
Richard Barnes wrote:
So, going back to your original question, the answer might not be "VoIP based botnet", but rather "VoIP targeted botnet" -- a botnet that's trying to brute-force passwords for access into a VoIP system.
So I wasn't the only one seeing this: http://www.stuartsheldon.org/blog/2010/11/sip-brute-force-attacks-escalate-o...

Anyhow, yesterday one of my servers (count it, ONE) was hit with 1640+ attacks from a variety of different hosts. It's really not a big deal to see dozens, even a couple of hundred attacks hit a machine, but something definitely seems odd. I believe someone has done one of the following:

1) Created a distributed "scanner slash bruteforcer" platform
2) Discovered a vulnerability in some VoIP based application
3) Created a VoIP based botnet

#2 wouldn't make any sense because they wouldn't need to bruteforce. #1 makes more sense because at certain points in time, multiple attacks are launched from different hosts with the numbers incremented, with no host overlapping the other. #3 is another possibility - think "Crimepack" or some other exploit kit.

Perhaps it's time to work with vendors, RFC folk and others to find some mechanism to flag these attacks? I'm thinking of a variable to be inserted into a SIP message that says "oh no, not on my system you don't."

While the VoIP Abuse Project is fun for me, there is no way I will be able to perform nslookups and detail the who's who for the vast majority of these hosts. Any suggestions? I could do something to the tune of:

    if $attacker shows_up_here; then
        $post $attacker DATABASE & call DB_INFO from a webpage
    fi

where others can pull from whatever addresses are visible. This would apply to others who have their IP PBXs visible to the world for some reason or another.

I'm still scratching my head as to what occurred yesterday though. On the above listed blog, some of the information differs from what I see:

1) As many as 10 parallel scans started from different hosts using different ranges, e.g., 10.10.10.x, 10.20.20.x, 10.30.30.x would scan, say, accounts 1000-1999, 2000-2999, 3000-3999 and so on.
2) As many as 5 parallel scans would start bruteforcing accounts found, e.g., 10.10.10.x, 10.20.20.x would start bruteforcing accounts 1012 and 2500 in parallel.
3) My honeypots began blocking attacks and immediately after, another host would pick up where the first left off, e.g., if 10.10.10.x was scanning 1000-1999 and was firewalled at 1200, another address picked up the slack for 1201-1999.

Right now, I haven't even parsed through the logs of my other servers as I'm playing catch-up with work. As it stands: http://www.infiltrated.net/voipabuse/logs/october2010.html

October 31st was a strange day, but today is no different. As of this writing, since midnight there have been 609 attacks against one server and it seems some attackers are heavily fiddling with international dialing attempts (http://www.infiltrated.net/voipabuse/logs/):

(Captured calls from my Asterisk based honeypot)

$ tail -n 10 /usr/share/arcade-project/calls
001120161448455 10282010-16:34:10 - my.sanitized.address <guest> - SIP/guest-f56150f0
3320161448455 10282010-16:34:57 - my.sanitized.address <guest> - SIP/guest-f2f56c58
8**1020161448455 10282010-16:36:31 - my.sanitized.address <guest> - SIP/guest-f2f00018
19**20161448455 10282010-16:38:34 - my.sanitized.address <guest> - SIP/guest-f6282eb8
19**20161448455 10282010-16:38:54 - my.sanitized.address <guest> - SIP/guest-09dda5b8
01185099930015 11012010-15:19:09 - my.sanitized.address <guest> - SIP/guest-f62732e0
901185099930015 11012010-15:19:20 - my.sanitized.address <guest> - SIP/guest-f6231548

# grep 448455 /usr/share/arcade-project/calls
01120161448455 10212010-04:49:05 - my.sanitized.address <guest> - SIP/guest-09baa3a0
901120161448455 10212010-04:49:46 - my.sanitized.address <guest> - SIP/guest-09d20250
801120161448455 10212010-04:50:32 - my.sanitized.address <guest> - SIP/guest-09cf72a8
55520161448455 10212010-04:51:46 - my.sanitized.address <guest> - SIP/guest-09e900a0
801120161448455 10212010-04:52:14 - my.sanitized.address <guest> - SIP/guest-09e900a0
001120161448455 10282010-16:34:10 - my.sanitized.address <guest> - SIP/guest-f56150f0
3320161448455 10282010-16:34:57 - my.sanitized.address <guest> - SIP/guest-f2f56c58
8**1020161448455 10282010-16:36:31 - my.sanitized.address <guest> - SIP/guest-f2f00018
19**20161448455 10282010-16:38:34 - my.sanitized.address <guest> - SIP/guest-f6282eb8
19**20161448455 10282010-16:38:54 - my.sanitized.address <guest> - SIP/guest-09dda5b8

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
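The three patterns in the message above (several hosts scanning disjoint extension ranges at the same time, a fresh host resuming exactly where a firewalled one stopped, and a small number of hosts hammering one discovered account) can be pulled out of ordinary Asterisk failed-registration notices without any DNS lookups. The script below is an added example, not code from the original post or the VoIP Abuse Project. It imitates the shape of Asterisk 1.x chan_sip "Registration from ... failed for ..." log lines; the addresses (RFC 1918 and RFC 5737 space), the timestamps and the thresholds (20 distinct extensions for a scanner, 10 attempts on fewer than 20 extensions for a bruteforcer) are all constructed assumptions, and the sample log is generated in the script rather than captured from a live honeypot.

```python
"""Classify SIP registration failures into scanners, bruteforcers,
parallel partitioned scans and scan handoffs.

Added example; the log format is a simplified imitation of Asterisk 1.x
chan_sip notices, and every host, timestamp and threshold is an assumption.
"""
import re
from datetime import datetime, timedelta

# [ts] NOTICE[pid] chan_sip.c: Registration from '"1000" <sip:1000@pbx>' failed for '10.10.10.5' - reason
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*Registration from '(?:\"[^\"]*\"\s*)?<sip:(?P<ext>\d+)@[^>]*>' "
    r"failed for '(?P<ip>[\d.]+)'"
)


def parse(lines):
    """Yield (timestamp, source_ip, extension) for each failed-registration line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], int(m["ext"])


def profile(records):
    """Per source IP: first/last seen, set of extensions tried, total attempts."""
    prof = {}
    for ts, ip, ext in records:
        p = prof.setdefault(ip, {"first": ts, "last": ts, "exts": set(), "attempts": 0})
        p["first"], p["last"] = min(p["first"], ts), max(p["last"], ts)
        p["exts"].add(ext)
        p["attempts"] += 1
    return prof


def analyse(lines, scan_min=20, brute_min=10):
    """Return scanners, bruteforcers, parallel disjoint scans and handoffs."""
    prof = profile(parse(lines))
    scanners = sorted(ip for ip, p in prof.items() if len(p["exts"]) >= scan_min)
    brute = sorted(ip for ip, p in prof.items()
                   if len(p["exts"]) < scan_min and p["attempts"] >= brute_min)
    handoffs, parallel = [], []
    for a in scanners:
        for b in scanners:
            if a == b:
                continue
            pa, pb = prof[a], prof[b]
            # handoff: b starts at the extension right after a's last one, after a went quiet
            if min(pb["exts"]) == max(pa["exts"]) + 1 and pb["first"] >= pa["last"]:
                handoffs.append((a, b))
            # parallel partition: overlapping time windows, no shared extensions
            if a < b and pa["first"] <= pb["last"] and pb["first"] <= pa["last"] \
                    and not (pa["exts"] & pb["exts"]):
                parallel.append((a, b))
    return {"scanners": scanners, "bruteforcers": brute,
            "handoffs": handoffs, "parallel": parallel}


def sample_log():
    """Constructed lines modelling the pattern described in the post (not real traffic)."""
    t0 = datetime(2010, 10, 31, 14, 0, 0)

    def lines(ip, exts, start, reason="No matching peer found"):
        for i, ext in enumerate(exts):
            ts = (t0 + timedelta(seconds=start + i)).strftime("%Y-%m-%d %H:%M:%S")
            yield (f"[{ts}] NOTICE[1234] chan_sip.c: Registration from "
                   f"'\"{ext}\" <sip:{ext}@pbx.example>' failed for '{ip}' - {reason}")

    out = []
    out += lines("10.10.10.5", range(1000, 1200), 0)     # scans 1000-1199, then gets firewalled
    out += lines("10.40.40.7", range(1200, 1400), 205)   # resumes at 1200 six seconds later
    out += lines("10.20.20.6", range(2000, 2200), 0)     # parallel scan, disjoint range
    out += lines("10.30.30.8", range(3000, 3200), 0)     # parallel scan, disjoint range
    out += lines("192.0.2.10", [1012] * 30, 300, "Wrong password")  # hammering one found account
    return out


if __name__ == "__main__":
    for key, val in analyse(sample_log()).items():
        print(f"{key}: {val}")
```

Feeding a real /var/log/asterisk/messages through analyse() only needs the regex and the timestamp format adjusted to the local Asterisk version; the handoff test is deliberately strict (next extension exactly max+1) because that is the fingerprint the post describes, and loosening it to a small gap is the first tweak to make if the blocking happens mid-burst.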