[asterisk-users] My Switch is being attacked using sip scanner tool (Service Abuse Attack)
mosbah abdelkader
mosbah.abdelkader at gmail.com
Thu Jul 22 05:33:48 CDT 2010
An attacker is scanning my Asterisk Switch to gain illegitimate access to
VoIP call functionality.
Using a sip scanning tool, *it* sends REGISTERs with random identities. And
when it discovers one identity subscribed in my switch, it tries to
authenticate with random passwords using this user name.
For the moment, I have replaced this account. And also blocked the IP it has
used but each time it tries to use another IP to scan again.
Following is a sample REGISTER request sent by it to my switch (I have
hidden some info).
REGISTER sip:xx.xx.xx.xx SIP/2.0
*Via: SIP/2.0/UDP 127.0.1.1:5061;branch=xxxxxxxxx**-xxxxxxxxx**;rport*
Content-Length: 0
From: "xxxxxxxxx" <sip:xxxxxxxxx at xx.xx.xx.xx>
Accept: application/sdp
*User-Agent: friendly-scanner*
To: "xxxxxxxxx" <sip:xxxxxxxxx at xx.xx.xx.xx>
*Contact: sip:123 at 1.1.1.1 <sip%3A123 at 1.1.1.1>*
CSeq: 1 REGISTER
Call-ID: 4244603463
Max-Forwards: 70
Please help me resolve this problem.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.digium.com/pipermail/asterisk-users/attachments/20100722/1afc4c72/attachment.htm
More information about the asterisk-users
mailing list