<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">just one more ;-)<br>
<br>
the source IP just changed to <br>
<pre wrap="">142.0.41.179</pre>
<br>
<pre wrap="">OrgName: VolumeDrive
OrgId: VOLUM-2
Address: 1143 Northern Blvd
City: Clarks Summit
StateProv: PA
PostalCode: 18411
Country: US</pre>
and the destination Number to<br>
<br>
<pre wrap="">972595632276</pre>
<br>
<br>
<pre wrap="">Oct 3 20:26:37 server /sbin/kamailio[3977]: NOTICE: &lt;script&gt;: blocking IP 142.0.41.179 sipcli/v1.8 rm=INVITE aU=&lt;null&gt; rU=+972595632276</pre>
<br>
<br>
On 03.10.2014 at 20:15, Rainer Piper wrote:<br>
</div>
<blockquote cite="mid:542EE7C4.7050205@soho-piper.de" type="cite">
<div class="moz-cite-prefix">Hi Chris,<br>
<br>
yes ... it is boring ...<br>
I stop posting ...<br>
;-)<br>
<br>
<br>
On 03.10.2014 at 20:11, Chris Bagnall wrote:<br>
</div>
<blockquote cite="mid:542EE6BB.4080507@lists.minotaur.cc"
type="cite">On 3/10/14 6:52 pm, Rainer Piper wrote: <br>
<blockquote type="cite">the attacking server changed the
destination Number at 18:53 CEST and <br>
he is still blocked ... LOL <br>
972597438354 <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E" href="callto:00972597438354">&lt;callto:00972597438354&gt;</a>
<br>
</blockquote>
<br>
It's pretty much an everyday occurrence for any
internet-connected SIP system these days... <br>
<br>
<blockquote type="cite">Oct 3 19:46:20 server
/sbin/kamailio[3977]: NOTICE: &lt;script&gt;: blocking <br>
IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=&lt;null&gt;
rU=100972597438354 <br>
</blockquote>
<br>
Many of these attacks come from fairly easily recognised
user-agent strings, so if you fancy doing a bit of packet
inspection with your firewall, you can block many of these
before they get as far as your SIP server(s) themselves. <br>
<br>
For example, the sipcli scans you listed above can be blocked
fairly easily with: <br>
<pre wrap="">iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string "sipcli" -j DROP</pre>
<br>
(obviously there are overheads to string searching UDP/5060
packets that you'll want to consider, and the above won't work
if you're using sipcli legitimately anywhere on your network) <br>
<br>
Kind regards, <br>
<br>
Chris <br>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
<b>Rainer Piper</b> <br>
Integration engineer <br>
Koeslinstr. 56 <br>
53123 BONN <br>
GERMANY <br>
Phone: +49 228 97167161 <br>
P2P: <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="sip:rainer@sip.soho-piper.de:5072">sip:rainer@sip.soho-piper.de:5072</a>
(pjsip-test) <br>
XMPP: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:rainer@xmpp.soho-piper.de">rainer@xmpp.soho-piper.de</a></div>
<br>
<br>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
<b>Rainer Piper</b>
<br>
Integration engineer
<br>
Koeslinstr. 56
<br>
53123 BONN <br>
GERMANY
<br>
Phone: +49 228 97167161
<br>
P2P: <a class="moz-txt-link-freetext" href="sip:rainer@sip.soho-piper.de:5072">sip:rainer@sip.soho-piper.de:5072</a> (pjsip-test)
<br>
XMPP: <a class="moz-txt-link-abbreviated" href="mailto:rainer@xmpp.soho-piper.de">rainer@xmpp.soho-piper.de</a></div>
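<br>
Added example, not part of the original messages: a short Python summary of the "blocking IP" log lines quoted in this thread, grouped by User-Agent, which shows the same sipcli/v1.8 agent arriving from both source addresses with a different dialled number each time. The field layout is inferred from the two quoted lines; the function names and the third sample line are constructed for illustration.<br>

```python
import re
from collections import defaultdict

# Field layout of the "blocking IP" NOTICE lines quoted in this thread
# (inferred from those two lines, so treat it as an assumption):
#   blocking IP <source> <User-Agent> rm=<method> aU=<auth user> rU=<request user>
# The User-Agent may contain spaces, so it is matched lazily up to " rm=".
BLOCK_RE = re.compile(
    r"blocking IP (?P<ip>\S+) (?P<ua>.*?) rm=(?P<method>\S+) "
    r"aU=(?P<au>\S+) rU=(?P<ru>\S+)\s*$"
)

# The first two lines are the ones quoted in the thread (mail line wraps
# rejoined); the third is constructed, using a documentation address, to
# show that unrelated lines are skipped.
SAMPLE_LOG = """\
Oct 3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=100972597438354
Oct 3 20:26:37 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 142.0.41.179 sipcli/v1.8 rm=INVITE aU=<null> rU=+972595632276
Oct 3 20:27:01 server /sbin/kamailio[3977]: INFO: <script>: REGISTER from 192.0.2.10
"""


def summarize(log_text):
    """Group blocked requests by User-Agent: source IPs, dialled users, hits."""
    by_ua = defaultdict(lambda: {"ips": set(), "targets": set(), "hits": 0})
    for line in log_text.splitlines():
        m = BLOCK_RE.search(line)
        if m is None:
            continue  # not a "blocking IP" line
        entry = by_ua[m.group("ua")]
        entry["ips"].add(m.group("ip"))
        entry["targets"].add(m.group("ru"))
        entry["hits"] += 1
    return dict(by_ua)


def rotating_agents(summary):
    """User-Agents seen from more than one source address, sorted."""
    return sorted(ua for ua, e in summary.items() if len(e["ips"]) > 1)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ua, e in summary.items():
        print(ua, e["hits"], sorted(e["ips"]), sorted(e["targets"]))
    print("same agent, several sources:", rotating_agents(summary))
```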
</body>
</html>