Hi Everyone,

I have pfSense running which supplies Asterisk with DHCP. I had some testing ports opened for a web server which I have totally closed now, but when I chose option 10 (filter log) on pfSense I get all of this type of traffic (note that it was only 1 single IP and once I blocked that one it was like opening a can full of bees with all different IPs):

tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
000000 rule 70/0(match): block in on vr1: 221.132.34.165.33556 > 69.90.78.53.52229: tcp 20 [bad hdr length 0 - too short, < 20]
6. 239658 rule 70/0(match): block in on vr1: 121.207.254.227.6667 > 69.90.78.38.3072: tcp 24 [bad hdr length 0 - too short, < 20]
7. 986724 rule 70/0(match): block in on vr1: 61.231.237.223.4155 > 69.90.78.62.445: tcp 28 [bad hdr length 0 - too short, < 20]
2. 867707 rule 70/0(match): block in on vr1: 61.231.237.223.4155 > 69.90.78.62.445: tcp 28 [bad hdr length 0 - too short, < 20]
2. 799337 rule 70/0(match): block in on vr1: 186.36.73.212.4545 > 69.90.78.56.445: tcp 28 [bad hdr length 0 - too short, < 20]
2. 931814 rule 70/0(match): block in on vr1: 186.36.73.212.4545 > 69.90.78.56.445: tcp 28 [bad hdr length 0 - too short, < 20]
1. 574556 rule 70/0(match): block in on vr1: 190.7.59.45.1341 > 69.90.78.43.445: tcp 28 [bad hdr length 0 - too short, < 20]
2. 956066 rule 70/0(match): block in on vr1: 190.7.59.45.1341 > 69.90.78.43.445: tcp 28 [bad hdr length 0 - too short, < 20]
1. 598334 rule 70/0(match): block in on vr1: 2.95.19.121.3463 > 69.90.78.42.445: tcp 20 [bad hdr length 8 - too short, < 20]
072759 rule 70/0(match): block in on vr1: 123.192.177.2.54518 > 69.90.78.43.445: tcp 20 [bad hdr length 8 - too short, < 20]
109451 rule 70/0(match): block in on vr1: 219.163.19.138.3723 > 69.90.78.63.445: tcp 28 [bad hdr length 0 - too short, < 20]
2. 731065 rule 70/0(match): block in on vr1: 2.95.19.121.3463 > 69.90.78.42.445: tcp 16 [bad hdr length 12 - too short, < 20]
159413 rule 70/0(match): block in on vr1: 123.192.177.2.54518 > 69.90.78.43.445: tcp 20 [bad hdr length 8 - too short, < 20]
374293 rule 70/0(match): block in on vr1: 219.163.19.138.3723 > 69.90.78.63.445: tcp 16 [bad hdr length 12 - too short, < 20]
10. 234202 rule 70/0(match): block in on vr1: 189.105.69.200.2413 > 69.90.78.52.445: tcp 20 [bad hdr length 12 - too short, < 20]
2. 985558 rule 70/0(match): block in on vr1: 189.105.69.200.2413 > 69.90.78.52.445: tcp 20 [bad hdr length 12 - too short, < 20]
13. 236084 rule 70/0(match): block in on vr1: 82.51.36.230.2923 > 69.90.78.35.445: tcp 16 [bad hdr length 12 - too short, < 20]
2. 982122 rule 70/0(match): block in on vr1: 82.51.36.230.2923 > 69.90.78.35.445: tcp 16 [bad hdr length 12 - too short, < 20]
18. 493312 rule 70/0(match): block in on vr1: 218.16.118.242.80 > 69.90.78.47.39781: tcp 16 [bad hdr length 12 - too short, < 20]
2. 477084 rule 70/0(match): block in on vr1: 218.16.118.242.80 > 69.90.78.47.39781: tcp 16 [bad hdr length 12 - too short, < 20]
9. 777792 rule 70/0(match): block in on vr1: 121.243.16.214.1677 > 69.90.78.54.445: tcp 16 [bad hdr length 12 - too short, < 20]
1. 216002 rule 70/0(match): block in on vr1: 172.168.0.4.1568 > 69.90.78.49.445: [|tcp]
321600 rule 70/0(match): block in on vr1: 72.179.18.165.2854 > 69.90.78.55.445: tcp 20 [bad hdr length 8 - too short, < 20]
1. 383839 rule 70/0(match): block in on vr1: 121.243.16.214.1677 > 69.90.78.54.445: [|tcp]
1. 466115 rule 70/0(match): block in on vr1: 72.179.18.165.2854 > 69.90.78.55.445: [|tcp]
7. 977140 rule 70/0(match): block in on vr1: 41.72.209.67.4532 > 69.90.78.36.445: [|tcp]
2. 920013 rule 70/0(match): block in on vr1: 41.72.209.67.4532 > 69.90.78.36.445: [|tcp]
29. 032839 rule 70/0(match): block in on vr1: 201.168.49.13.1404 > 69.90.78.55.445: [|tcp]
2. 996906 rule 70/0(match): block in on vr1: 201.168.49.13.1404 > 69.90.78.55.445: [|tcp]
62. 079279 rule 70/0(match): block in on vr1: 82.165.131.28.6005 > 69.90.78.47.1024: [|tcp]
34. 224871 rule 67/0(match): block in on vr1: 77.34.234.241.1899 > 69.90.78.43.445: [|tcp]
3. 006367 rule 67/0(match): block in on vr1: 77.34.234.241.1899 > 69.90.78.43.445: [|tcp]
20. 274886 rule 67/0(match): block in on vr1: 66.211.120.62.1132 > 69.90.78.55.445: [|tcp]
2. 893859 rule 67/0(match): block in on vr1: 66.211.120.62.1132 > 69.90.78.55.445: [|tcp]
28. 739620 rule 67/0(match): block in on vr1: 117.197.247.151.1042 > 69.90.78.55.445: [|tcp]
2. 936286 rule 67/0(match): block in on vr1: 117.197.247.151.1042 > 69.90.78.55.445: [|tcp]
1. 207250 rule 67/0(match): block in on vr1: 118.171.176.188.42965 > 69.90.78.43.445: [|tcp]
3. 015370 rule 67/0(match): block in on vr1: 118.171.176.188.42965 > 69.90.78.43.445: [|tcp]
7. 088359 rule 67/0(match): block in on vr1: 61.130.103.10 > 69.90.78.42: [|icmp]
11. 825521 rule 67/0(match): block in on vr1: 71.100.221.211.4521 > 69.90.78.33.445: [|tcp]
2. 316564 rule 67/0(match): block in on vr1: 61.130.103.10 > 69.90.78.42: [|icmp]
626845 rule 67/0(match): block in on vr1: 71.100.221.211.4521 > 69.90.78.33.445: tcp 20 [bad hdr length 8 - too short, < 20]
5. 041794 rule 67/0(match): block in on vr1: 95.224.51.107.1378 > 69.90.78.48.1434: UDP, length 376
8. 978999 rule 67/0(match): block in on vr1: 221.132.34.165.33556 > 69.90.78.53.52229: [|tcp]
8. 067764 rule 67/0(match): block in on vr1: 117.22.229.187.2882 > 69.90.78.36.1434: UDP, length 376
7. 936396 rule 67/0(match): block in on vr1: 117.211.83.182.1919 > 69.90.78.59.445: [|tcp]
2. 890145 rule 67/0(match): block in on vr1: 117.211.83.182.1919 > 69.90.78.59.445: [|tcp]
4. 611658 rule 67/0(match): block in on vr1: 61.32.84.165.2561 > 69.90.78.43.445: [|tcp]
007399 rule 67/0(match): block in on vr1: 69.39.235.5.5060 > 69.90.78.40.5060: SIP, length: 403
2. 932101 rule 67/0(match): block in on vr1: 61.32.84.165.2561 > 69.90.78.43.445: [|tcp]
14. 157570 rule 67/0(match): block in on vr1: 83.239.20.74.3191 > 69.90.78.54.445: [|tcp]
2. 229645 rule 67/0(match): block in on vr1: 75.97.10.248.2556 > 69.90.78.54.445: [|tcp]
773124 rule 67/0(match): block in on vr1: 83.239.20.74.3191 > 69.90.78.54.445: [|tcp]
2. 102083 rule 67/0(match): block in on vr1: 75.97.10.248.2556 > 69.90.78.54.445: [|tcp]
6. 378646 rule 67/0(match): block in on vr1: 114.42.222.45.31689 > 69.90.78.39.445: [|tcp]
2. 950717 rule 67/0(match): block in on vr1: 114.42.222.45.31689 > 69.90.78.39.445: [|tcp]
6. 111112 rule 67/0(match): block in on vr1: 186.122.147.6.32221 > 69.90.78.45.445: [|tcp]
3. 608465 rule 67/0(match): block in on vr1: 186.122.147.6.32221 > 69.90.78.45.445: [|tcp]

Thanks,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.digium.com/pipermail/asterisk-users/attachments/20101108/6a124e62/attachment.htm
Bruce B wrote:
> Hi Everyone,
>
> I have pfSense running which supplies Asterisk with DHCP. I had some
> testing ports opened for a web server which I have totally closed now
> but when I chose option 10 (filter log) on pfSense I get all of this
> type of traffic (note that it was only 1 single IP and once I blocked
> that one it was like opening a can full of bees with all different IPs):
>
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
> 000000 rule 70/0(match): block in on vr1: 221.132.34.165.33556 > 69.90.78.53.52229: tcp 20 [bad hdr length 0 - too short, < 20]
> 6. 239658 rule 70/0(match): block in on vr1: 121.207.254.227.6667 > 69.90.78.38.3072: tcp 24 [bad hdr length 0 - too short, < 20]
> 7. 986724 rule 70/0(match): block in on vr1: 61.231.237.223.4155 > 69.90.78.62.445: tcp 28 [bad hdr length 0 - too short, < 20]
> [...]
> 6. 111112 rule 67/0(match): block in on vr1: 186.122.147.6.32221 > 69.90.78.45.445: [|tcp]
> 3. 608465 rule 67/0(match): block in on vr1: 186.122.147.6.32221 > 69.90.78.45.445: [|tcp]
>
> Thanks,

Always in cases like this find out what service might be targeted.

What's on tcp port 445? Microsoft-Directory Services

Enough said. The script kiddies have a new tool to play with to break into Microsoft based systems...

Lyle
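Lyle's advice is to work out which service the blocked traffic is aimed at. The script below is an added example for this thread, not code from the original post or from pfSense: it parses pflog lines in the tcpdump -ttt shape Bruce's filter-log output has (a delta timestamp such as "6. 239658", then "rule N/0(match): block in on IF: SRC.PORT > DST.PORT: decode"), tallies hits and distinct source addresses per destination port, and labels ports from a small service table. The sample log is constructed from the shape of the lines in the thread; the service table, the "likely reply" heuristic (well-known source port aimed at an ephemeral destination port) and the treatment of tcpdump's "[|tcp]" and "bad hdr length" annotations as header truncation by the 96-byte capture size are my assumptions.

```python
"""Tally blocked pflog entries by targeted port so the service behind the noise stands out.

Added example for this thread, not code from the original post or from pfSense.
Input is the tcpdump -ttt style the pfSense filter-log option prints: a delta
timestamp ("6. 239658" = 6 s 239658 us since the previous packet, microseconds
alone when the delta is under a second), then "rule N/0(match): block in on IF:
SRC.PORT > DST.PORT: <decode>".
"""
import re
import sys
from collections import Counter, defaultdict

# Assumed lookup for first-pass triage (IANA service names); extend for your environment.
SERVICES = {
    80: "http",
    445: "microsoft-ds (SMB/CIFS)",
    1434: "ms-sql-m (SQL Server Browser)",
    5060: "sip",
    6667: "irc",
}

LINE_RE = re.compile(
    r"^(?P<ts>(?:\d+\.\s+)?\d+)\s+rule\s+(?P<rule>\d+)/\d+\(match\):\s+"
    r"(?P<action>\w+)\s+(?P<direction>in|out)\s+on\s+(?P<iface>\w+):\s+"
    r"(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s*(?P<rest>.*)$"
)

# Constructed sample in the shape of the lines quoted in the thread.
SAMPLE_LOG = """\
000000 rule 70/0(match): block in on vr1: 221.132.34.165.33556 > 69.90.78.53.52229: tcp 20 [bad hdr length 0 - too short, < 20]
7. 986724 rule 70/0(match): block in on vr1: 61.231.237.223.4155 > 69.90.78.62.445: tcp 28 [bad hdr length 0 - too short, < 20]
2. 799337 rule 70/0(match): block in on vr1: 186.36.73.212.4545 > 69.90.78.56.445: tcp 28 [bad hdr length 0 - too short, < 20]
1. 216002 rule 70/0(match): block in on vr1: 172.168.0.4.1568 > 69.90.78.49.445: [|tcp]
7. 088359 rule 67/0(match): block in on vr1: 61.130.103.10 > 69.90.78.42: [|icmp]
5. 041794 rule 67/0(match): block in on vr1: 95.224.51.107.1378 > 69.90.78.48.1434: UDP, length 376
007399 rule 67/0(match): block in on vr1: 69.39.235.5.5060 > 69.90.78.40.5060: SIP, length: 403
18. 493312 rule 70/0(match): block in on vr1: 218.16.118.242.80 > 69.90.78.47.39781: tcp 16 [bad hdr length 12 - too short, < 20]
"""


def parse_delta(ts):
    """'18. 493312' -> 18.493312 seconds; '007399' -> 0.007399 seconds."""
    sec, _, usec = ts.rpartition(".")
    return int(sec or 0) + int(usec.strip()) / 1e6


def split_endpoint(endpoint):
    """'1.2.3.4.445' -> ('1.2.3.4', 445); a bare address (ICMP) -> (addr, None)."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


def decode_payload(rest):
    """Return (protocol token, truncated?) from the text after the endpoints.

    '[|tcp]' is tcpdump's marker for a header cut off by the capture size; the
    'bad hdr length' warnings are treated the same way (assumption: they come
    from the 96-byte snaplen, not from malformed packets).
    """
    m = re.match(r"\[\|(\w+)\]", rest) or re.match(r"(\w+)", rest)
    proto = m.group(1).lower() if m else "unknown"
    truncated = rest.startswith("[|") or "bad hdr length" in rest
    return proto, truncated


def parse_line(line):
    """Parse one pflog line (a leading mail-quote '> ' is tolerated); None if it does not match."""
    m = LINE_RE.match(line.strip().lstrip("> "))
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    proto, truncated = decode_payload(m["rest"])
    return {
        "delta": parse_delta(m["ts"]), "rule": int(m["rule"]),
        "action": m["action"], "iface": m["iface"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "proto": proto, "truncated": truncated,
        # Heuristic: a well-known *source* port hitting an ephemeral destination
        # port is usually a reply or backscatter, not a probe of our service.
        "likely_reply": src_port in SERVICES and dst_port not in SERVICES,
    }


def summarize(log_text):
    """Group events by (proto, dst port): hit count, distinct sources, service label."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    hits = Counter()
    sources = defaultdict(set)
    for e in events:
        key = (e["proto"], e["dst_port"])
        hits[key] += 1
        sources[key].add(e["src_ip"])
    rows = [
        {"proto": proto, "port": port, "service": SERVICES.get(port, "-"),
         "hits": n, "distinct_sources": len(sources[(proto, port)])}
        for (proto, port), n in hits.most_common()
    ]
    return {
        "events": len(events),
        "truncated": sum(e["truncated"] for e in events),
        "likely_replies": sum(e["likely_reply"] for e in events),
        "rows": rows,
    }


if __name__ == "__main__":
    # Pipe real output in (e.g. from the pfSense filter-log option) or run with no input for the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    s = summarize(text)
    print(f"{s['events']} blocked events, {s['truncated']} truncated, {s['likely_replies']} likely replies")
    for r in s["rows"]:
        print(f"{r['proto']:5} {str(r['port']):6} {r['hits']:3} hits from "
              f"{r['distinct_sources']} source(s)  {r['service']}")
```

Run against the sample, the top row is tcp/445 with three hits from three different sources, which is exactly the pattern Lyle points at: many unrelated addresses all aiming at the same port, so the service behind that port, not the individual addresses, is what to reason about. The single entry from source port 80 to a high port is flagged as a likely reply rather than a probe.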