Re: SIP - perhaps botnet? anyone else seeing this?

2009-04-15 Thread Dane
The timing of your email as well as a couple of seemingly unrelated things that I have heard about make me think this might be related to some large toll fraud scheme. Today I heard from someone who says Verizon is telling them they see about 700 calls per hour to Cuba originating from their PRI.

Re: SIP - perhaps botnet? anyone else seeing this?

2009-04-15 Thread Leland E. Vandervort
Managed to get to the bottom of it, and it was indeed a SIP User-Agent brute-force attempt. Interestingly, though, your mail mentions Verizon specifically... the majority of the remote addresses during this brute-force attempt were also behind Verizon... coincidence? Hmm.. Regards,

RE: SIP - perhaps botnet? anyone else seeing this?

2009-04-15 Thread Mike Goldman
ACLs at the perimeter and/or on the gateways might help.

Thanks,
Mike Goldman

-Original Message-
From: Leland E. Vandervort [mailto:lel...@taranta.discpro.org]
Sent: Wednesday, April 15, 2009 11:39 AM
To: Dane
Cc: nanog@nanog.org
Subject: Re: SIP - perhaps botnet? anyone else seeing

Re: SIP - perhaps botnet? anyone else seeing this?

2009-04-15 Thread Andy Davidson
On Wed, Apr 15, 2009 at 11:35:43AM -0500, Dane wrote:
> Today I heard from someone who says Verizon is telling them they see about 700 calls per hour to Cuba originating from their PRI.

Obviously some type of toll fraud. In the same way that it's possible to configure a mail relay as a device

Re: SIP - perhaps botnet? anyone else seeing this?

2009-04-11 Thread Steven M. Bellovin
On Fri, 10 Apr 2009 10:20:35 + (GMT) Leland E. Vandervort lel...@taranta.discpro.org wrote:
> On Fri, 10 Apr 2009, Roland Dobbins wrote:
> > IANAL, but I suggest you check again with your legal department - I doubt this is actually the case (your jurisdiction may vary, but in most

SIP - perhaps botnet? anyone else seeing this?

2009-04-10 Thread Leland E. Vandervort
Hi All,

Over the past couple of days we have been seeing an exponential increase (about 200-fold) in the amount of UDP SIP Control traffic in our netflow data. The past 24 hours, for example, has shown a total of nearly 300 GB of this traffic incoming and over 400 GB outgoing -- this despite

Re: SIP - perhaps botnet? anyone else seeing this?

2009-04-10 Thread Leland E. Vandervort
Legally speaking, we can't grab packets in this sense without a specific validated complaint, court orders, and that kind of thing... So all we can do in the absence of a specific complaint is in the context of our day to day traffic analysis from the netflow data to identify anomalies..

Re: SIP - perhaps botnet? anyone else seeing this?

2009-04-10 Thread Roland Dobbins
On Apr 10, 2009, at 4:45 PM, Leland E. Vandervort wrote:
> UDP SIP Control traffic in our netflow data.

Have you grabbed some packets in order to ensure it's actually SIP, vs. something else on the same ports? If it really is SIP-related, this could be caused by botted hosts launching a

Re: SIP - perhaps botnet? anyone else seeing this?

2009-04-10 Thread Roland Dobbins
On Apr 10, 2009, at 5:32 PM, Leland E. Vandervort wrote:
> legally speaking, we can't grab packets in this sense without a specific validated complaint, court orders, and that kind of thing...

IANAL, but I suggest you check again with your legal department - I doubt this is actually the

Re: SIP - perhaps botnet? anyone else seeing this?

2009-04-10 Thread Leland E. Vandervort
On Fri, 10 Apr 2009, Roland Dobbins wrote:
> IANAL, but I suggest you check again with your legal department - I doubt this is actually the case (your jurisdiction may vary, but in most Western nations, you can grab packets for diagnostic/troubleshooting/forensics purposes).

Already did

Re: SIP - perhaps botnet? anyone else seeing this?

2009-04-10 Thread Randy Bush
to answer your question, as opposed to telling you how to run your business, yes. we are seeing a low level, distributed source, sip probing across a wide swath of target space. it goes back a long time.

randy