Re: [asterisk-users] SIP invite timeouts : how is someone sending invites from our server ??

2017-12-30 Thread Dovid Bender
Script kiddies trying to find vulnerable systems that they can make calls
on. Lock down the box with iptables and use fail2ban to block them. The via
is probably bogus unless a box at the DoD was compromised.



On Sat, Dec 30, 2017 at 6:49 PM, sean darcy  wrote:

> I've been getting a lot of timeouts on non-critical invite transactions. I
> turned on sip debug. They were the result of SIP invites like this:
>
> Retransmitting #10 (NAT) to 185.107.94.10:13057:
> SIP/2.0 401 Unauthorized
> Via: SIP/2.0/UDP 215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p;received=185.107.94.10;rport=13057
> From: ;tag=fptfih1e
> To: ;tag=as2913c67b
> Call-ID: 5YpLDUSIs6l3xbDXsurYTu..
> CSeq: 1 INVITE
> Server: Asterisk PBX 13.19.0-rc1
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO,
> PUBLISH, MESSAGE
> Supported: replaces, timer
> WWW-Authenticate: Digest algorithm=MD5, realm="asterisk_home",
> nonce="14be1363"
> Content-Length: 0
>
> ---
>  WARNING[1868]: chan_sip.c:4065 retrans_pkt: Retransmission timeout
> reached on transmission 5YpLDUSIs6l3xbDXsurYTu.. for seqno 1 (Non-critical
> Response) -- See
> https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
> Packet timed out after 32000ms with no response
>  WARNING[1868]: chan_sip.c:4124 retrans_pkt: Timeout on
> 5YpLDUSIs6l3xbDXsurYTu.. on non-critical invite transaction.
>
> Looking up the ip addresses :
>
> whois 185.107.94.10
> .
> inetnum:185.107.94.0 - 185.107.94.255
> netname:NFORCE_ENTERTAINMENT
> descr:  Serverhosting
> ..
> organisation:   ORG-NE3-RIPE
> org-name:   NForce Entertainment B.V.
> org-type:   LIR
> address:Postbus 1142
> address:4700BC
> address:Roosendaal
> address:NETHERLANDS
> phone:  +31206919299
> ...
>
> whois 215.45.145.211
> .
> NetRange:   215.0.0.0 - 215.255.255.255
> CIDR:   215.0.0.0/8
> NetName:DNIC-NET-215
> NetHandle:  NET-215-0-0-0-1
> Parent:  ()
> NetType:Direct Assignment
> OriginAS:
> Organization:   DoD Network Information Center (DNIC)
> RegDate:1998-06-04
> Updated:2011-06-21
> Ref:https://whois.arin.net/rest/net/NET-215-0-0-0-1
>
>
>
> OrgName:DoD Network Information Center
> OrgId:  DNIC
> Address:3990 E. Broad Street
> City:   Columbus
> StateProv:  OH
>
> So how is someone on a Dutch ISP using my server to mess with a US DoD ip
> address ?
>
>
> --
> _
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Check out the new Asterisk community forum at:
> https://community.asterisk.org/
>
> New to Asterisk? Start here:
>  https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
>

Re: [asterisk-users] SIP invite timeouts : how is someone sending invites from our server ??

2017-12-30 Thread Antony Stone
On Sunday 31 December 2017 at 00:49:17, sean darcy wrote:

> I've been getting a lot of timeouts on non-critical invite transactions.

> So how is someone on a Dutch ISP using my server to mess with a US DoD
> ip address ?

What's your setting for "allowguest" (under [general]) in 
/etc/asterisk/sip.conf ?

What are your firewall rules for UDP 5060?


Antony.

-- 
Wanted: telepath.   You know where to apply.

   Please reply to the list;
 please *don't* CC me.



[asterisk-users] SIP invite timeouts : how is someone sending invites from our server ??

2017-12-30 Thread sean darcy
I've been getting a lot of timeouts on non-critical invite transactions. 
I turned on sip debug. They were the result of SIP invites like this:


Retransmitting #10 (NAT) to 185.107.94.10:13057:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p;received=185.107.94.10;rport=13057
From: ;tag=fptfih1e
To: ;tag=as2913c67b
Call-ID: 5YpLDUSIs6l3xbDXsurYTu..
CSeq: 1 INVITE
Server: Asterisk PBX 13.19.0-rc1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk_home", nonce="14be1363"
Content-Length: 0

---
 WARNING[1868]: chan_sip.c:4065 retrans_pkt: Retransmission timeout reached on transmission 5YpLDUSIs6l3xbDXsurYTu.. for seqno 1 (Non-critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
 WARNING[1868]: chan_sip.c:4124 retrans_pkt: Timeout on 5YpLDUSIs6l3xbDXsurYTu.. on non-critical invite transaction.


Looking up the ip addresses :

whois 185.107.94.10
.
inetnum:185.107.94.0 - 185.107.94.255
netname:NFORCE_ENTERTAINMENT
descr:  Serverhosting
..
organisation:   ORG-NE3-RIPE
org-name:   NForce Entertainment B.V.
org-type:   LIR
address:Postbus 1142
address:4700BC
address:Roosendaal
address:NETHERLANDS
phone:  +31206919299
...

whois 215.45.145.211
.
NetRange:   215.0.0.0 - 215.255.255.255
CIDR:   215.0.0.0/8
NetName:DNIC-NET-215
NetHandle:  NET-215-0-0-0-1
Parent:  ()
NetType:Direct Assignment
OriginAS:
Organization:   DoD Network Information Center (DNIC)
RegDate:1998-06-04
Updated:2011-06-21
Ref:https://whois.arin.net/rest/net/NET-215-0-0-0-1



OrgName:DoD Network Information Center
OrgId:  DNIC
Address:3990 E. Broad Street
City:   Columbus
StateProv:  OH

So how is someone on a Dutch ISP using my server to mess with a US DoD 
ip address ?
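
Added example, not part of the original thread and not Asterisk code: the Via sent-by value is written by the sender, while received= and rport are filled in by the server from the packet's real source, so the 401 above only ever went to 185.107.94.10. The Python below reads chan_sip debug text in the format shown in this thread and reports the claimed versus observed address; the sample text (second block uses documentation addresses), function names and verdict labels are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the first block mirrors the 401 quoted in this thread,
# the second is made up to show an ordinary NATed phone for contrast.
SAMPLE_DEBUG = """\
Retransmitting #10 (NAT) to 185.107.94.10:13057:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p;received=185.107.94.10;rport=13057
CSeq: 1 INVITE

Retransmitting #2 (NAT) to 198.51.100.7:40212:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK-constructed1;received=198.51.100.7;rport=40212
CSeq: 1 INVITE
"""

DEST_RE = re.compile(r"^Retransmitting #\d+ \((?:no )?NAT\) to ([\d.]+):(\d+):", re.M)
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/UDP\s+([^;:\s]+)(?::\d+)?((?:;[^\r\n]*)?)", re.M)

def classify(claimed, observed):
    """Compare the client-written sent-by with the address the server saw."""
    if claimed == observed:
        return "match"
    try:
        private = ipaddress.ip_address(claimed).is_private
    except ValueError:            # sent-by may be a hostname
        private = False
    return "nat" if private else "unverified-claim"

def analyse(debug_text):
    """Return one finding per retransmitted response in chan_sip debug text."""
    findings = []
    for block in re.split(r"\n\s*\n", debug_text.strip()):
        dest, via = DEST_RE.search(block), VIA_RE.search(block)
        if not (dest and via):
            continue
        params = dict(p.partition("=")[::2] for p in via.group(2).split(";") if p)
        claimed = via.group(1)
        observed = params.get("received", claimed)   # received= is added by the server
        findings.append({"claimed": claimed, "observed": observed,
                         "reply_to": dest.group(1),
                         "verdict": classify(claimed, observed)})
    return findings

def suspect_sources(findings):
    """Address to act on (firewall, fail2ban) is the observed source, never the Via claim."""
    return sorted({f["observed"] for f in findings if f["verdict"] == "unverified-claim"})
```

Running analyse(SAMPLE_DEBUG) reports 215.45.145.211 only as a claim; the address that actually sent the INVITE, and the one any iptables or fail2ban rule should name, is the received= value.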


