
Finally getting fed up with the bruteforcers so I decided to "out" upstreams and netblocks. Stay tuned. Maybe a VoIP based blacklist? Work in progress
http://www.infiltrated.net/voipabuse/

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

Hi there,

We're working on a more general "VoIP Toolbox" of sorts. I'd love to participate with your project as well - let me know if that's possible.

Thanks,
Darren Schreiber

_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops

I would like for as many engineers/admins to participate. It's becoming cumbersome to deal with the ongoing attacks and for those who have NOT taken the time to notice, things are escalating.

If anyone cares to send information please do so, the more logging information the better it would be. Because a situation like this (blacklisting) is built on a trust based relationship I ask the following:

1) Sanitize your networks for obvious reasons.
2) Gzip/zip/7zip your files when you send them.
3) Please make sure any visible offender information is visible.

I will not repost any companies or individuals who submit any logs unless someone requests for me to do so. This keeps someone from being attacked in retaliation. Right now I have to parse out about 40-50 different logfiles spread across a lot of networks. I'm doing so gradually as time progresses through the day. I added a PGP key to the page in the event someone wants to encrypt their messages as well.

My ultimate goal is simple: Reduce the potential attackers, make network operators clean up their house; if not, stay on a blacklist. When their clients complain and it starts affecting their pockets, maybe then will they get a clue.

--
J. Oquendo

Hello,

I find a blacklist too heavy to manage and unable to catch the fast emerging bruteforcers. As a freelancer I suggest to my clients (all on Linux with Asterisk) installing the fail2ban software.

The working of fail2ban is really simple: it reads the messages generated by the application and if one user tries to authenticate with wrong credentials more than X times in a unit of time, it triggers an insert into iptables so that no more packets are accepted from him for a long (adjustable) time.

Leandro

Understood on fail2ban; however, I can use fail2ban against you and have your own servers block their upstream. Fail2Ban "fails" when you're in a managed PBX arena and your clients are connecting from all over the place. When you have thousands of customers and some are connecting from all over the place, fiddling with Softphones, settings in Snom, Polycom, etc., you will quickly learn that Fail2Ban outright fails.

While a blacklist CAN be cumbersome, this isn't like spam where there are millions of hosts attempting this per day. At maximum, I've seen about 15-20 hosts attacking one PBX. It will take me about 20-30 minutes to whip up a python or shell script to parse them out and upload them. I already have my honeypot writing to DB, all I have to do is re-write to gzip and send the full logs.

The hard part is writing an informative email someone will likely never read (abuse departments). Last thing I want to hear is "you're not playing fair" when their clients complain.

--
J. Oquendo
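The fail2ban mechanism Leandro describes, together with the failure mode raised in the reply above (a burst of bad credentials from your own upstream or a customer range turning the ban against yourself), as an added example; this is not code from either poster or from fail2ban itself. It replays constructed Asterisk chan_sip failed-registration lines through a sliding window and adds an allowlist of trusted networks, the knob a hosted PBX with roaming customers needs; the log line shape, the addresses and the `trusted` parameter are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Failed-registration NOTICE as chan_sip logs it (the shape fail2ban's stock asterisk
# filter keys on). All sample lines below are constructed, not taken from a real PBX.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '[^']*' "
    r"failed for '(?P<host>[0-9.]+)(?::\d+)?' - (?P<reason>.+)$")

def parse_ts(stamp):
    # Asterisk stamps carry no year; only the deltas matter for the window.
    return (datetime.strptime(stamp, "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()

def ban_decisions(lines, maxretry=5, findtime=600, trusted=()):
    """fail2ban-style sliding window: maxretry failures within findtime seconds bans
    the source. Returns [(host, stamp_of_ban), ...]. Hosts inside `trusted` networks
    (an upstream trunk, a known customer range) are counted but never banned."""
    trusted_nets = [ip_network(n) for n in trusted]
    recent = defaultdict(deque)          # host -> failure timestamps inside the window
    banned, seen = [], set()
    for line in lines:
        m = FAILED_REG.match(line)
        if not m:
            continue                     # not a failed REGISTER; the filter ignores it
        host, ts = m.group("host"), parse_ts(m.group("ts"))
        q = recent[host]
        q.append(ts)
        while ts - q[0] > findtime:      # slide: forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry and host not in seen:
            if any(ip_address(host) in net for net in trusted_nets):
                continue                 # would have cut off our own upstream/customers
            seen.add(host)
            banned.append((host, m.group("ts")))
    return banned

def _line(ts, host, user="100"):
    # Constructed sample line in the chan_sip NOTICE shape.
    return (f"[Sep 20 {ts}] NOTICE[2410] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@10.0.0.5>' failed for '{host}:5060' - Wrong password")

SAMPLE_LOG = (
    [_line(f"07:5{i}:0{i}", "203.0.113.7", str(100 + i)) for i in range(6)]  # scanner walking extensions
    + [_line(f"08:0{i}:30", "198.51.100.20") for i in range(5)]              # our upstream with stale creds
    + [_line(f"08:1{i}:00", "192.0.2.9") for i in range(3)])                 # roaming user, 3 typos
# With no allowlist the upstream gets banned alongside the scanner; with one, only the scanner.
ALL_BANS = ban_decisions(SAMPLE_LOG)
WITH_ALLOWLIST = ban_decisions(SAMPLE_LOG, trusted=["198.51.100.0/24"])
```

Shrinking `findtime` shows the other side of the trade-off: a scanner that paces its attempts just outside the window is never banned at all.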

Well more importantly, VoIP spam is going to grow. Might as well hit the nail on the head now.

Most of our customers want to be able to travel and still use their devices, so this type of blacklist is particularly useful for us.

We're all on the same side here, folks...

David Hiers
CCIE (R/S, V), CISSP
ADP Dealer Services
2525 SW 1st Ave. Suite 300W
Portland, OR 97201
o: 503-205-4467
f: 503-402-3277

-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of J. Oquendo
Sent: Monday, September 20, 2010 7:57 AM
To: voiceops at voiceops.org
Subject: [VoiceOps] VoIP Abuse Project

This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system.

We ARE on the same side.

Us - legitimate admins/service providers
Them - thieves and others trying to harm networks

I can certainly agree on a project like what is being proposed. A 'spamhaus' for the VoIP world. We constantly face rogue PBXs hammering our network - and some sparingly exploiting some vulnerability the attacker was so nice to help us identify (while stealing service in the process).

I agree with the idea that if the 'sip blacklist' blocks you, let the service provider answer those questions - just like service providers answer on email blacklists right now. Voice service providers keep blocking attackers, and they keep moving to the next victim. As a community, we should help stop this wherever possible. It would be great for a reliable and responsible group of admins to be able to share knowledge of those numbskulls and seal them out of our networks.

Christian Pena

Personally I think there is one thing that needs to get fixed which will probably resolve a lot of hijacked ext's: getting FreePBX to require a difficult password for ext's. Just my 2 cents.

Carlos Alcantar
Race Telecommunications, Inc.
101 Haskins Way
South San Francisco, CA 94080
P: 415.376.3314
F: 650.649.3551
E: carlos at race.com

Anyone have any experience with this company for origination/termination? It's my understanding that they are a consolidator with the usual suspects under the hood. Please contact me off list.

-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Carlos Alcantar
Sent: Monday, September 20, 2010 2:15 PM
To: voiceops at voiceops.org
Subject: Re: [VoiceOps] VoIP Abuse Project
participants (7)
- carlos@race.com
- cpena@ststelecom.com
- d@d-man.org
- David_Hiers@adp.com
- ldardini@gmail.com
- Marty_Sorensen@adp.com
- sil@infiltrated.net