Re: [WISPA] port 5060 relaying attack?

2010-10-11 Thread Kurt Fankhauser
Ok I was just looking at my firewall rules. I have a rule that was instead
of “dropping” blacklisted IPs it was “tarpitting” them. Do you think the
tarpit may have been the problem? I changed that rule to drop instead and
haven’t had the problem since.

 

Kurt Fankhauser

WAVELINC

P.O. Box 126

Bucyrus, OH 44820

419-562-6405

 

 

  _  

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of RickG
Sent: Saturday, October 09, 2010 6:13 PM
To: WISPA General List
Subject: Re: [WISPA] port 5060 relaying attack?

 

Packet sniffer works better for this.

On Sat, Oct 9, 2010 at 5:45 PM, Gustavo Santos gustkil...@gmail.com wrote:

Try using MikroTik's TORCH on your WAN interface to see exactly what's
going on.

2010/10/8 Kurt Fankhauser k...@wavelinc.com

I think it's starting from outside

 

Kurt Fankhauser

WAVELINC

P.O. Box 126

Bucyrus, OH 44820

419-562-6405

 

 

  _  

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Cameron Crum
Sent: Friday, October 08, 2010 3:09 PM
To: WISPA General List
Subject: Re: [WISPA] port 5060 relaying attack?

 

Can't you look at the inside of your network to see which IP is generating
the traffic? Or is it originating off your network?

On Thu, Oct 7, 2010 at 11:17 PM, RickG rgunder...@gmail.com wrote:

I had that same EXACT thing happen to me about a month ago. Sniffed it out
(with the help from the list) and blocked the ip. Yes, I'm on TW fiber.
-RickG

On Thu, Oct 7, 2010 at 4:22 PM, Kurt Fankhauser k...@wavelinc.com wrote:

I never have had this happen for 6 years until I got my new fiber line
installed from Time Warner. Apparently a few times a day someone starts a
relay of SIP connections (or so it appears) through my fiber connection. It
maxes out the download and upload of my 30/30 meg fiber and has about
30k-50k packets-per-second coming in and going right back out at the same
time it maxes out the RB1000 CPU usage. Most of the time the problem only
lasts for a few minutes but earlier today it lasted for over an hour. I have
attached a few screenshots from Winbox during the attack. The 98.102.246.252
address is the address that all my NAT customers are being SRCNAT'ed to.
Does anyone have a dynamic firewall rule handy that would stop this? I can't
seem to find the IP address it is coming from because my core router's IPs
are the ones showing up in the firewall connections. Possibly being
spoofed I presume.

 

-Kurt Fankhauser

WAVELINC

P.O. Box 126

Bucyrus, OH 44820

www.wavelinc.com

 



WISPA Wants You! Join today!
http://signup.wispa.org/



WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/








Re: [WISPA] port 5060 relaying attack?

2010-10-11 Thread Josh Luthman
...delays incoming connections for as long as possible.

http://en.wikipedia.org/wiki/Tarpit_%28networking%29

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373



Re: [WISPA] port 5060 relaying attack?

2010-10-11 Thread RickG
Was hoping you'd chime in Josh :)


Re: [WISPA] port 5060 relaying attack?

2010-10-11 Thread Josh Luthman
I am being sneaky sneaky sir =)

You can probably just drop all 5060/tcp input forever as I seriously doubt
your Mikrotik is a SIP gateway.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373



Re: [WISPA] port 5060 relaying attack?

2010-10-11 Thread RickG
Amen on both counts :)


Re: [WISPA] port 5060 relaying attack?

2010-10-11 Thread Kurt Fankhauser
For now what I’ve done is I blocked input port 5060 and on forward if anyone
tries to access port 5060 it adds them to a Blacklist for blocked IPs.

 

Kurt Fankhauser

WAVELINC

P.O. Box 126

Bucyrus, OH 44820

419-562-6405
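
An added example, not part of the original thread: one way to write the rules described in this message in RouterOS syntax, with the earlier tarpit rule shown commented out beside the drop that replaced it. The interface name `ether1-wan` and the address-list name `sip-blacklist` are assumptions, and the rules cover both UDP and TCP because SIP commonly runs over UDP 5060.

```routeros
# Added example. ether1-wan and sip-blacklist are assumed names;
# substitute the WAN interface and address list used on your router.
/ip firewall filter

# Before (as described earlier in the thread): blacklisted sources were
# tarpitted. tarpit only matches TCP; it answers each inbound SYN with a
# SYN/ACK and holds the connection, so the router keeps replying to the
# very hosts it has blacklisted.
# add chain=forward protocol=tcp src-address-list=sip-blacklist \
#     action=tarpit comment="old: tarpit blacklisted sources"

# After: silently drop blacklisted sources. drop sends nothing back.
add chain=input src-address-list=sip-blacklist action=drop \
    comment="drop blacklisted sources to the router"
add chain=forward src-address-list=sip-blacklist action=drop \
    comment="drop blacklisted sources through the router"

# The router itself is not a SIP gateway: drop SIP addressed to it.
add chain=input in-interface=ether1-wan protocol=udp dst-port=5060 \
    action=drop comment="no SIP service on the router (UDP)"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=5060 \
    action=drop comment="no SIP service on the router (TCP)"

# New SIP arriving from the WAN and heading through the router: record the
# source, then drop the packet. add-src-to-address-list does not stop rule
# processing, so the drop rules after it are required.
# connection-state=new plus in-interface keeps replies to customers' own
# outbound calls out of the blacklist (assumption: customers register out
# to hosted VoIP providers rather than accepting unsolicited inbound SIP).
# The timeout is finite because UDP source addresses can be spoofed, so a
# permanent entry could block an address that never sent the traffic.
add chain=forward in-interface=ether1-wan protocol=udp dst-port=5060 \
    connection-state=new action=add-src-to-address-list \
    address-list=sip-blacklist address-list-timeout=1d \
    comment="blacklist unsolicited inbound SIP (UDP)"
add chain=forward in-interface=ether1-wan protocol=tcp dst-port=5060 \
    connection-state=new action=add-src-to-address-list \
    address-list=sip-blacklist address-list-timeout=1d \
    comment="blacklist unsolicited inbound SIP (TCP)"
add chain=forward in-interface=ether1-wan protocol=udp dst-port=5060 \
    connection-state=new action=drop comment="drop the triggering packet (UDP)"
add chain=forward in-interface=ether1-wan protocol=tcp dst-port=5060 \
    connection-state=new action=drop comment="drop the triggering packet (TCP)"
```

Rule order matters: the two `src-address-list` drops must sit above any accept rules in their chains so blacklisted sources are discarded before anything else evaluates them.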

 

 

  _  


Re: [WISPA] port 5060 relaying attack?

2010-10-09 Thread Gustavo Santos
Try using MikroTik's TORCH on your WAN interface to see exactly what's
going on.


-- 
Gustavo Santos
Network Analyst
-Technologist in Computer Networks
-Postgraduate student in Computer Networks and Telecommunications
-Cisco Certified Network Associate
-Juniper Certified Internet Associate - ER
-Mikrotik Certified Consultant




Re: [WISPA] port 5060 relaying attack?

2010-10-09 Thread RickG
Packet sniffer works better for this.

On Sat, Oct 9, 2010 at 5:45 PM, Gustavo Santos gustkil...@gmail.com wrote:

 Try using mikrotik´s TORCH  on your wan interface to see exectly what´s
 going on.

 2010/10/8 Kurt Fankhauser k...@wavelinc.com

  I think its starting from outsite



 Kurt Fankhauser

 WAVELINC

 P.O. Box 126

 Bucyrus, OH 44820

 419-562-6405




   --

 *From:* wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] *On
 Behalf Of *Cameron Crum
 *Sent:* Friday, October 08, 2010 3:09 PM
 *To:* WISPA General List
 *Subject:* Re: [WISPA] port 5060 relaying attack?



 Can't you look at the inside of your network to see which ip is generating
 the traffic? O Ris it originating off your network?

 On Thu, Oct 7, 2010 at 11:17 PM, RickG rgunder...@gmail.com wrote:

 I had that same EXACT thing happen to me about a month ago. Sniffed it out
 (with the help from the list) and blocked the ip. Yes, I'm on TW fiber.
 -RickG

 On Thu, Oct 7, 2010 at 4:22 PM, Kurt Fankhauser k...@wavelinc.com
 wrote:

   I never have had this happen for 6 years until I got my new fiber line
 installed form Time Warner. Apparently a few times a day somone starts a
 relay of SIP connections (or so it appears) through my fiber connection. It
 maxes out the download and upload of my 30/30 meg fiber and has about
 30k-50k packets-per-second coming in and going right back out at the same
 time it maxes out the RB1000 CPU usage. Most of the time the problem only
 last for a few minutes but earlier today it lasted for over an hour. I have
 attached a few screenshots from Winbox during the attack. The 98.102.246.252
 address is the address that all my NAT customers are being SRCNAT'ed to.
 Does anyone have a dynamic firewall rule handy that would stop this? I can't
 seem to find the IP address it is coming from because my core router's IP's
 are the ones showing up in the fire wall connections. Possibly be-ing
 spoofed I presume.



 -Kurt Fankhauser

 WAVELINC

 P.O. Box 126

 Bucyrus, OH 44820

 www.wavelinc.com




 
 WISPA Wants You! Join today!
 http://signup.wispa.org/

 

 WISPA Wireless List: wireless@wispa.org

 Subscribe/Unsubscribe:
 http://lists.wispa.org/mailman/listinfo/wireless

 Archives: http://lists.wispa.org/pipermail/wireless/






 
 WISPA Wants You! Join today!
 http://signup.wispa.org/

 

 WISPA Wireless List: wireless@wispa.org

 Subscribe/Unsubscribe:
 http://lists.wispa.org/mailman/listinfo/wireless

 Archives: http://lists.wispa.org/pipermail/wireless/






 
 WISPA Wants You! Join today!
 http://signup.wispa.org/

 

 WISPA Wireless List: wireless@wispa.org

 Subscribe/Unsubscribe:
 http://lists.wispa.org/mailman/listinfo/wireless

 Archives: http://lists.wispa.org/pipermail/wireless/




 --
 Gustavo Santos
 Network Analyst
 -Technologist in Computer Networks
 -Postgraduate Student in Computer Networks and Telecommunications
 -Cisco Certified Network Associate
 -Juniper Certified Internet Associate - ER
 -Mikrotik Certified Consultant





 

Re: [WISPA] port 5060 relaying attack?

2010-10-08 Thread Jim Patient

 http://www.e-c-group.com/news/2010-06-02-sip-registration-attacks/
http://www.freepbx.org/forum/freepbx/users/security-alert-is-port-5060-open-on-your-router

Jim Patient
Cell: 314-565-6863
Desk: 636-692-4200
YIM: jeffcosoho
www.wlan1.com
www.linktechs.net
www.wifimidwest.com


On 10/8/2010 2:09 PM, Cameron Crum wrote:
Can't you look at the inside of your network to see which ip is
generating the traffic? Or is it originating off your network?


On Thu, Oct 7, 2010 at 11:17 PM, RickG rgunder...@gmail.com wrote:


I had that same EXACT thing happen to me about a month ago.
Sniffed it out (with the help from the list) and blocked the ip.
Yes, I'm on TW fiber. -RickG

On Thu, Oct 7, 2010 at 4:22 PM, Kurt Fankhauser k...@wavelinc.com wrote:

I never have had this happen for 6 years until I got my new
fiber line installed from Time Warner. Apparently a few times
a day someone starts a relay of SIP connections (or so it
appears) through my fiber connection. It maxes out the
download and upload of my 30/30 meg fiber and has about
30k-50k packets-per-second coming in and going right back out
at the same time it maxes out the RB1000 CPU usage. Most of
the time the problem only lasts for a few minutes but earlier
today it lasted for over an hour. I have attached a few
screenshots from Winbox during the attack. The 98.102.246.252
address is the address that all my NAT customers are being
SRCNAT'ed to. Does anyone have a dynamic firewall rule handy
that would stop this? I can't seem to find the IP address it
is coming from because my core router's IPs are the ones
showing up in the firewall connections. Possibly being
spoofed I presume.
-Kurt Fankhauser
WAVELINC
P.O. Box 126
Bucyrus, OH 44820
www.wavelinc.com






Re: [WISPA] port 5060 relaying attack?

2010-10-08 Thread Kurt Fankhauser
I think it's starting from outside

 

Kurt Fankhauser

WAVELINC

P.O. Box 126

Bucyrus, OH 44820

419-562-6405

 

 

  _  

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Cameron Crum
Sent: Friday, October 08, 2010 3:09 PM
To: WISPA General List
Subject: Re: [WISPA] port 5060 relaying attack?

 

Can't you look at the inside of your network to see which ip is generating
the traffic? Or is it originating off your network?

On Thu, Oct 7, 2010 at 11:17 PM, RickG rgunder...@gmail.com wrote:

I had that same EXACT thing happen to me about a month ago. Sniffed it out
(with the help from the list) and blocked the ip. Yes, I'm on TW fiber.
-RickG

On Thu, Oct 7, 2010 at 4:22 PM, Kurt Fankhauser k...@wavelinc.com wrote:

I never have had this happen for 6 years until I got my new fiber line
installed from Time Warner. Apparently a few times a day someone starts a
relay of SIP connections (or so it appears) through my fiber connection. It
maxes out the download and upload of my 30/30 meg fiber and has about
30k-50k packets-per-second coming in and going right back out at the same
time it maxes out the RB1000 CPU usage. Most of the time the problem only
lasts for a few minutes but earlier today it lasted for over an hour. I have
attached a few screenshots from Winbox during the attack. The 98.102.246.252
address is the address that all my NAT customers are being SRCNAT'ed to.
Does anyone have a dynamic firewall rule handy that would stop this? I can't
seem to find the IP address it is coming from because my core router's IPs
are the ones showing up in the firewall connections. Possibly being
spoofed I presume.

 

-Kurt Fankhauser

WAVELINC

P.O. Box 126

Bucyrus, OH 44820

www.wavelinc.com








Re: [WISPA] port 5060 relaying attack?

2010-10-07 Thread Jon Auer
Sounds like a SIP DOS or possibly brute-force attack.
We get them from time to time.

On Thu, Oct 7, 2010 at 3:22 PM, Kurt Fankhauser k...@wavelinc.com wrote:
 I never have had this happen for 6 years until I got my new fiber line
 installed from Time Warner. Apparently a few times a day someone starts a
 relay of SIP connections (or so it appears) through my fiber connection. It
 maxes out the download and upload of my 30/30 meg fiber and has about
 30k-50k packets-per-second coming in and going right back out at the same
 time it maxes out the RB1000 CPU usage. Most of the time the problem only
 lasts for a few minutes but earlier today it lasted for over an hour. I have
 attached a few screenshots from Winbox during the attack. The 98.102.246.252
 address is the address that all my NAT customers are being SRCNAT'ed to.
 Does anyone have a dynamic firewall rule handy that would stop this? I can't
 seem to find the IP address it is coming from because my core router's IPs
 are the ones showing up in the firewall connections. Possibly being
 spoofed I presume.

 -Kurt Fankhauser
 WAVELINC
 P.O. Box 126
 Bucyrus, OH 44820
 www.wavelinc.com


 

Re: [WISPA] port 5060 relaying attack?

2010-10-07 Thread Jeremie Chism
Saw this happen many times when Time Warner was here. When they left and it
changed to Comcast I have not experienced it since. Plays hell on VoIP calls.
Not saying they are initiating it but they sure don't do much to stop it.

Sent from my iPhone4

On Oct 7, 2010, at 3:22 PM, Kurt Fankhauser k...@wavelinc.com wrote:

 I never have had this happen for 6 years until I got my new fiber line 
 installed from Time Warner. Apparently a few times a day someone starts a
 relay of SIP connections (or so it appears) through my fiber connection. It
 maxes out the download and upload of my 30/30 meg fiber and has about 30k-50k
 packets-per-second coming in and going right back out at the same time it
 maxes out the RB1000 CPU usage. Most of the time the problem only lasts for a
 few minutes but earlier today it lasted for over an hour. I have attached a
 few screenshots from Winbox during the attack. The 98.102.246.252 address is
 the address that all my NAT customers are being SRCNAT'ed to. Does anyone
 have a dynamic firewall rule handy that would stop this? I can't seem to find
 the IP address it is coming from because my core router's IPs are the ones
 showing up in the firewall connections. Possibly being spoofed I presume.
  
 -Kurt Fankhauser
 WAVELINC
 P.O. Box 126
 Bucyrus, OH 44820
 www.wavelinc.com
 attack1.JPG
 attack2.JPG
 
 
 

Re: [WISPA] port 5060 relaying attack?

2010-10-07 Thread RickG
I had that same EXACT thing happen to me about a month ago. Sniffed it out
(with the help from the list) and blocked the ip. Yes, I'm on TW fiber.
-RickG

On Thu, Oct 7, 2010 at 4:22 PM, Kurt Fankhauser k...@wavelinc.com wrote:

  I never have had this happen for 6 years until I got my new fiber line
 installed from Time Warner. Apparently a few times a day someone starts a
 relay of SIP connections (or so it appears) through my fiber connection. It
 maxes out the download and upload of my 30/30 meg fiber and has about
 30k-50k packets-per-second coming in and going right back out at the same
 time it maxes out the RB1000 CPU usage. Most of the time the problem only
 lasts for a few minutes but earlier today it lasted for over an hour. I have
 attached a few screenshots from Winbox during the attack. The 98.102.246.252
 address is the address that all my NAT customers are being SRCNAT'ed to.
 Does anyone have a dynamic firewall rule handy that would stop this? I can't
 seem to find the IP address it is coming from because my core router's IPs
 are the ones showing up in the firewall connections. Possibly being
 spoofed I presume.

 -Kurt Fankhauser
 WAVELINC
 P.O. Box 126
 Bucyrus, OH 44820
 www.wavelinc.com




 
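
Added example, not part of any list message: an offline version of the "sniff it out and block the IP" step, which ranks sources by peak packets per second to UDP 5060 and gives each flooder a block expiry, in the manner of a timed address-list entry. The record format, function names, threshold and the 203.0.113.x / 198.51.100.x sources are assumptions constructed for illustration; only 98.102.246.252 comes from the thread.

```python
from collections import defaultdict, deque

SIP_PORT = 5060

def sample_capture():
    """Constructed WAN-side records: 'epoch_ms src dst proto dst_port'."""
    nat = "98.102.246.252"  # SRCNAT address quoted in the thread
    rows = [(1_000_000 + i * 5, "203.0.113.7", nat, "udp", 5060) for i in range(400)]
    rows += [(t, "198.51.100.20", nat, "udp", 5060) for t in (1_000_000, 1_000_500, 1_030_000)]
    rows += [(1_000_000 + i * 10, "203.0.113.9", nat, "tcp", 443) for i in range(100)]
    rows.sort()  # a capture is time-ordered
    return ["%d %s %s %s %d" % r for r in rows]

def scan(lines, pps_threshold, window_ms=1000, block_ms=3_600_000):
    """Return (peak, blocked_until).

    peak maps each source to the most UDP/5060 packets it sent in any
    window_ms span; blocked_until maps sources that exceeded pps_threshold
    to an expiry time, refreshed for as long as the flood continues.
    """
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    peak = defaultdict(int)
    blocked_until = {}
    for line in lines:
        ts, src, _dst, proto, dport = line.split()
        ts, dport = int(ts), int(dport)
        if proto.lower() != "udp" or dport != SIP_PORT:
            continue  # only SIP signalling over UDP is of interest here
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window_ms:
            q.popleft()
        peak[src] = max(peak[src], len(q))
        if len(q) > pps_threshold:
            blocked_until[src] = ts + block_ms
    return dict(peak), blocked_until

if __name__ == "__main__":
    peak, blocked = scan(sample_capture(), pps_threshold=50)
    for src, pps in sorted(peak.items(), key=lambda kv: -kv[1]):
        state = "BLOCK until %d" % blocked[src] if src in blocked else "ok"
        print("%-15s peak=%4d pkt/s  %s" % (src, pps, state))
```

The per-source window keeps an ordinary phone that re-registers a few times well below the threshold, so only the flooding source ends up on the timed block list.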