Hi all
We have an Asterisk server that's been running for a few years now without problems. We have IPTables running, as well as fail2ban, and have followed all the security recommendations we have found. Every few weeks we get an attack that lasts about a minute or two, resulting in our AGI script being overloaded.

What happens is that somebody seems to be trying to connect from our server. In my CDR log I can see that they use a four-digit number for source, destination and caller ID, e.g.:

    clid: 7321 src: 7321 dst: 7321 channel: SIP/xx.xx.xx.xx-aaaaaaaa

xx.xx.xx.xx is our server IP. When one of our registered users makes a call the channel is SIP/yyyyyyyy-aaaaaaaa, where yyyyyyyy is the SIP user ID. So it looks like a SIP phone trying to call itself, using our Asterisk server IP as SIP user name. Within a couple of minutes the attacker seems to go through some 10000 attempts, resulting in our AGI script collapsing from the load.

My Asterisk full log shows something like:

    -- Executing [7321@sip:1] Answer("SIP/xx.xx.xx.xx-b0828f20", "") in new stack
    -- Executing [7321@sip:2] AGI("SIP/ xx.xx.xx.xx -b0828f20", "agi:// xx.xx.xx.xx ") in new stack
    -- Executing [7321@sip:3] Hangup("SIP/ xx.xx.xx.xx -b6130f70", "") in new stack
    == Spawn extension (sip, 7321, 3) exited non-zero on 'SIP/ xx.xx.xx.xx -b6130f70'
    > cdr_odbc: Query Successful!
    -- AGI Script agi:// xx.xx.xx.xx completed, returning 0

Our AGI script refuses to call illegal numbers, while our Asterisk dialplan is a bit more accommodating, mostly because I have had problems figuring out the order in which to put the various rules (I might have another look at that!).

Does anybody know how to stop this from happening? I can't find the attacker's IP number in my logs, and these attacks happen infrequently and are over quickly, so that I haven't had an opportunity to run sip debug during an attack, and I don't want to have it running all the time.

Best regards
Binni

Brynjólfur Þorvarðsson
IT Consultant
Tlf. +45 88321688
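The CDR pattern described in the post (caller ID, source and destination all equal, and the server's own IP in the SIP/ channel name where a registered user's ID would normally be) is easy to check for automatically, so a short script watching the CDR table or log can raise an alert, or count how many such records land in one minute, before the AGI script is overloaded. The following is an added example, not code from the original post or from the Asterisk project: it assumes the CDR fields named in the post (clid, src, dst, channel), uses 203.0.113.10 as a stand-in for the xx.xx.xx.xx server address, and runs over constructed sample records.

```python
"""Flag CDR records matching the 'server IP as SIP peer, calling itself' pattern.

Added example, not code from the original post or from Asterisk.  The CDR field
layout (clid/src/dst/channel) follows the post; the server IP, the timestamps
and the sample records below are constructed placeholders.
"""
import re
from collections import Counter
from datetime import datetime

# Assumed placeholder for the server's own address (written xx.xx.xx.xx in the post).
SERVER_IP = "203.0.113.10"

# Channel names look like SIP/<peer>-<hex id>; the peer is a SIP user id for
# registered users and the server IP itself in the suspicious records.  The
# regex tolerates the stray spaces seen in the post's log excerpt.
CHANNEL_RE = re.compile(r"^SIP/\s*(?P<peer>[^-\s]+)\s*-[0-9a-fA-F]+$")


def channel_peer(channel):
    """Return the peer part of 'SIP/<peer>-<id>' (whitespace-tolerant), or None."""
    m = CHANNEL_RE.match(channel.strip())
    return m.group("peer") if m else None


def is_self_call(clid, src, dst, channel, server_ip=SERVER_IP):
    """True when clid == src == dst and the channel's peer is the server's own IP."""
    return clid == src == dst and channel_peer(channel) == server_ip


def burst_minutes(cdrs, threshold, server_ip=SERVER_IP):
    """Count suspicious records per calendar minute and return the minutes that
    reach the threshold, so an alert can fire while the burst is still running."""
    per_minute = Counter()
    for calldate, clid, src, dst, channel in cdrs:
        if is_self_call(clid, src, dst, channel, server_ip):
            minute = datetime.strptime(calldate, "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H:%M")
            per_minute[minute] += 1
    return {minute: n for minute, n in per_minute.items() if n >= threshold}


# Constructed sample CDRs: (calldate, clid, src, dst, channel).
SAMPLE_CDRS = [
    # legitimate call from registered user 2012
    ("2011-05-03 10:00:01", "2012", "2012", "4512345678", "SIP/2012-0000a1b2"),
    # three records matching the pattern from the post, within one minute
    ("2011-05-03 10:00:05", "7321", "7321", "7321", "SIP/203.0.113.10-b0828f20"),
    ("2011-05-03 10:00:05", "7322", "7322", "7322", "SIP/ 203.0.113.10 -b6130f70"),
    ("2011-05-03 10:00:06", "7323", "7323", "7323", "SIP/203.0.113.10-b0829a11"),
    # a user dialling their own number: peer is a user id, so not flagged
    ("2011-05-03 10:01:10", "2012", "2012", "2012", "SIP/2012-0000a1c9"),
]

if __name__ == "__main__":
    for rec in SAMPLE_CDRS:
        print("SUSPICIOUS" if is_self_call(*rec[1:]) else "ok        ", rec[1:])
    print(burst_minutes(SAMPLE_CDRS, threshold=3))
```

The check on the channel peer is what separates the pattern in the post from an ordinary user dialling their own extension: only records whose SIP peer is the server's own address are flagged, and the per-minute count gives a threshold that can be tuned to the normal call rate.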
--
asterisk-users mailing list
http://lists.digium.com/mailman/listinfo/asterisk-users