
-- It's just a matter of time before they remove the string "friendly-scanner" from their SIP messages.
They already have - I saw it at my previous employer. They changed the UA string to "suny" or "sunny", maybe "happy" something or other, don't remember the exact string and have no access to the systems any more. I am surprised no one else has seen it???
Robert Dawson
-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Mark R Lindsey
Sent: Wednesday, May 18, 2011 1:35 PM
To: Alex Balashov
Cc: voiceops at voiceops.org
Subject: Re: [VoiceOps] Fraud fun
Cool use of iptables. There's definitely short-term tactical value in taking advantage of the signature "friendly-scanner" --
But we also know that the SIPvicious user population is getting more sophisticated.
-- At our clients, they've slowed their scanning rate so they're no longer causing overload attacks.
-- It's just a matter of time before they remove the string "friendly-scanner" from their SIP messages.
mark at ecg.co | +1-229-316-0013 | http://ecg.co/lindsey
On May 18, 2011, at 12:46 PM, Alex Balashov wrote:
Ghetto, but goes a long way in helping harden individual Asterisk servers on which one has no choice but to leave the SIP call agent open to the public Internet:
iptables -A INPUT -p udp --dport 5060 -m string --string 'friendly-scanner' --algo bm -j DROP
On 05/18/2011 12:42 PM, Spencer wrote:
I'm not sure what your requirements are, but we recently blocked all non-ARIN IP space from reaching our registrars. We had something similar happen and this has essentially eliminated the fraudulent calls we saw.
Thanks, Spencer
--------------------------------------------------------------------
Message: 1
Date: Tue, 17 May 2011 15:53:15 -0700
From: Darren Schreiber <d at d-man.org>
To: VoiceOps at voiceops.org
Subject: [VoiceOps] Fraud fun
Message-ID: <C9F84A6B.2097A%d at d-man.org>
Content-Type: text/plain; charset="us-ascii"
Hi folks,
We have been hit twice in the past two days with calls to 011-252-XXXXXXXX (calls to Somalia I believe, and the originating IP is from Pakistan).
It's the same user each time, I think he had a weak password, but it cost us over $100, which isn't too bad (we catch it quick) but I'd like to get it closer to $0. :-)
Any good recommendations for IP ranges to block from incoming connections?
Thanks,
Darren Schreiber CEO / Co-Founder
2600hz | www.2600hz.com
sip:darren at 2600hz.com
tel:415-886-7901
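An added example, not code from any poster in this thread, that puts Alex Balashov's payload signature match beside a per-source REGISTER rate check, since Mark Lindsey's point is that the "friendly-scanner" string goes away and the scan rate drops: a source is flagged on the known User-Agent and, independently, on how many REGISTERs it sends inside a sliding window. The IP addresses, hostnames, the "desk-phone/1.0" User-Agent and the sample traffic are constructed; "sunny" is the renamed string Robert Dawson recalls.

```python
"""Flag SIP sources by scanner User-Agent signature and by REGISTER rate (added example)."""
from collections import defaultdict

SCANNER_UA_SIGNATURES = ("friendly-scanner",)  # the string the iptables rule in the thread matches


def parse_sip(raw: str) -> dict:
    """Split a SIP request into its method and a dict of lower-cased header names."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": lines[0].split(" ", 1)[0], "headers": headers}


def matches_signature(raw: str) -> bool:
    """Same test as `iptables -m string`: a substring match anywhere in the payload."""
    return any(sig in raw for sig in SCANNER_UA_SIGNATURES)


def classify(events, window_s=600, max_registers=20):
    """events: (timestamp, src_ip, raw_sip) tuples. Returns {src_ip: set of reasons}.

    A signature hit flags the source at once.  A source that sends more than
    max_registers REGISTERs inside a sliding window_s-second window is flagged
    regardless of User-Agent; that is what still catches a scanner that renamed
    itself or slowed down, as long as the threshold sits below its new pace."""
    verdicts, registers = defaultdict(set), defaultdict(list)
    for ts, src, raw in sorted(events, key=lambda e: e[0]):
        if matches_signature(raw):
            verdicts[src].add("known-scanner-ua")
        if parse_sip(raw)["method"] == "REGISTER":
            registers[src] = [t for t in registers[src] + [ts] if ts - t <= window_s]
            if len(registers[src]) > max_registers:
                verdicts[src].add("register-rate")
    return dict(verdicts)


def register_msg(user: str, ua: str) -> str:
    """Constructed REGISTER request for the sample traffic below (hostnames are examples)."""
    return (f"REGISTER sip:pbx.example.net SIP/2.0\r\nFrom: <sip:{user}@pbx.example.net>\r\n"
            f"User-Agent: {ua}\r\nContent-Length: 0\r\n\r\n")


# Constructed sample traffic: one signature hit, one renamed scanner that probes a new
# extension every 30 s for an hour, and one legitimate phone re-registering every 5 min.
CONSTRUCTED_EVENTS = (
    [(0.0, "203.0.113.5", register_msg("100", "friendly-scanner"))]
    + [(30.0 * i, "198.51.100.9", register_msg(str(1000 + i), "sunny")) for i in range(120)]
    + [(300.0 * i, "192.0.2.77", register_msg("201", "desk-phone/1.0")) for i in range(12)]
)
```

With the defaults, the renamed scanner is flagged only by the rate check, the legitimate phone by neither; lower max_registers or widen window_s as the observed scan pace drops.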