search for: sipvicious

Hi, Got some great news a few days ago from Sandro Gauci (@SandroGauci) and we'll be talking about this with him this Friday at 1PM. SIPVicious, the free security tools for SIP scanning, now include a new tool: svcrash. It is aimed at helping system administrators stop bandwidth consuming scans making use of svwar and svcrack. Here is the announcement on SIPViscious blog: http://blog.sipvicious.org/2010/06/how-to-crash-sipvicious-introduc...

...t's time to introduce yet another parameter to it - which will cause asterisk to return the same error code for all 3 conditions - and return the "not found" error, even on bad username or password. It breaks the RFC even more, but might it be worth it? (I've just had 30GB of sipvicious traffic sent to my hosted servers in a 12-hour period - it came from what looked like a VPS host in France - trivially firewalled out, but even dropping the packets didn't stop the flood! It's so badly written it appears to just ignore any return codes that it doesn't want, or even...

...901 at 46.101.X.X SIP/2.0 163.172.210.65:5089 46.101.X.X:5060 ?Via: SIP/2.0/UDP 127.0.1.1:5089;branch=z9hG4bK-786048925;rport ???????????????????? ?????????????????????Content-Length: 0 ? OPTIONS ? ?From: "sipvicious"<sip:100 at 1.1.1.1>;tag=3265363530346630313363340132333439343631383137 13:26:10.350316 ? ??????????????????????????> ? ?Accept: application/sdp ? ? ?User-Agent: friendly-scanner ?...

Hi, I've recently had a fairly prolonged SIP registration attack, 18 hours in this case and often with 200 attempts per second, and suspect I've had a number of these in the past. The main symptom I noticed previously was, because Asterisk was responding to each registration request it received, it was very quickly using up my 448 kbps upload limit for my home ADSL connection: any

...en the recent increase in SIP brute force attacks, I've had a little idea. The standard scripts that block after X attempts work well to prevent you actually being compromised, but once you've been 'found' then the attempts seem to keep coming for quite some time. Older versions of sipvicious don't appear to stop once you start sending un-reachables (or straight drops). Now this isn't a problem for Asterisk, but it does add up in (noticeable) bandwidth costs - and for people running on lower bandwidth connections. The tool to crash sipvicious can help this, but very few attacker...

Greetings all, I have been seeing a lot of [Jan 2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite: Sending fake auth rejection for device 100<sip:100 at 108.161.145.18>;tag=2e921697 in my logs lately. Is there a way to automatically ban IP address from attackers within asterisk ? Thank you

Hi, Embarrassed as I am to write this, I am hoping for some advice. One of our very first PBX installs, now six years old, was "taken advantage of" over the past few weeks. A victim of sipvicious, I assume, that managed to guess one of the SIP passwords. 4000 calls to various middle eastern destinations have been placed, which ended up being sent over our customer's PSTN trunk, and of course there was no warning until the bill came today. Unfortunately the bill only covered the fi...

Say, I just picked this up on my messages! There are a whole host of these requests! Anyone know whow there people are? Is there a way to report them? Any suggestions as to how to block them? [Aug 23 10:34:16] NOTICE[1010] chan_sip.c: Registration from '"912" <sip:1 at 41.1.1.1>' failed for '184.106.217.112' - Wrong password [Aug 23 10:34:16] NOTICE[1010]

Hey, I'm going thru logs, and I see some very common and interesting things that the hackers are looking for. In a whole bunch of scans, I've noticed that the first guess or two for sip accounts is usually a 10-digit number. I'm asking myself, why these numbers? Are they looking for a voip trunk? Or is it just like a serial number for the scan? What? Here's some examples:

Asterisk Project Security Advisory - AST-2011-013 Product Asterisk Summary Possible remote enumeration of SIP endpoints with differing NAT settings Nature of Advisory Unauthorized data disclosure Susceptibility Remote

...our or so, then a debate about hosted vs local VoIP services. Hour one guests are Sjur Usken, telecom consultant who has been working with VoIP since 2002 and helping companies migrate to an all IP world and Sandro Gauci, a security researcher and consultant based in, author of VoIP security tools SIPVicious, VOIPPACK and VOIPSCANNER.com. They'll be talking about a number of realistic VoIP attacks and what's being exploited by fraudsters for profit. Hour two we expect Mike Oeth, Junction Networks CEO to join our regulars to talk about hosted vs local VoIP. There's also miscellaneous buzz a...

...list just yet (that'll be next week) I can tell you that there are how-to talks on IPv6 (a double-session!) by the developers of the code (Viagenie), VoIP encryption techniques by the developer of some of the code (Terry Wilson), and a practical session on SIP security by the author of SIPVicious (Sandro Gauci.) If you've talked with me about giving a session, but not actually put it into the then it's not on the consideration list. I know that there are quite a few of you who are enthusiastic about giving a session but haven't quite gained the momentum to fill out the...

Hey all We are seeing intrusion attempts coming from address 201.47.236.122 today They were hitting our switches trying to get in. So we blocked them at our firewall. Just wanted to put the word out so you all can protect your self. Bryant -------------- next part -------------- An HTML attachment was scrubbed... URL:

Hello all. I was recently the victim of a SIP flood attack. I'm wondering what is the best method to prevent such things in the future. Many thanks Greg -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.digium.com/pipermail/asterisk-users/attachments/20101003/2e254523/attachment.htm

Hello, We had been seeing SIP-guessing attacks on our Asterisk server here. While it wasn't that hard to write a once-a-minute cron job to spank the lusers, that runs once a minute and creates little spikes in the usage and I/O graphs, and is slower to respond than I'd really prefer. I felt that it'd be much cooler to get something more comprehensive put together. We don't use

Hi all, Lately, I've seen an increase in the number of attacks against my system from the so-called "Friendly Scanner." When one of these script kiddies targets my server, all I see for symptoms is a few of my trunks become lagged due to server load and a stream of messages on the console that resemble this: [Aug 2 20:27:50] == Using SIP VIDEO CoS mark 6 [Aug 2 20:27:50] ==

An attacker is scanning my Asterisk Switch to gain illegitimate access to VoIP call functionality. Using a sip scanning tool, *it* sends REGISTERs with random identities. And when it discovers one identity subscribed in my switch, it tries to authenticate with random passwords using this user name. For the moment, I have replaced this account. And also blocked the IP it has used but each time

Is there a way to drop a ip connection to asterisk after a number of register attempts. I have been having issues with hackers doing registration scanning against our server. We block their address at the fire wall but since asterisk does not force a drop of the connect after so many bad reg attempts I can't enforce the block until they drop and try again. This allows them to run the box

Hi all, The problem I have been experiencing since last month is that some of my customers are getting calls with "Asterisk <Unknown>" caller id. Most of them in the middle of the night. And my asterisk server has no record of these calls. The customers were getting irritated as you can imagine. I guessed the only way to receive incoming calls by by-passing the registration server

Forgive my ignorance on this as I am still fairly new to Asterisk. I have noticed lately that there have been several attempts to hack our Asterisk server. I see multiple attempts to log in with a particular extension from the same IP address, perhaps hundreds of times per second. It causes the overhead to spike to ~100%. It is more of a pain in the ass than anything. So far what I have been