Hi,

Given the recent increase in SIP brute force attacks, I've had a little idea.

The standard scripts that block after X attempts work well to prevent you actually being compromised, but once you've been 'found' then the attempts seem to keep coming for quite some time. Older versions of sipvicious don't appear to stop once you start sending unreachables (or straight drops). Now this isn't a problem for Asterisk, but it does add up in (noticeable) bandwidth costs - and for people running on lower bandwidth connections. The tool to crash sipvicious can help this, but very few attackers seem to obey it.

The only way I can see to alleviate this is to blacklist hosts *before* they attack. This means you won't ever be targeted past an initial scan.

Is there any interest in a 'shared' blacklist (similar to spam blacklists, but obviously implemented in a way that is more usable with Asterisk/iptables)? Clearly it raises issues about false positives etc., but requiring reports from more than X hosts should alleviate this. There's all the usual de-listing / false-listing worries as with any blacklist, but the SMTP world has solutions we could learn from.

Leaving a 'honeypot' running on a single IP address has revealed a few hundred addresses in less than a month. I am fairly certain these are all 'bad' as this host isn't used for anything else. There is obviously a wealth of data (and attacks) out there that would be good to share.

Anyone have any thoughts?

S
Always start here... http://www.spamhaus.org/drop/

If the AS is stolen, you can block the network and never have to worry about it...

~ Andrew "lathama" Latham lathama at gmail.com
* Learn more about OSS http://en.wikipedia.org/wiki/Open-source_software
* Learn more about Linux http://en.wikipedia.org/wiki/Linux
* Learn more about Tux http://en.wikipedia.org/wiki/Tux

On Thu, Oct 21, 2010 at 12:41 PM, Steve Howes <steve-lists at geekinter.net> wrote:
> Is there any interest in a 'shared' blacklist (similar to spam blacklists, but obviously implemented in a way that is more usable with Asterisk/iptables)?
On Thu, 21 Oct 2010, Steve Howes wrote:
> Is there any interest in a 'shared' blacklist (similar to spam
> blacklists, but obviously implemented in a way that is more usable with
> Asterisk/iptables)?

I'll subscribe, that is for sure. What is the best way to dist the blacklist? iptables include file? Or something more integrated to asterisk... just thinking off the top of my head that a module that vetted inbound connections against an external list would be a very cool thing.

j
I was thinking on the same lines, i.e. set up a server which will be regularly updated with these bad IP addresses, and anybody looking to block bad IPs will be able to get this list from here. For example, when I get mail from Fail2Ban (which I am getting more and more every day now), a copy would be sent to this server with the updated bad IP address.

But the problem is how to make sure that only legitimate users are contributing to this list. Contributors to this list somehow need to verify to an admin that they are not hackers, and this is the hard part.

Zeeshan A Zakaria
--
www.ilovetovoip.com

On 2010-10-21 11:46 AM, "Steve Howes" <steve-lists at geekinter.net> wrote:
> Is there any interest in a 'shared' blacklist (similar to spam blacklists, but obviously implemented in a way that is more usable with Asterisk/iptables)?
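The "more than X hosts" rule from Steve's post, the iptables include file j asks about, and the per-contributor reports Zeeshan describes, sketched as an added Python example that is not code from the thread. The report format, contributor ids, addresses, threshold and the SIP port/chain in the emitted rules are all assumptions made for the example.

```python
"""Aggregate SIP abuse reports from several contributors and emit iptables
rules only for addresses reported by at least THRESHOLD distinct contributors,
so one misconfigured or malicious contributor cannot get an address listed."""
import ipaddress
from collections import defaultdict

# Constructed sample input: one report per line, "contributor_id source_ip".
# Contributor ids and addresses are invented (RFC 5737 documentation ranges).
SAMPLE_REPORTS = """\
hp-uk1 203.0.113.10
hp-uk1 203.0.113.10
hp-de2 203.0.113.10
pbx-ca3 203.0.113.10
hp-uk1 198.51.100.7
pbx-ca3 198.51.100.7
hp-de2 192.0.2.55
hp-de2 not-an-ip
"""

THRESHOLD = 3  # distinct contributors required before an address is listed


def parse_reports(text):
    """Map each reported address to the set of contributors that reported it.
    Repeat reports from the same contributor count once; bad lines are skipped."""
    seen = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        contributor, addr = parts
        try:
            ip = ipaddress.ip_address(addr)  # reject anything that is not an IP
        except ValueError:
            continue
        seen[str(ip)].add(contributor)
    return seen


def consensus_blacklist(reports, threshold=THRESHOLD):
    """Addresses backed by at least `threshold` distinct contributors, sorted."""
    return sorted(ip for ip, who in reports.items() if len(who) >= threshold)


def iptables_rules(ips, port=5060):
    """Render a shell include file: one DROP rule per listed address for SIP/UDP.
    Rules are returned as text, never executed here."""
    rules = [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP" for ip in ips]
    return "\n".join(rules) + ("\n" if rules else "")


if __name__ == "__main__":
    print(iptables_rules(consensus_blacklist(parse_reports(SAMPLE_REPORTS))))
```

With the sample above only 203.0.113.10 reaches three contributors; 198.51.100.7 has two and stays off the list until another independent report arrives.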
We would be interested. Spam is a harder problem to fight due to volume and the ability of any idiot to set up free email accounts. But anyone blasting SIP systems is a pure commercial crook. Tagging and strangling them should be a clear cut project.

Cary Fitch

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com On Behalf Of Steve Howes
Sent: Thursday, October 21, 2010 10:41 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] SIP Blacklisting

Is there any interest in a 'shared' blacklist (similar to spam blacklists, but obviously implemented in a way that is more usable with Asterisk/iptables)?
On 21/10/10 16:41, Steve Howes wrote:
> Is there any interest in a 'shared' blacklist (similar to spam blacklists, but obviously implemented in a way that is more usable with Asterisk/iptables)?

Not sure it's quite the same but have you seen: http://www.infiltrated.net/voipabuse/