similar to: Friday at 1PM: SIPVicious has a new tool: svcrash

Greetings all, I have been seeing a lot of [Jan 2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite: Sending fake auth rejection for device 100<sip:100 at 108.161.145.18>;tag=2e921697 in my logs lately. Is there a way to automatically ban IP address from attackers within asterisk ? Thank you

... using it as a tool and understanding what it does... So one part of it's toolset identifys valid SIP accounts - and I was under the impression that alwaysauthreject=yes was supposed to stop this... However, it sends a request for a highly probably non-existent account, then sends requests for probably existing accounts and I guess compares the results - account not found vs. bad

My firewall and asterisk pjsip config only has "permit" options for my ITSP's (SIP trunk) IPs. Here's the script that sets it up. -------------------------------------------------- #!/bin/bash EXIF="eth0" /sbin/iptables --flush /sbin/iptables --policy INPUT DROP /sbin/iptables --policy OUTPUT ACCEPT /sbin/iptables -A INPUT -i lo -j ACCEPT /sbin/iptables -A INPUT -m

Hi, Given the recent increase in SIP brute force attacks, I've had a little idea. The standard scripts that block after X attempts work well to prevent you actually being compromised, but once you've been 'found' then the attempts seem to keep coming for quite some time. Older versions of sipvicious don't appear to stop once you start sending un-reachables (or straight

Hi, I've recently had a fairly prolonged SIP registration attack, 18 hours in this case and often with 200 attempts per second, and suspect I've had a number of these in the past. The main symptom I noticed previously was, because Asterisk was responding to each registration request it received, it was very quickly using up my 448 kbps upload limit for my home ADSL connection: any

Is there a way to drop a ip connection to asterisk after a number of register attempts. I have been having issues with hackers doing registration scanning against our server. We block their address at the fire wall but since asterisk does not force a drop of the connect after so many bad reg attempts I can't enforce the block until they drop and try again. This allows them to run the box

uses for the compromised accounts - one is to get to expensive destinations - e.g. mobiles in eastern european/african destinations, and the other would appear to be pure fraud - e.g. 10 concurrent calls to what looks like a mobile in a country with a dubious telecom infrastructure - which is obviously a destination that charges a high interconnect fee, so one theory is that it's the

Hello all. I was recently the victim of a SIP flood attack. I'm wondering what is the best method to prevent such things in the future. Many thanks Greg -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.digium.com/pipermail/asterisk-users/attachments/20101003/2e254523/attachment.htm

Hi all, Today's jam-packed sessions include the security theme for the first hour or so, then a debate about hosted vs local VoIP services. Hour one guests are Sjur Usken, telecom consultant who has been working with VoIP since 2002 and helping companies migrate to an all IP world and Sandro Gauci, a security researcher and consultant based in, author of VoIP security tools SIPVicious,

AstriCon in Washington DC is only 102 days away! October 26-28 - slightly over three months - time is flying. The early bird discount ($595 for the whole conference) runs out next week - see if you can get in under the wire! The final selection of AstriCon talks is under way. If you've been intending to submit your talk and you missed the June 30 deadline... well, you're late.

Hi, Embarrassed as I am to write this, I am hoping for some advice. One of our very first PBX installs, now six years old, was "taken advantage of" over the past few weeks. A victim of sipvicious, I assume, that managed to guess one of the SIP passwords. 4000 calls to various middle eastern destinations have been placed, which ended up being sent over our customer's PSTN

Say, I just picked this up on my messages! There are a whole host of these requests! Anyone know whow there people are? Is there a way to report them? Any suggestions as to how to block them? [Aug 23 10:34:16] NOTICE[1010] chan_sip.c: Registration from '"912" <sip:1 at 41.1.1.1>' failed for '184.106.217.112' - Wrong password [Aug 23 10:34:16] NOTICE[1010]

Hey, I'm going thru logs, and I see some very common and interesting things that the hackers are looking for. In a whole bunch of scans, I've noticed that the first guess or two for sip accounts is usually a 10-digit number. I'm asking myself, why these numbers? Are they looking for a voip trunk? Or is it just like a serial number for the scan? What? Here's some examples:

Dear mailing list, I've a Asterisk 1.4.21.2~dfsg-3+lenny1 package installed on my debian and I've a strange behavior. After some days running normally, my asterisk is under heavy attack, however, there is nothing logged in the console (logging from debug -> error) or file (level from notice ->error) I can see that there is also a peak on the network traffic. My first guess is that

Asterisk Project Security Advisory - AST-2011-013 Product Asterisk Summary Possible remote enumeration of SIP endpoints with differing NAT settings Nature of Advisory Unauthorized data disclosure Susceptibility Remote

Hey all We are seeing intrusion attempts coming from address 201.47.236.122 today They were hitting our switches trying to get in. So we blocked them at our firewall. Just wanted to put the word out so you all can protect your self. Bryant -------------- next part -------------- An HTML attachment was scrubbed... URL:

Hello, We had been seeing SIP-guessing attacks on our Asterisk server here. While it wasn't that hard to write a once-a-minute cron job to spank the lusers, that runs once a minute and creates little spikes in the usage and I/O graphs, and is slower to respond than I'd really prefer. I felt that it'd be much cooler to get something more comprehensive put together. We don't use

Hi all, Lately, I've seen an increase in the number of attacks against my system from the so-called "Friendly Scanner." When one of these script kiddies targets my server, all I see for symptoms is a few of my trunks become lagged due to server load and a stream of messages on the console that resemble this: [Aug 2 20:27:50] == Using SIP VIDEO CoS mark 6 [Aug 2 20:27:50] ==

An attacker is scanning my Asterisk Switch to gain illegitimate access to VoIP call functionality. Using a sip scanning tool, *it* sends REGISTERs with random identities. And when it discovers one identity subscribed in my switch, it tries to authenticate with random passwords using this user name. For the moment, I have replaced this account. And also blocked the IP it has used but each time

http://VoipUsersConference.org for how to join us live IRC freenode.net #voip-users-conference Question: have any US presidential candidates said anything about technologies of interest to us? I hear Obama plans to have a tech cabinet post, so maybe we won't hear about the "tubes" anymore. Junction Networks CEO Michael Oeth is our guest today to talk about their onSIP.com hosted