<div dir="ltr">Script kiddies trying to find vulnerable systems that they can make calls on. Lock down the box with iptables and use fail2ban to block them. The via is probably bogus unless a box at the DoD was compromised.<div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Dec 30, 2017 at 6:49 PM, sean darcy <span dir="ltr"><<a href="mailto:seandarcy2@gmail.com" target="_blank">seandarcy2@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I've been getting a lot of timeouts on non-critical invite transactions. I turned on sip debug. They were the result of SIP invites like this:<br>
<br>
Retransmitting #10 (NAT) to <a href="http://185.107.94.10:13057" rel="noreferrer" target="_blank">185.107.94.10:13057</a>:<br>
SIP/2.0 401 Unauthorized<br>
Via: SIP/2.0/UDP 215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p;received=185.107.94.10;rport=13057<br>
From: <sip:a'or'3=3--@<myip-address>;transport=UDP>;tag=fptfih1e<br>
To: <sip:00141225184741@<myip-address>;transport=UDP>;tag=as2913c67b<br>
Call-ID: 5YpLDUSIs6l3xbDXsurYTu..<br>
CSeq: 1 INVITE<br>
Server: Asterisk PBX 13.19.0-rc1<br>
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE<br>
Supported: replaces, timer<br>
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk_home", nonce="14be1363"<br>
Content-Length: 0<br>
<br>
---<br>
WARNING[1868]: chan_sip.c:4065 retrans_pkt: Retransmission timeout reached on transmission 5YpLDUSIs6l3xbDXsurYTu.. for seqno 1 (Non-critical Response) -- See <a href="https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions" rel="noreferrer" target="_blank">https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions</a><br>
Packet timed out after 32000ms with no response<br>
WARNING[1868]: chan_sip.c:4124 retrans_pkt: Timeout on 5YpLDUSIs6l3xbDXsurYTu.. on non-critical invite transaction.<br>
<br>
Looking up the IP addresses:<br>
<br>
whois 185.107.94.10<br>
.............<br>
inetnum: 185.107.94.0 - 185.107.94.255<br>
netname: NFORCE_ENTERTAINMENT<br>
descr: Serverhosting<br>
..................<br>
organisation: ORG-NE3-RIPE<br>
org-name: NForce Entertainment B.V.<br>
org-type: LIR<br>
address: Postbus 1142<br>
address: 4700BC<br>
address: Roosendaal<br>
address: NETHERLANDS<br>
phone: <a href="tel:%2B31206919299" value="+31206919299" target="_blank">+31206919299</a><br>
...................<br>
<br>
whois 215.45.145.211<br>
.................<br>
NetRange: 215.0.0.0 - 215.255.255.255<br>
CIDR: <a href="http://215.0.0.0/8" rel="noreferrer" target="_blank">215.0.0.0/8</a><br>
NetName: DNIC-NET-215<br>
NetHandle: NET-215-0-0-0-1<br>
Parent: ()<br>
NetType: Direct Assignment<br>
OriginAS:<br>
Organization: DoD Network Information Center (DNIC)<br>
RegDate: 1998-06-04<br>
Updated: 2011-06-21<br>
Ref: <a href="https://whois.arin.net/rest/net/NET-215-0-0-0-1" rel="noreferrer" target="_blank">https://whois.arin.net/rest/net/NET-215-0-0-0-1</a><br>
<br>
<br>
<br>
OrgName: DoD Network Information Center<br>
OrgId: DNIC<br>
Address: 3990 E. Broad Street<br>
City: Columbus<br>
StateProv: OH<br>
<br>
So how is someone on a Dutch ISP using my server to mess with a US DoD IP address?<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
asterisk-users mailing list<br>
</font></span></blockquote></div><br></div>
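As an added illustration of the point made in the reply (the Via host is forged; the real sender is the received/rport address Asterisk actually retransmits to), this is example code, not from the thread or from Asterisk or fail2ban: it parses the 401 quoted above, reports the Via mismatch and the injection-looking From user, and names the real peer as the one worth blocking rather than the spoofed DoD address. The sample message is reconstructed from the post, with the poster's <myip-address> placeholder left as-is; IPv4 only.

```python
import re

# Constructed sample: the 401 Asterisk retransmitted in the quoted post
# (placeholder <myip-address> kept exactly as the poster wrote it).
SAMPLE_401 = """SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p;received=185.107.94.10;rport=13057
From: <sip:a'or'3=3--@<myip-address>;transport=UDP>;tag=fptfih1e
To: <sip:00141225184741@<myip-address>;transport=UDP>;tag=as2913c67b
Call-ID: 5YpLDUSIs6l3xbDXsurYTu..
CSeq: 1 INVITE
"""


def parse_headers(msg):
    """Map header-name (lowercased) to value; skips the status line, stops at the blank line."""
    headers = {}
    for line in msg.splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def analyze(msg):
    """Compare the Via's claimed sent-by host with the received=/rport= the server stamped on it."""
    h = parse_headers(msg)
    via = h.get("via", "")
    m = re.match(r"SIP/2\.0/(\w+)\s+([^\s;]+)", via)
    claimed = m.group(2).rsplit(":", 1)[0] if m else None  # host from "host:port" (IPv4 only)
    params = dict(p.split("=", 1) if "=" in p else (p, "") for p in via.split(";")[1:])
    received, rport = params.get("received"), params.get("rport")
    user_m = re.search(r"sip:([^@>]+)@", h.get("from", ""))
    user = user_m.group(1) if user_m else ""
    return {
        "claimed_via_host": claimed,
        # received=/rport= is where the packet really came from; that is the address to act on.
        "actual_peer": f"{received}:{rport}" if received else claimed,
        "via_spoofed": received is not None and received != claimed,
        # quote, SQL comment marker or bare "or" in the user part: typical probe, not a real caller
        "suspicious_from_user": bool(re.search(r"['\"]|--|\bor\b", user, re.I)),
        "ban_candidate": received or claimed,
    }


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_401).items():
        print(f"{k}: {v}")
```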