Hello to everyone! Same here (Vienna, Austria).
I had this attack yesterday 6am (local time) from IP 216.105.128.63

whois 216.105.128.63 returns:

  OrgName: Globalvision
  OrgID: ACSIN-3
  Address: 78 Global Drive
  Address: Suite 101
  City: Greenville
  StateProv: SC
  PostalCode: 29607
  Country: US
  NetRange: 216.105.128.0 - 216.105.159.255
  CIDR: 216.105.128.0/19
  NetName: ACSINC-BLK-1
  NetHandle: NET-216-105-128-0-1
  Parent: NET-216-0-0-0-0
  NetType: Direct Allocation
  NameServer: NS1.ACSINC.NET
  NameServer: NS2.ACSINC.NET
  Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
  RegDate: 1998-10-19
  Updated: 2004-12-08
  OrgTechHandle: HOSTM560-ARIN
  OrgTechName: Hostmaster
  OrgTechPhone: +1-864-467-1333
  OrgTechEmail: [email protected]

In my case, the attack started at 05:57:45.
Asterisk: 1.2.12.1

They sent 14.288 Register requests trying some "common" users like "test,admin,sip,user,123,1234," and so on. Then they started just counting up from user "0" (0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,.....) and this way, they found valid users until 05:59:09, which is 1 minute and 24 seconds or 170 Registers/second.

After that, they started to send 66.267 registers until 06:24:08 only with the "found" users with random password combinations.
66.267 reg / 1.499 seconds = 44 regs/second

A classic "brute force attack". Interesting that the password attacks came slower than the userid attacks...

At 6:24:23 asterisk obviously crashed because there were no more log entries. I noticed the incident because my office phone number was not reachable when I tried in the morning.

My phones (SNOMs) all are on the same LAN within a 192.168.X.X address range. I wonder if everything would become a little bit more secure if I define them with "host=192.168.X.X" in sip.conf instead of "host=dynamic". I tried it as a quick shot but it didn't work as they still try to register. Does someone know if this was possible and where/how to configure it on the snom side?
greetings,
Norbert
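Added example, not part of Norbert's message: a log check that separates the two phases described above (username enumeration, then password guessing against the found users) by counting failed REGISTERs per source IP. The log line format, the thresholds and all sample lines are assumptions constructed for illustration; adjust the regex to what your Asterisk version writes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed chan_sip NOTICE format for a failed REGISTER (varies by Asterisk version).
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\]: chan_sip\.c:\d+ \w+: "
    r"Registration from '[^']*<sip:(?P<user>[^@>]+)@[^>]*>' "
    r"failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$")

def classify(lines, min_fails=5, min_rate=1.0):
    """Return {ip: (phase, fails, distinct_users, fails_per_second)}."""
    seen = defaultdict(lambda: {"ts": [], "users": set()})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a failed REGISTER line
        rec = seen[m["ip"]]
        rec["ts"].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
        rec["users"].add(m["user"])
    report = {}
    for ip, rec in seen.items():
        fails = len(rec["ts"])
        # Floor the time span at 1 s so a single burst does not divide by zero.
        span = max((max(rec["ts"]) - min(rec["ts"])).total_seconds(), 1.0)
        rate = fails / span
        if fails < min_fails or rate < min_rate:
            continue  # e.g. one phone with a mistyped password
        # Mostly distinct usernames = enumeration; few names retried = guessing.
        phase = "enumeration" if len(rec["users"]) > fails / 2 else "password-guessing"
        report[ip] = (phase, fails, len(rec["users"]), round(rate, 1))
    return report

def sample():
    """Constructed log lines (not from the post): scanner, guesser, one phone typo."""
    fmt = ("[Oct 12 05:57:{s:02d}] NOTICE[2101]: chan_sip.c:1 handle_request_register: "
           "Registration from '<sip:{u}@pbx.example>' failed for '{ip}' - {why}")
    scan = [fmt.format(s=i // 2, u=str(i), ip="203.0.113.7",
                       why="No matching peer found") for i in range(20)]
    guess = [fmt.format(s=10 + i // 4, u="101", ip="203.0.113.9",
                        why="Wrong password") for i in range(20)]
    typo = [fmt.format(s=30, u="102", ip="192.168.0.20", why="Wrong password")]
    return scan + guess + typo

if __name__ == "__main__":
    for ip, row in classify(sample()).items():
        print(ip, row)
```

The flagged addresses can then be fed to a firewall rule or a rate limiter in front of the SIP port.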
