On 10/15/10 6:52 AM, Tony Graziano wrote:
I am hardened and had no issues. I just found the fact that it is a real
domain with sip on a subdomain that is not published ANYWHERE until a few
hours before the attack, which was very limited since I had cps throttled in
a way that mitigated it gracefully, which was all in another post.
I would love to get those patches that allow me to use a different port
for sip url calls!
No, it doesn't solve the problem, but will cut down on it.
Your firewall can 'tarpit' anyone (except your ITSP) who hits port 5060
once you have the ports swapped.
Tarpitting can effectively slow the attack down, limiting the bandwidth
the attacker can use.
Another idea taken from anti-spam systems is the concept of a 'siptrap'
(like a spam trap). Someone hits sip:[email protected] and our sip
system 'pretends' to talk to him.
We might start reporting these ip addresses to dshield.org. The
combination of posts here, and data collected by dshield.org assisted a
couple of security researchers in justifying tracking the Amazon EC2
Cloud ip addresses which were extensively used in sipvicious attacks a
while back. Amazon saw the correlation and put measures in place to
stop the abuse of their network. (I wonder: someone uses the Amazon
cloud to look for open sip servers in order to commit toll fraud. I bet
they used their own credit card to pay for you, what do you think?)
Anyway, a collective way to track and maybe block these folks who are
doing this would add to a 'defense in depth' approach to the problem.
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation
sipx-users mailing list
List Archive: http://list.sipfoundry.org/archive/sipx-users/
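
The decoy-port and 'siptrap' ideas in the message above, sketched as an added example that is not part of the original post or of sipX: it flags sources that hit the old port 5060 or a trap user, skips the ITSP, and counts hits per address so the list can feed a firewall rule or an abuse report. The log layout, the trap user name, the ITSP range and every address are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the original post): log layout, trap user name,
# ITSP range and all addresses below are constructed for illustration.
ITSP_NETS = [ipaddress.ip_network("198.51.100.0/28")]  # hypothetical ITSP range
DECOY_PORT = 5060      # old SIP port, kept only as a decoy after the port swap
TRAP_USER = "siptrap"  # hypothetical unpublished user that acts as the trap

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"method=(?P<method>[A-Z]+) uri=sip:(?P<user>[^@\s]+)@(?P<host>\S+)$"
)

SAMPLE_LOG = """\
2010-10-15T06:01:02Z src=203.0.113.7 dport=5060 method=OPTIONS uri=sip:100@pbx.example.test
2010-10-15T06:01:03Z src=203.0.113.7 dport=5060 method=REGISTER uri=sip:101@pbx.example.test
2010-10-15T06:01:09Z src=203.0.113.7 dport=5080 method=INVITE uri=sip:siptrap@pbx.example.test
2010-10-15T06:02:00Z src=198.51.100.5 dport=5060 method=INVITE uri=sip:200@pbx.example.test
2010-10-15T06:02:30Z src=192.0.2.44 dport=5080 method=INVITE uri=sip:201@pbx.example.test
2010-10-15T06:03:00Z src=192.0.2.99 dport=5060 method=OPTIONS uri=sip:100@pbx.example.test
this line is malformed and must be ignored
"""

def is_itsp(ip):
    return any(ipaddress.ip_address(ip) in net for net in ITSP_NETS)

def classify(line):
    """Return (src, reasons) for a suspicious line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        if is_itsp(m["src"]):       # the ITSP may still use the old port
            return None
    except ValueError:              # src field is not an IP address
        return None
    reasons = []
    if int(m["dport"]) == DECOY_PORT:
        reasons.append("decoy-port")
    if m["user"].lower() == TRAP_USER:
        reasons.append("siptrap")
    return (m["src"], reasons) if reasons else None

def offenders(log_text, min_hits=2):
    """Map source IP -> (hit count, sorted reasons) at or above min_hits."""
    hits, why = Counter(), {}
    for result in filter(None, map(classify, log_text.splitlines())):
        hits[result[0]] += 1
        why.setdefault(result[0], set()).update(result[1])
    return {ip: (n, sorted(why[ip])) for ip, n in hits.items() if n >= min_hits}
```

The `min_hits` threshold keeps a single stray packet from putting an address on the list.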