
Cool use of iptables. There's definitely short-term tactical value in taking advantage of the signature "friend-scanner"
-- But we also know that the SIPvicious user population is getting more sophisticated.
-- At our clients, they've slowed their scanning rate so they're no longer causing overload attacks.
-- It's just a matter of time before they remove the string "friendly-scanner" from their SIP messages.

mark at ecg.co | +1-229-316-0013 | http://ecg.co/lindsey

On May 18, 2011, at 12:46 PM, Alex Balashov wrote:
Ghetto, but goes a long way in helping harden individual Asterisk servers on which one has no choice but to leave the SIP call agent open to the public Internet:
iptables -A INPUT -p UDP --dport 5060 -m string --algo bm --string 'friendly-scanner' -j DROP
On 05/18/2011 12:42 PM, Spencer wrote:
I'm not sure what your requirements are, but we recently blocked all non-ARIN IP space from reaching our registrars. We had something similar happen and this has essentially eliminated the fraudulent calls we saw.
Thanks, Spencer
------------------------------------------------------------------------
Message: 1
Date: Tue, 17 May 2011 15:53:15 -0700
From: Darren Schreiber <d at d-man.org>
To: "VoiceOps at voiceops.org" <VoiceOps at voiceops.org>
Subject: [VoiceOps] Fraud fun
Message-ID: <C9F84A6B.2097A%d at d-man.org>
Content-Type: text/plain; charset="us-ascii"

Hi folks,

We have been hit twice in the past two days with calls to 011-252-XXXXXXXX (calls to Somalia I believe, and the originating IP is from Pakistan).
It's the same user each time, I think he had a weak password, but it cost us over $100, which isn't too bad (we catch it quick) but I'd like to get it closer to $0. :-)
Any good recommendations for IP ranges to block from incoming connections?
Thanks,
Darren Schreiber CEO / Co-Founder
2600hz | www.2600hz.com | sip:darren at 2600hz.com | tel:415-886-7901
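
Added example, not part of any message in this thread: a Python sketch comparing the signature match used by the iptables rule above with a per-source request-rate check, which still flags a scanner after the "friendly-scanner" string is removed. The window, threshold, addresses, hostnames and User-Agent values are all constructed assumptions.

```python
from collections import defaultdict

SIGNATURE = "friendly-scanner"  # string matched by the iptables rule in the thread
WINDOW_SECONDS = 10             # assumed sliding window
MAX_REQUESTS = 5                # assumed per-source request budget inside the window


def classify(packets):
    """packets: iterable of (timestamp, src_ip, sip_message), sorted by time.

    Returns {src_ip: set of reasons}; sources that are never flagged are absent.
    """
    flagged = defaultdict(set)
    recent = defaultdict(list)  # src_ip -> timestamps still inside the window
    for ts, src, msg in packets:
        # Same test as the iptables string match: case-sensitive, anywhere in the payload.
        if SIGNATURE in msg:
            flagged[src].add("signature")
        # Behavioural test: too many SIP requests from one source in a short window.
        window = [t for t in recent[src] if ts - t < WINDOW_SECONDS]
        window.append(ts)
        recent[src] = window
        if len(window) > MAX_REQUESTS:
            flagged[src].add("rate")
    return dict(flagged)


def make_register(user_agent, ext):
    """Build a minimal constructed REGISTER request (not a complete SIP message)."""
    return (
        f"REGISTER sip:pbx.example.invalid SIP/2.0\r\n"
        f"To: <sip:{ext}@pbx.example.invalid>\r\n"
        f"User-Agent: {user_agent}\r\n\r\n"
    )


# Constructed sample traffic using documentation address ranges.
SAMPLE = sorted(
    # Scanner that still sends the default User-Agent.
    [(i * 0.5, "192.0.2.10", make_register("friendly-scanner", 100 + i)) for i in range(8)]
    # Same scanning pattern with the signature string removed.
    + [(i * 0.5, "198.51.100.7", make_register("Generic Softphone", 200 + i)) for i in range(8)]
    # Ordinary phone re-registering once a minute.
    + [(i * 60.0, "203.0.113.5", make_register("Desk Phone 1.0", 300)) for i in range(3)],
    key=lambda p: p[0],
)

if __name__ == "__main__":
    for src, reasons in sorted(classify(SAMPLE).items()):
        print(src, sorted(reasons))
```
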