Always start here... http://www.spamhaus.org/drop/
If the AS is stolen, you can block the network and never have to worry about it...

~
Andrew "lathama" Latham [email protected]

* Learn more about OSS http://en.wikipedia.org/wiki/Open-source_software
* Learn more about Linux http://en.wikipedia.org/wiki/Linux
* Learn more about Tux http://en.wikipedia.org/wiki/Tux

On Thu, Oct 21, 2010 at 12:41 PM, Steve Howes <[email protected]> wrote:
> Hi,
>
> Given the recent increase in SIP brute force attacks, I've had a little idea.
>
> The standard scripts that block after X attempts work well to prevent you
> actually being compromised, but once you've been 'found' then the attempts
> seem to keep coming for quite some time. Older versions of sipvicious don't
> appear to stop once you start sending un-reachables (or straight drops). Now
> this isn't a problem for Asterisk, but it does add up in (noticeable)
> bandwidth costs - and for people running on lower bandwidth connections. The
> tool to crash sipvicious can help this, but very few attackers seem to obey
> it..
>
> The only way I can see to alleviate this, is to blacklist hosts *before* they
> attack. This means you won't ever be targeted past an initial scan.
>
> Is there any interest in a 'shared' blacklist (similar to spam blacklists,
> but obviously implemented in a way that is more usable with
> Asterisk/iptables)? Clearly it raises issues about false positives etc, but
> requiring reports from more than X hosts should alleviate this. There's all
> the usual de-listing / false-listing worries as with any blacklist, but the
> SMTP world has solutions we could learn from.
>
> Leaving a 'honeypot' running on a single IP address has revealed a few
> hundred addresses in less than a month. I am fairly certain these are all
> 'bad' as this host isn't used for anything else. There is obviously a wealth
> of data (and attacks) out there that would be good to share.
>
> Anyone have any thoughts?
>
> S
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
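The "reports from more than X hosts" rule discussed in the quoted message, sketched as an added example that is not part of the original thread: it counts distinct reporters per address, expires old reports, honours an allowlist, and renders the result as `ipset restore` input. The reporter names, the set name `sip_shared_bl`, the thresholds and the sample reports are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample reports: (reporter, source IP of failed SIP auth, unix time).
# Reporter names are hypothetical; addresses are RFC 5737 documentation ranges.
REPORTS = [
    ("pbx-a", "198.51.100.7", 99000),
    ("pbx-b", "198.51.100.7", 99100),
    ("pbx-c", "198.51.100.7", 99200),   # three distinct reporters
    ("pbx-a", "203.0.113.9", 99000),
    ("pbx-a", "203.0.113.9", 99300),    # same reporter twice counts once
    ("pbx-a", "192.0.2.10", 99000),
    ("pbx-b", "192.0.2.10", 99000),
    ("pbx-c", "192.0.2.10", 99000),     # allowlisted below (e.g. a known trunk)
    ("pbx-a", "198.51.100.50", 100),
    ("pbx-b", "198.51.100.50", 100),
    ("pbx-c", "198.51.100.50", 100),    # stale, older than max_age
    ("pbx-d", "not-an-ip", 99000),      # malformed, ignored
]


def build_blacklist(reports, now, x=2, max_age=86400, allow=()):
    """Return IPv4 addresses reported by MORE than x distinct reporters."""
    allow_nets = [ipaddress.ip_network(n) for n in allow]
    reporters = defaultdict(set)
    for reporter, raw_ip, ts in reports:
        if now - ts > max_age:
            continue                     # old reports expire (automatic de-listing)
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            continue                     # reporter input is untrusted
        if ip.version != 4 or any(ip in net for net in allow_nets):
            continue                     # hash:ip set below is IPv4; skip allowlisted
        reporters[ip].add(reporter)
    return [str(ip) for ip in sorted(reporters) if len(reporters[ip]) > x]


def ipset_restore(ips, set_name="sip_shared_bl", ttl=86400):
    """Render input for `ipset restore`; set_name is a hypothetical name."""
    lines = [f"create {set_name} hash:ip timeout {ttl} -exist"]
    lines += [f"add {set_name} {ip} -exist" for ip in ips]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    listed = build_blacklist(REPORTS, now=100000, allow=["192.0.2.0/24"])
    print(ipset_restore(listed), end="")
```

The resulting set can be matched from iptables with `-m set --match-set sip_shared_bl src -j DROP` on the SIP port, so entries age out with the set timeout instead of accumulating as individual rules.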
