[VOIPSEC] why are attackers so inefficient?
Olle E. Johansson
oej at edvina.net
Wed Mar 23 11:39:43 CDT 2011
On 23 Mar 2011, at 17:23, Klaus Darilion wrote:
> I recently had this scan on my proxy:
>
> #
> U 2011/03/23 17:00:07.964580 60.191.221.70:5143 -> xx.yy.xx.yy:5060
> REGISTER sip:xx.yy.xx.yy SIP/2.0
> Via: SIP/2.0/UDP 127.0.0.1:5143;branch=z9hG4bK-1441214577;rport
> Content-Length: 0
> From: "5988" <sip:5988 at xx.yy.xx.yy>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "5988" <sip:5988 at xx.yy.xx.yy>
> Contact: sip:123 at 1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 4215708921
> Max-Forwards: 70
>
>
> #
> U 2011/03/23 17:00:07.964580 60.191.221.70:5143 -> xx.yy.xx.yy:5060
> REGISTER sip:xx.yy.xx.yy SIP/2.0
> Via: SIP/2.0/UDP 127.0.0.1:5143;branch=z9hG4bK-113964806;rport
> Content-Length: 0
> From: "5988" <sip:5988 at xx.yy.xx.yy>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "5988" <sip:5988 at xx.yy.xx.yy>
> Contact: sip:123 at 1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 3461115189
> Max-Forwards: 70
>
>
> #
> U 2011/03/23 17:00:07.972580 60.191.221.70:5143 -> xx.yy.xx.yy:5060
> REGISTER sip:xx.yy.xx.yy SIP/2.0
> Via: SIP/2.0/UDP 127.0.0.1:5143;branch=z9hG4bK-1816496172;rport
> Content-Length: 0
> From: "5988" <sip:5988 at xx.yy.xx.yy>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "5988" <sip:5988 at xx.yy.xx.yy>
> Contact: sip:123 at 1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 1573919667
> Max-Forwards: 70
>
>
> There were 200 requests per second, always the From/To, just the Call-ID
> differs. My proxy did not even respond to the requests. What's the use
> case of sending 200r/s with identical identity? Is this a bug in
> sipvicious or is the attacker just too stupid to use it correctly?
I had one case where I got REGISTER, actually answered with auth challenge and the attacker sent ACK...
In my case, I get attacks with different SIP URIs... Easy to block with fail2ban.
/O
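
The following is an added example, not part of the original post and not code from any tool named in the thread. It counts REGISTER requests per source per second in an ngrep-style capture and separates the two patterns described above: one identity repeated with changing Call-IDs, and rotating SIP URIs. The sample capture, the documentation-range IP addresses and the `min_per_sec` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the ngrep layout quoted above (documentation IP ranges).
def _pkt(ts, src, user, call_id, ua="friendly-scanner"):
    return (f"#\nU 2011/03/23 17:00:{ts} {src}:5143 -> 192.0.2.10:5060\n"
            f"REGISTER sip:192.0.2.10 SIP/2.0\n"
            f'From: "{user}" <sip:{user}@192.0.2.10>\n'
            f"User-Agent: {ua}\nCall-ID: {call_id}\n\n")

SAMPLE = "".join(
    [_pkt(f"07.{i:06d}", "198.51.100.7", "5988", 4000 + i) for i in range(6)]
    + [_pkt(f"08.{i:06d}", "203.0.113.9", str(100 + i), 9000 + i) for i in range(6)]
    + [_pkt("09.000000", "192.0.2.50", "alice", 1, ua="ExamplePhone/1.0")]
)

# Capture header line: transport flag, timestamp, source ip:port, arrow.
HEADER = re.compile(r"^U (\S+ \d\d:\d\d:\d\d)\.\d+ (\d+\.\d+\.\d+\.\d+):\d+ -> ", re.M)
FROM_USER = re.compile(r"^From:.*?sip:([^@>;\s]+)", re.M | re.I)
CALL_ID = re.compile(r"^Call-ID:\s*(\S+)", re.M | re.I)

def classify(capture, min_per_sec=5):
    """Return {source_ip: verdict} for REGISTER bursts in an ngrep-style capture.

    User-Agent is deliberately ignored: it is sender-controlled, so the
    verdict rests on request rate and identity churn only.
    """
    per_sec = defaultdict(lambda: defaultdict(int))  # ip -> second -> count
    users, call_ids = defaultdict(set), defaultdict(set)
    for block in capture.split("#\n"):
        head = HEADER.search(block)
        if not head or "\nREGISTER " not in block:
            continue
        second, ip = head.groups()
        per_sec[ip][second] += 1
        for store, pattern in ((users, FROM_USER), (call_ids, CALL_ID)):
            m = pattern.search(block)
            if m:
                store[ip].add(m.group(1))
    verdicts = {}
    for ip, seconds in per_sec.items():
        if max(seconds.values()) < min_per_sec:
            verdicts[ip] = "ok"
        elif len(users[ip]) == 1 and len(call_ids[ip]) > 1:
            verdicts[ip] = "flood-same-identity"        # pattern in the quoted scan
        else:
            verdicts[ip] = "flood-rotating-identities"  # pattern in the reply
    return verdicts
```
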