[asterisk-users] Is this a DDoS to reach Asterisk?

Bruce B bruceb444 at gmail.com
Mon Nov 8 21:24:28 CST 2010


And that's the problem. There is no such service running, and no such port is
open. They only keep trying this for no reason. It might cost us bandwidth
for no reason. In fact there are no open ports on our network whatsoever.

Thanks

On Mon, Nov 8, 2010 at 9:50 PM, Lyle Giese <lyle at lcrcomputer.net> wrote:

> Bruce B wrote:
>
> Hi Everyone,
>
> I have pfSense running which supplies Asterisk with DHCP. I had some
> testing ports opened for a web server which I have totally closed now but
> when I chose option 10 (filter log) on pfSense I get all of this type of
> traffic (note that it was only 1 single IP and once I blocked that one it
> was like opening a can full of bees with all different IPs):
>
>
> Thanks,
>
> Always in cases like this find out what service might be targeted.
> What's on tcp port 445?  Microsoft-Directory Services
>
> Enough said.  The script kiddies have a new tool to play with to break into
> Microsoft based systems...
>
> Lyle
>
>
>
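Lyle's advice comes down to triaging blocked traffic by destination port before worrying about bandwidth. As an added example (not code from either poster), this Python script parses pflog lines in the format pfSense's filter-log option prints, counts hits and distinct source addresses per target port, and names the well-known service behind it; the sample log is constructed with RFC 5737 addresses and the service-name table is an assumption of this example.

```python
import re
from collections import Counter, defaultdict

# One pflog line as pfSense prints it through tcpdump, e.g.
# "2. 867707 rule 70/0(match): block in on vr1: 198.51.100.7.4155 > 192.0.2.62.445:  tcp 28 [...]"
# ICMP lines carry no ".port" suffix, so both port groups are optional.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) (?:in|out) on \w+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: *(?P<rest>.*)"
)
# IANA names for the destination ports this kind of log is full of (assumed table)
SERVICE_NAMES = {445: "microsoft-ds (SMB)", 1434: "ms-sql-m", 5060: "sip"}

def parse_pflog_line(line):
    """Return (src, dst, proto, dport) for a blocked-packet line, None for banners."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rest = m.group("rest").lower()
    if "icmp" in rest:
        proto = "icmp"
    elif rest.startswith(("udp", "sip")):   # tcpdump decodes SIP-over-UDP as "SIP"
        proto = "udp"
    else:                                   # "tcp N [bad hdr ...]" or truncated "[|tcp]"
        proto = "tcp"
    dport = int(m.group("dport")) if m.group("dport") else None
    return m.group("src"), m.group("dst"), proto, dport

def summarize(text):
    """Map (proto, dport) -> (hits, distinct sources, service name), busiest target first."""
    hits, sources = Counter(), defaultdict(set)
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec:
            src, _dst, proto, dport = rec
            hits[(proto, dport)] += 1
            sources[(proto, dport)].add(src)
    return {k: (n, len(sources[k]), SERVICE_NAMES.get(k[1], "unknown"))
            for k, n in hits.most_common()}

# Constructed sample in the post's format; RFC 5737 addresses, not real hosts
SAMPLE_LOG = """\
000000 rule 70/0(match): block in on vr1: 198.51.100.7.4155 > 192.0.2.62.445:  tcp 28 [bad hdr length 0 - too short, < 20]
2. 867707 rule 70/0(match): block in on vr1: 198.51.100.7.4155 > 192.0.2.62.445:  tcp 28 [bad hdr length 0 - too short, < 20]
1. 574556 rule 70/0(match): block in on vr1: 198.51.100.9.1341 > 192.0.2.43.445: [|tcp]
5. 041794 rule 67/0(match): block in on vr1: 203.0.113.5.1378 > 192.0.2.48.1434: UDP, length 376
7. 088359 rule 67/0(match): block in on vr1: 203.0.113.10 > 192.0.2.42: [|icmp]
007399 rule 67/0(match): block in on vr1: 203.0.113.77.5060 > 192.0.2.40.5060: SIP, length: 403
"""

if __name__ == "__main__":
    for (proto, port), (n, nsrc, name) in summarize(SAMPLE_LOG).items():
        print(f"{proto:5} {str(port or '-'):>5} {name:20} {n:3} hits from {nsrc} source(s)")
```

Feed it the output of pfSense's filter log instead of SAMPLE_LOG and the busiest (proto, port) pair at the top of the table is the service the scanners are after; a port nobody listens on is background scanning rather than a denial of service.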