>>> Perhaps if there was an Asterisk RBL we could all contribute to; for
>>> which we could then hook into and drop any connection where a
>>> source IP is listed? -- Thanks, Phil
>>>
>>
>> I love the idea of an RBL... count me in for contributing.
>>
>> Especially considering the ridiculous response I received from
>> Amazon. (Basically told me to submit host, destination, port, proto,
>> and log... which of course was already included in the original
>> complaint)
>
> I don't think anyone else brought up the Spamhaus DROP project. It's a
> blacklist of IP addresses and address ranges which are known to ONLY be
> used for malicious purposes.
>
> http://www.spamhaus.org/drop/
>
> We could establish something similar to that for VOIP attacks. It may
> not be exactly a trivial system to maintain such a list. (removing IPs
> after X amount of time, disputing false claims etc). Maybe someone
> could contact Spamhaus to create a list for VOIP since they seem to have
> a nice system in place?
>

Hi All, good discussion, similar to ones we had a year or so ago. The
RBL concept is valid, at least to get a repository going that lists
malicious activity specific to SIP attacks.

I worked with Project Honeypot guys for a while, they are more than
willing to assist, as they already have the backend work done for a
clearing house identifying hackers. The biggest issue we had a year
ago was to create the mechanism in Asterisk to push valid log messages
out to the database and then determine what to do with that data?

I tried to bridge the gap between a few Asterisk developers and the
Honeypot developers, ultimately the project stalled and I got busy
with other matters. If anyone here would like to pick up the torch
and move this along, I can certainly provide info on how far along we
got and contact info for the parties involved.

Please contact me if you have time to work on this and are interested.
I'm sure the Project Honeypot guys will be willing to pick this
project back up and work on it.

Thanks.

JR
--
JR Richardson
Engineering for the Masses

> I worked with Project Honeypot guys for a while, they are more than
> willing to assist, as they already have the backend work done for a
> clearing house identifying hackers. The biggest issue we had a year
> ago was to create the mechanism in asterisk to push valid log messages
> out to the database and then determine what to do with that data?

Because I run a lot of forums and blogs, I use Project Honeypot, report
to them and have lent them a few honeypot MX and pages.

> I tried to bridge the gap between a few Asterisk developers and the
> Honeypot developers, ultimately the project stalled and I got busy
> with other matters. If anyone here would like to pick up the torch
> and move this along, I can certainly provide info on how far along we
> got and contact info for the parties involved.

Project Honeypot seems pretty overworked/overstretched already, but if
you're able to communicate with them that's excellent, they are doing a
great job with their DB, it saves me a lot of time.

> Please contact me if you have time to work on this and are interested.
> I'm sure the Project Honeypot guys will be willing to pick this
> project back up and work on it.

I can't contribute code, but I can help spread the word.

I also still believe that Amazon needs to put resources to work on the
problem. The cloud is too easy to hide in for what are obviously
fraudulent operations.

We will certainly be talking about this on the VoIP Users Conference in
the next weeks. We should schedule it as a topic, possibly for April
30th. Would you be available for that, JR? (12 Noon EDT)

/r

On Mon, Apr 12, 2010 at 04:58:42PM -0500, JR Richardson wrote:
> >>> Perhaps if there was an Asterisk RBL we could all contribute to; for
> >>> which we could then hook into and drop any connection where a
> >>> source IP is listed? -- Thanks, Phil
> >>>
> >>
> >> I love the idea of an RBL... count me in for contributing.
> >>
> >> Especially considering the ridiculous response I received from
> >> Amazon. (Basically told me to submit host, destination, port, proto,
> >> and log... which of course was already included in the original
> >> complaint)
> >
> > I don't think anyone else brought up the Spamhaus DROP project. It's a
> > blacklist of IP addresses and address ranges which are known to ONLY be
> > used for malicious purposes.
> >
> > http://www.spamhaus.org/drop/

This is for really bad spammers. In our case it would be used to block
Amazon AWS in the (completely unlikely!) case that they would do nothing
about those cases.

> >
> > We could establish something similar to that for VOIP attacks. It may
> > not be exactly a trivial system to maintain such a list. (removing IPs
> > after X amount of time, disputing false claims etc). Maybe someone
> > could contact Spamhaus to create a list for VOIP since they seem to have
> > a nice system in place?
> >
> Hi All, good discussion, similar to ones we had a year or so ago. The
> RBL concept is valid, at least to get a repository going that lists
> malicious activity specific to SIP attacks.
>
> I worked with Project Honeypot guys for a while, they are more than
> willing to assist, as they already have the backend work done for a
> clearing house identifying hackers. The biggest issue we had a year
> ago was to create the mechanism in Asterisk to push valid log messages
> out to the database and then determine what to do with that data?
>
> I tried to bridge the gap between a few Asterisk developers and the
> Honeypot developers, ultimately the project stalled and I got busy
> with other matters. If anyone here would like to pick up the torch
> and move this along, I can certainly provide info on how far along we
> got and contact info for the parties involved.
>
> Please contact me if you have time to work on this and are interested.
> I'm sure the Project Honeypot guys will be willing to pick this
> project back up and work on it.

I've been bitten too many times by over-zealous anti-spam black lists.
It's easy to get in. More difficult to be removed.

And heck, I can easily set up a few servers in Amazon which will
generate faked logs of "attacks" from your server, if I want to shut
your phone system for a couple of days.

--
Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
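
The list-maintenance points raised in this thread (removing entries after a set time, disputing claims, and forged reports getting an innocent server listed) can be sketched as follows. This is an added example, not part of any poster's message and not code from Asterisk, Spamhaus or Project Honeypot; the class, the 7-day TTL, the three-reporter quorum and the reporter IDs are all assumptions.

```python
import ipaddress

TTL_SECONDS = 7 * 24 * 3600   # assumed value for the thread's "X amount of time"
MIN_REPORTERS = 3             # assumed quorum of independent reporters

class SipBlocklist:
    """Hypothetical aggregator for SIP attack reports from many Asterisk sites."""

    def __init__(self, ttl=TTL_SECONDS, min_reporters=MIN_REPORTERS):
        self.ttl = ttl
        self.min_reporters = min_reporters
        self.reports = {}      # source IP -> {reporter id: time of latest report}
        self.disputed = set()  # IPs withheld from the list pending review

    def report(self, reporter_id, source_ip, when):
        ip = str(ipaddress.ip_address(source_ip))  # rejects malformed addresses
        # One slot per reporter: repeated reports refresh the time, not the count.
        self.reports.setdefault(ip, {})[reporter_id] = when

    def dispute(self, source_ip):
        self.disputed.add(str(ipaddress.ip_address(source_ip)))

    def live_reporters(self, source_ip, now):
        ip = str(ipaddress.ip_address(source_ip))
        seen = self.reports.get(ip, {})
        return {r for r, t in seen.items() if now - t <= self.ttl}

    def is_listed(self, source_ip, now):
        ip = str(ipaddress.ip_address(source_ip))
        if ip in self.disputed:
            return False
        return len(self.live_reporters(ip, now)) >= self.min_reporters

def demo():
    bl = SipBlocklist()
    day = 24 * 3600
    # Constructed sample data; addresses are from documentation ranges.
    for n in range(50):                        # one reporter, many reports
        bl.report("site-a", "203.0.113.7", when=n)
    for site in ("site-a", "site-b", "site-c"):
        bl.report(site, "198.51.100.9", when=0)
    return {
        "single_reporter": bl.is_listed("203.0.113.7", now=day),
        "quorum": bl.is_listed("198.51.100.9", now=day),
        "expired": bl.is_listed("198.51.100.9", now=8 * day),
    }

if __name__ == "__main__":
    print(demo())
```

The quorum only limits forged reports if reporter identities are authenticated and vetted; someone able to register several reporters can still reach it, which is why the dispute path and expiry matter.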