[asterisk-users] Decoding SIP register hack

[sean darcy]

On 05/17/2018 04:47 PM, Daniel Tryba wrote:
> On Thu, May 17, 2018 at 12:27:17PM -0400, sean darcy wrote:
>>> 		WARNING.* .*: fail2ban='<HOST>'
>>>
>>> # Option:  ignoreregex
>>> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
>>> # Values:  TEXT
>>> #
>>> ignoreregex =
>>>
>>>
>> Thanks. Very useful as a tutorial for fail2ban.
>>
>> But I don't think it covers this SIP hack. This guy isn't trying to
>> register.
> 
> His filter doesn't only trigger on REGISTERs, see the last line of the
> matches and the context for guests (which logs the pattern of the last
> line of the filter on an INVITE).
> 

I'm far from a regex expert, but I don't think that last line would 
capture anything in the invite. In fact, asterisk doesn't throw any 
WARNING at all for this INVITE.

I'm not sure, but I don't even see how you can get asterisk to log these 
invites at all. There's no heading such as WARNING( or NOTICE, SECURITY, 
etc).

>>   That why I find it puzzling. What is he trying to do ?
> 
> There are sip servers publicly reachable that will relay INVITEs, make
> sure yours aren't. And there are only 2 kinds of operators of sip
> server:
> -those that have been the victim of toll fraud
> -those that will be the victim of toll fraud
> 
> You can do nothing to stop this kind of traffic. The only thing you can
> do is block it, either using only a whitelist (cumbersome) or generate a
> blacklist with for example fail2ban or a more elaborate honeypot setup.
> Or setup a proxy that will filter patterns you discover from
> 
> BTW this is not a person, this is an automated script, running most
> likely on compromised machines and sending spoofed ips. These scripts
> care about generating a ring on a phone (again most an abuseable/hacked
> account (or purchased with CC fraud)). If they find a server that does,
> it will be targetted for all kind of fraud.
> 

Very interesting.

sen