
Has anybody noticed any SIP attacks coming in from 217.23.0.125 or other IPs? The profile of the attack was basically a scan of every IP on several of my segments at port 5060; the packets were all fragmented into approx. 8.7k worth of data. Unfortunately I don't have any sniffer captures of what they were trying to do. Anybody else seeing anything like this lately? -J

On Aug 19, 2009, at 4:31 PM, Jason Vanick wrote:
> Has anybody noticed any SIP attacks coming in from 217.23.0.125 or other IPs?
> The profile of the attack was basically a scan of every IP on several of my segments at port 5060; the packets were all fragmented into approx. 8.7k worth of data.
> Unfortunately I don't have any sniffer captures of what they were trying to do.
> Anybody else seeing anything like this lately?
> -J
While this is not quite enough data to go on, I'd say you're experiencing Part I of III of the SIPvicious attack process (scan for SIP, scan for valid UIDs, brute-force passwords). Other tools which may be attacking you: http://www.voipsa.org/Resources/tools.php

Protection methods are of course at your discretion, but sane IP filtering is a good first choice (if possible), layered on top of a good username scheme, layered on top of strict password enforcement. Additionally, others have had some luck building dynamic filters based on tripwire criteria such as broad sweeps of your IP space.

JT
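One way to implement the tripwire JT describes (flag a source that sweeps a wide slice of your address space on port 5060, then hand it to a dynamic filter), as an added example that is not part of this thread and is not SIPvicious or any tool from the VOIPSA list. The log format (an "iptables -j LOG" style line behind a syslog timestamp), the addresses (RFC 5737 documentation space), the threshold of 20 distinct destinations and the 60-second window are all constructed assumptions; the 217.23.0.125 source from the original post is deliberately not used.

```python
"""Tripwire for broad SIP sweeps: flag any source that touches many distinct
destination addresses on UDP/5060 inside a short time window, the "broad sweep
of your IP space" criterion from the reply above. Flagged sources are candidates
for a dynamic drop rule; pushing that rule to the firewall is left to the operator."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: the SRC=/DST=/PROTO=/DPT= fields written by an
# "iptables -j LOG" style rule behind a syslog timestamp. Adjust LOG_RE for
# other firewalls.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, proto, dport), or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog carries no year
    return ts, m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dport"))


def find_sweeps(lines, port=5060, threshold=20, window_seconds=60):
    """Return {src: (time_tripped, distinct_destinations)} for every source that
    reached at least `threshold` distinct destinations on UDP/`port` within any
    `window_seconds`-long period. Lines must be in time order per source."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> deque of (ts, dst), oldest first
    tripped = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, proto, dport = rec
        if proto != "UDP" or dport != port or src in tripped:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold:
            tripped[src] = (ts, len(distinct))
    return tripped


def suggest_filter(src, port=5060):
    """Render the drop rule an operator would review before applying it."""
    return f"iptables -I INPUT -s {src} -p udp --dport {port} -j DROP"


def _line(ts, src, dst, dport=5060):
    return (f"{ts:%b %d %H:%M:%S} fw kernel: IN=eth0 SRC={src} DST={dst} "
            f"PROTO=UDP SPT=5060 DPT={dport}")


def constructed_log():
    """Constructed sample traffic (RFC 5737 documentation addresses, not real hosts)."""
    base = datetime(2009, 8, 19, 16, 30, 0)
    lines = []
    # a) fast sweep: a new host in 192.0.2.0/24 every second
    for i in range(1, 33):
        lines.append(_line(base + timedelta(seconds=i), "203.0.113.7", f"192.0.2.{i}"))
    # b) legitimate peer: plenty of packets, but all to one proxy
    for i in range(40):
        lines.append(_line(base + timedelta(seconds=i), "198.51.100.9", "192.0.2.10"))
    # c) slow sweep: one host every two minutes, which a 60 s window never sees
    for i in range(1, 26):
        lines.append(_line(base + timedelta(minutes=2 * i), "203.0.113.8", f"192.0.2.{i}"))
    lines.append("Aug 19 16:31:00 fw sshd[4242]: Accepted publickey for ops")  # unrelated
    return lines


if __name__ == "__main__":
    for src, (when, n) in find_sweeps(constructed_log()).items():
        print(f"{when:%H:%M:%S} {src} hit {n} distinct hosts on 5060 -> {suggest_filter(src)}")
```

With the defaults only the fast sweeper trips, after its 20th distinct host; the legitimate peer never does, because volume to a single destination is not the criterion. The slow sweeper shows the limit of a short window: it stays invisible at 60 seconds and only appears once the window is widened (for example to 15 minutes with a lower threshold), so the window and threshold are a trade-off between catching patient scanners and tripping on your own monitoring or SBC traffic. Review the rendered rule before applying it, and prefer an expiring entry (ipset with a timeout, or a fail2ban-style jail) over a permanent drop so a spoofed or shared address does not stay blocked forever.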
Participants (2): jtodd@loligo.com, jvanick@spruce.oaknet.com