems that they can make calls
on. Lock down the box with iptables and use fail2ban to block them. The Via
is probably bogus unless a box at the DoD was compromised.



On Sat, Dec 30, 2017 at 6:49 PM, sean darcy <seandarcy2 at gmail.com> wrote:

> I've been getting a lot of timeouts on non-critical invite transactions. I
> turned on sip debug. They were the result of SIP invites like this:
>
> Retransmitting #10 (NAT) to 185.107.94.10:13057:
> SIP/2.0 401 Unauthorized
> Via: SIP/2.0/UDP 215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p;received=185.107.94.10;rport=13057
> From: <sip:a'or'3=3--@<myip-address>;transport=UDP>;tag=fptfih1e
> To: <sip:00141225184741@<myip-address>;transport=UDP>;tag=as2913c67b
> Call-ID: 5YpLDUSIs6l3xbDXsurYTu..
> CSeq: 1 INVITE
> Server: Asterisk PBX 13.19.0-rc1
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
> Supported: replaces, timer
> WWW-Authenticate: Digest algorithm=MD5, realm="asterisk_home", nonce="14be1363"
> Content-Length: 0
>
> ---
>  WARNING[1868]: chan_sip.c:4065 retrans_pkt: Retransmission timeout reached on transmission 5YpLDUSIs6l3xbDXsurYTu.. for seqno 1 (Non-critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
> Packet timed out after 32000ms with no response
>  WARNING[1868]: chan_sip.c:4124 retrans_pkt: Timeout on 5YpLDUSIs6l3xbDXsurYTu.. on non-critical invite transaction.
>
> Looking up the ip addresses :
>
> whois 185.107.94.10
> .............
> inetnum:        185.107.94.0 - 185.107.94.255
> netname:        NFORCE_ENTERTAINMENT
> descr:          Serverhosting
> ..................
> organisation:   ORG-NE3-RIPE
> org-name:       NForce Entertainment B.V.
> org-type:       LIR
> address:        Postbus 1142
> address:        4700BC
> address:        Roosendaal
> address:        NETHERLANDS
> phone:          +31206919299
> ...................
>
> whois 215.45.145.211
> .................
> NetRange:       215.0.0.0 - 215.255.255.255
> CIDR:           215.0.0.0/8
> NetName:        DNIC-NET-215
> NetHandle:      NET-215-0-0-0-1
> Parent:          ()
> NetType:        Direct Assignment
> OriginAS:
> Organization:   DoD Network Information Center (DNIC)
> RegDate:        1998-06-04
> Updated:        2011-06-21
> Ref:            https://whois.arin.net/rest/net/NET-215-0-0-0-1
>
>
>
> OrgName:        DoD Network Information Center
> OrgId:          DNIC
> Address:        3990 E. Broad Street
> City:           Columbus
> StateProv:      OH
>
> So how is someone on a Dutch ISP using my server to mess with a US DoD ip
> address ?
>
>
>
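The reply's point is that the Via host is whatever the sender chose to write, while the `received=` and `rport=` parameters Asterisk appends to the Via reflect the UDP packet that actually arrived. The following script is an added example, not code from the thread or from the Asterisk project: it parses 401 responses out of chan_sip debug output, separates the claimed Via host from the real source address, flags the mismatch, and counts failed authentications per real source the way a fail2ban-style filter would before blocking. The log text is constructed from the headers quoted above, with 192.0.2.10 standing in for the poster's own address and two further constructed messages added to show a repeat offender and a legitimate (non-spoofed) peer.

```python
"""Added example (not from the mailing-list thread or the Asterisk project):
find the real source of a SIP request from Via received=/rport= and count
failed-auth responses per real source, fail2ban style."""
import re
from collections import Counter

# Constructed sample of chan_sip debug output, modelled on the quoted post.
# 192.0.2.10 stands in for the server's own address.
SAMPLE_LOG = """\
Retransmitting #10 (NAT) to 185.107.94.10:13057:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p;received=185.107.94.10;rport=13057
From: <sip:a'or'3=3--@192.0.2.10;transport=UDP>;tag=fptfih1e
To: <sip:00141225184741@192.0.2.10;transport=UDP>;tag=as2913c67b
Call-ID: 5YpLDUSIs6l3xbDXsurYTu..
CSeq: 1 INVITE

Retransmitting #1 (NAT) to 185.107.94.10:13058:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.20.30.40:5060;branch=z9hG4bK-1;received=185.107.94.10;rport=13058
From: <sip:1001@192.0.2.10>;tag=abc
To: <sip:00141225184742@192.0.2.10>;tag=as1
Call-ID: second-call
CSeq: 1 INVITE

Retransmitting #1 (NAT) to 198.51.100.7:5060:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-2;received=198.51.100.7;rport=5060
From: <sip:1001@192.0.2.10>;tag=def
To: <sip:1002@192.0.2.10>;tag=as2
Call-ID: third-call
CSeq: 1 INVITE
"""


def parse_via(via_line):
    """Return (claimed_host, actual_ip, actual_port) for one Via header.

    The host before the first ';' is whatever the sender wrote.  received=
    and rport= are added by the receiving server (RFC 3581) from the UDP
    datagram itself, so they are the values to trust and to block on."""
    m = re.match(r"Via:\s*SIP/2\.0/\w+\s+([^\s;]+)(.*)", via_line)
    if not m:
        return None
    hostport, rest = m.groups()
    if ":" in hostport:
        claimed_host, claimed_port = hostport.rsplit(":", 1)
    else:
        claimed_host, claimed_port = hostport, "5060"
    params = {}
    for p in rest.split(";")[1:]:
        k, _, v = p.strip().partition("=")
        params[k] = v
    actual_ip = params.get("received") or claimed_host
    actual_port = int(params.get("rport") or claimed_port)
    return claimed_host, actual_ip, actual_port


def parse_failed_auths(log):
    """Return one record per 401 response found in chan_sip debug output."""
    records = []
    for msg in re.split(r"\n\s*\n", log.strip()):
        lines = msg.splitlines()
        if not any(l.startswith("SIP/2.0 401") for l in lines):
            continue
        rec = {"from_user": "", "call_id": ""}
        for l in lines:
            if l.startswith("Via:"):
                rec["claimed_host"], rec["source_ip"], rec["source_port"] = parse_via(l)
            elif l.startswith("From:"):
                fm = re.search(r"sip:([^@]*)@", l)
                rec["from_user"] = fm.group(1) if fm else ""
            elif l.startswith("Call-ID:"):
                rec["call_id"] = l.split(":", 1)[1].strip()
        # A Via host that differs from the packet source is the "bogus Via" case.
        rec["via_spoofed"] = rec["claimed_host"] != rec["source_ip"]
        records.append(rec)
    return records


def offenders(records, threshold=2):
    """Real source addresses with at least `threshold` failed auths,
    i.e. what a fail2ban jail would hand to iptables."""
    counts = Counter(r["source_ip"] for r in records)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_failed_auths(SAMPLE_LOG)
    for r in recs:
        print(f"{r['call_id']}: Via claims {r['claimed_host']}, "
              f"packet came from {r['source_ip']}:{r['source_port']}, "
              f"spoofed={r['via_spoofed']}, From user={r['from_user']!r}")
    print("block candidates:", offenders(recs))
```

Run as-is it reports the first message as coming from 185.107.94.10 despite the 215.x Via host, which is the answer to the poster's question: the DoD address never sent anything, it is just text in a header. Keying the block list on `source_ip` rather than on the Via host is what keeps a scanner from getting an innocent third party firewalled off your PBX.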