
Sorry for the cross posting to two lists, but I thought everyone on both lists might benefit from the message (*cough*rambling*).

So yesterday, I had a honeypot host "open to the world." Not one "block this country" rule on the machine. Normally throughout the past months I've seen maybe 1 or 2 attacks in parallel, but yesterday was different. I butchered up a perl script to block on the fly as opposed to blocking out entire countries and was surprised to see I managed to accumulate 1600+ hosts. Not *that* big of a deal until I started going through some of the logs...

I'm a bit puzzled because I see hundreds of attacks in parallel (literally 100-200 connections from different netblocks at the same time) so I'm thinking... "VoIP Based Botnet?"

Anyhow, still parsing through the wonderful bucketload of logs this morning. Anyone else see massive activity beginning 10/31?

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

Could you say a little more about what this weird traffic was? Were these SIP messages?

--Richard

On Mon, Nov 1, 2010 at 11:01 AM, J. Oquendo <sil at infiltrated.net> wrote:
> I'm a bit puzzled because I see hundreds of attacks in parallel (literally 100-200 connections from different netblocks at the same time) so I'm thinking... "VoIP Based Botnet?"
> Anyhow, still parsing through the wonderful bucketload of logs this morning. Anyone else see massive activity beginning 10/31?

_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops

Richard Barnes wrote:
> Could you say a little more about what this weird traffic was? Were these SIP messages?

Sorry, should have been more clear. These were SIP registrations + bruteforce attacks.

So, going back to your original question, the answer might not be "VoIP based botnet", but rather "VoIP targeted botnet" -- a botnet that's trying to brute-force passwords for access into a VoIP system.

On Mon, Nov 1, 2010 at 1:02 PM, J. Oquendo <sil at infiltrated.net> wrote:
> Sorry, should have been more clear. These were SIP registrations + bruteforce attacks.

Richard Barnes wrote:
> So, going back to your original question, the answer might not be "VoIP based botnet", but rather "VoIP targeted botnet" -- a botnet that's trying to brute-force passwords for access into a VoIP system.

So I wasn't the only one seeing this:
http://www.stuartsheldon.org/blog/2010/11/sip-brute-force-attacks-escalate-o...

Anyhow, yesterday one of my servers (count it ONE) was hit up over 1640+ attacks from a variety of different hosts. It's really not a big deal to see dozens, even a couple of hundred attacks hit a machine, but something definitely seems odd. I believe someone has either done one of the following:

1) Created a distributed "scanner slash bruteforcer" platform
2) Discovered a vulnerability in some VoIP based application
3) Created a VoIP based botnet

#2 wouldn't make any sense because they wouldn't need to bruteforce. #1 makes more sense because at certain points in time, multiple attacks are launched from different hosts with the numbers incremented with no host overlapping the other. #3 is another possibility - think "Crimepack" or some other exploit kit.

Perhaps it's time to work with vendors, RFC folk and others to find some mechanism to flag these attacks? I'm thinking of a variable to be inserted into a SIP message that says "oh no, not on my system you don't."

While the VoIP Abuse Project is fun for me, there is no way I will be able to perform nslookups, detail the who's who for the vast majority of these hosts. Any suggestions? I could do something to the tune of:

if $attacker shows_up_here
then
  $post $attacker DATABASE & call DB_INFO from a webpage
fi

Where others can pull from whatever addresses are visible. This would apply to others who have their IP PBX's visible to the world for some reason or another. I'm still scratching my head as to what occurred yesterday though.

On the above listed blog, some of the information differs as to what I see:

1) As many as 10 parallel scans started from different hosts using different ranges, e.g., 10.10.10.x, 10.20.20.x, 10.30.30.x would scan say accounts 1000-1999, 2000-2999, 3000-3999 and so on.
2) As many as 5 parallel scans would start bruteforcing accounts found, e.g., 10.10.10.x, 10.20.20.x, would start bruteforcing in parallel accounts 1012 and 2500.
3) My honeypots began blocking attacks and immediately after, another host would pick up where one left off, e.g., say if 10.10.10.x was scanning 1000-1999 and was firewalled at 1200, another address picked up the slack for 1201-1999.

Right now, I haven't even parsed through the logs of my other servers as I'm playing catch-up with work. As it stands:
http://www.infiltrated.net/voipabuse/logs/october2010.html

October 31st was a strange day, but today is no different. As of this writing, since midnight there have been 609 attacks against one server and it seems some attackers are heavily fiddling with international dialing attempts (http://www.infiltrated.net/voipabuse/logs/):

(Captured calls from my Asterisk based honeypot)

$ tail -n 10 /usr/share/arcade-project/calls
001120161448455 10282010-16:34:10 - my.sanitized.address <guest> - SIP/guest-f56150f0
3320161448455 10282010-16:34:57 - my.sanitized.address <guest> - SIP/guest-f2f56c58
8**1020161448455 10282010-16:36:31 - my.sanitized.address <guest> - SIP/guest-f2f00018
19**20161448455 10282010-16:38:34 - my.sanitized.address <guest> - SIP/guest-f6282eb8
19**20161448455 10282010-16:38:54 - my.sanitized.address <guest> - SIP/guest-09dda5b8
01185099930015 11012010-15:19:09 - my.sanitized.address <guest> - SIP/guest-f62732e0
901185099930015 11012010-15:19:20 - my.sanitized.address <guest> - SIP/guest-f6231548

# grep 448455 /usr/share/arcade-project/calls
01120161448455 10212010-04:49:05 - my.sanitized.address <guest> - SIP/guest-09baa3a0
901120161448455 10212010-04:49:46 - my.sanitized.address <guest> - SIP/guest-09d20250
801120161448455 10212010-04:50:32 - my.sanitized.address <guest> - SIP/guest-09cf72a8
55520161448455 10212010-04:51:46 - my.sanitized.address <guest> - SIP/guest-09e900a0
801120161448455 10212010-04:52:14 - my.sanitized.address <guest> - SIP/guest-09e900a0
001120161448455 10282010-16:34:10 - my.sanitized.address <guest> - SIP/guest-f56150f0
3320161448455 10282010-16:34:57 - my.sanitized.address <guest> - SIP/guest-f2f56c58
8**1020161448455 10282010-16:36:31 - my.sanitized.address <guest> - SIP/guest-f2f00018
19**20161448455 10282010-16:38:34 - my.sanitized.address <guest> - SIP/guest-f6282eb8
19**20161448455 10282010-16:38:54 - my.sanitized.address <guest> - SIP/guest-09dda5b8
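The three patterns J. Oquendo lists above (parallel sweeps of disjoint extension ranges, brute force against the accounts found, and a fresh source resuming exactly where a firewalled one stopped) can be pulled out of ordinary Asterisk chan_sip registration-failure logs rather than eyeballed. The Python below is an added example written for this page; it is not code from the VoIP Abuse Project, from the honeypot, or from anyone in the thread. The log lines are constructed in the Asterisk 1.6/1.8 "Registration from '...' failed for '...'" NOTICE format using documentation address ranges, and the year (Asterisk logs none), the 60-second handoff window and the extension ranges are assumptions.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample in the chan_sip NOTICE format (documentation addresses, not the
# thread's honeypot data). Two sources sweep disjoint ranges at the same moment; a third
# starts at 1003 two seconds after the first source stopped at 1002, as if it had been
# blocked and another host picked up the slack. One attempt on 2002 drew "Wrong password",
# which means that extension exists.
SAMPLE_LOG = """\
[Oct 31 14:00:01] NOTICE[2231] chan_sip.c: Registration from '"1000" <sip:1000@198.51.100.5>' failed for '203.0.113.10' - No matching peer found
[Oct 31 14:00:02] NOTICE[2231] chan_sip.c: Registration from '"1001" <sip:1001@198.51.100.5>' failed for '203.0.113.10' - No matching peer found
[Oct 31 14:00:03] NOTICE[2231] chan_sip.c: Registration from '"1002" <sip:1002@198.51.100.5>' failed for '203.0.113.10' - No matching peer found
[Oct 31 14:00:01] NOTICE[2231] chan_sip.c: Registration from '"2000" <sip:2000@198.51.100.5>' failed for '203.0.113.200' - No matching peer found
[Oct 31 14:00:02] NOTICE[2231] chan_sip.c: Registration from '"2001" <sip:2001@198.51.100.5>' failed for '203.0.113.200' - No matching peer found
[Oct 31 14:00:03] NOTICE[2231] chan_sip.c: Registration from '"2002" <sip:2002@198.51.100.5>' failed for '203.0.113.200' - Wrong password
[Oct 31 14:00:05] NOTICE[2231] chan_sip.c: Registration from '"1003" <sip:1003@198.51.100.5>' failed for '192.0.2.77:5060' - No matching peer found
[Oct 31 14:00:06] NOTICE[2231] chan_sip.c: Registration from '"1004" <sip:1004@198.51.100.5>' failed for '192.0.2.77:5060' - No matching peer found
"""

Event = namedtuple("Event", "ts ext src reason")
Sweep = namedtuple("Sweep", "src lo hi first last count")

# Matches the 1.6 form ('1.2.3.4') and the 1.8 form ('1.2.3.4:5060') of the source field.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '\"?(?P<ext>[^\"'<]+)\"? ?<[^>]*>' failed for "
    r"'(?P<src>[0-9.]+)(?::\d+)?' - (?P<reason>.+)$"
)


def parse_log(text, year=2010):
    """Turn chan_sip registration-failure lines into Events; any other line is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Asterisk logs no year; 2010 is assumed so the timestamps compare correctly.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append(Event(ts, m.group("ext"), m.group("src"), m.group("reason")))
    return events


def sweeps_by_source(events):
    """Per source IP: the numeric extension range it touched, when, and how many tries."""
    sweeps = {}
    for e in events:
        if not e.ext.isdigit():
            continue  # only numeric account names can be walked as a range
        n = int(e.ext)
        s = sweeps.get(e.src)
        if s is None:
            sweeps[e.src] = Sweep(e.src, n, n, e.ts, e.ts, 1)
        else:
            sweeps[e.src] = Sweep(e.src, min(s.lo, n), max(s.hi, n),
                                  min(s.first, e.ts), max(s.last, e.ts), s.count + 1)
    return sweeps


def parallel_sweeps(sweeps):
    """Pairs of sources active in overlapping time windows on non-overlapping ranges:
    the 'parallel incrementing' signature (one host on 1000-1999, another on 2000-2999)."""
    found = []
    items = sorted(sweeps.values(), key=lambda s: s.src)
    for i, a in enumerate(items):
        for b in items[i + 1:]:
            same_time = a.first <= b.last and b.first <= a.last
            disjoint = a.hi < b.lo or b.hi < a.lo
            if same_time and disjoint:
                found.append((a.src, b.src))
    return found


def handoffs(sweeps, max_gap_s=60):
    """Source b starts at exactly a.hi + 1 shortly after a went quiet: one host picking up
    where a firewalled one left off. The 60 s window is an assumption; tune it to how fast
    your own blocking reacts."""
    found = []
    for a in sweeps.values():
        for b in sweeps.values():
            if a.src == b.src:
                continue
            gap = (b.first - a.last).total_seconds()
            if b.lo == a.hi + 1 and 0 <= gap <= max_gap_s:
                found.append((a.src, b.src, a.hi, b.lo))
    return found


def confirmed_extensions(events):
    """Extensions whose failure reason was a bad password rather than 'no matching peer':
    the registrar has admitted they exist, which is what a scanner wants to know before it
    moves from enumeration to brute force. Watch these accounts, not the whole range."""
    return sorted({e.ext for e in events if e.reason.startswith("Wrong password")})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sw = sweeps_by_source(evs)
    for s in sw.values():
        print(f"{s.src:15} {s.lo}-{s.hi} ({s.count} tries) {s.first:%H:%M:%S}-{s.last:%H:%M:%S}")
    print("parallel sweeps:", parallel_sweeps(sw))
    print("handoffs       :", handoffs(sw))
    print("confirmed      :", confirmed_extensions(evs))
```

Run it against a real `/var/log/asterisk/messages` by replacing `SAMPLE_LOG` with the file contents; a per-source block list built from `parallel_sweeps` and `handoffs` is what catches the second host of a handoff on its first packet, where a per-IP threshold like fail2ban's only catches it after it has already walked a few dozen extensions.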

I saw an uptick over the weekend of brute force attacks against our asterisk boxes. Go fail2ban.

Joseph

On Mon, Nov 1, 2010 at 2:58 PM, Richard Barnes <richard.barnes at gmail.com> wrote:
> So, going back to your original question, the answer might not be "VoIP based botnet", but rather "VoIP targeted botnet" -- a botnet that's trying to brute-force passwords for access into a VoIP system.

One of our large local customers here in Atlanta was hit with a brute-force and extremely intensive REGISTER scan late this morning/early this afternoon from 5 IPs -- 2 in Indonesia, 1 in Argentina, 1 in Russia, and one other from the Philippines that I don't have on hand:

125.162.94.57
110.137.65.131
186.137.208.202
217.118.90.189

... that we could identify. We don't know if they were part of a coordinated scan or just launched in parallel, but they were fairly sophisticated in that they detected the nomenclature and length assignment patterns in extensions (403 Forbidden vs. 401 Unauthorized, I suppose) and zeroed in on those.

No toll fraud took place, but they did take down several Asterisk processes due to Asterisk's inability to cope with this volume of requests. I would have put the intensity at about ~5-10 per second.

--
Alex Balashov - Principal
Evariste Systems LLC
1170 Peachtree Street
12th Floor, Suite 1200
Atlanta, GA 30309
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/

On 11/01/2010 04:28 PM, Alex Balashov wrote:
> 125.162.94.57
> 110.137.65.131
> 186.137.208.202
> 217.118.90.189

Oh yeah, and this one:

206.188.207.242

which was the source of the fastest, most resource-intensive probing.

Here's the sources of attacks we saw yesterday 10/31/2010

200.100.188.84
187.41.94.187
76.109.93.166
189.71.49.199
190.205.19.188
189.27.111.3
187.58.95.250
190.253.175.237

On Mon, Nov 1, 2010 at 3:29 PM, Alex Balashov <abalashov at evaristesys.com> wrote:
> Oh yeah, and this one:
> 206.188.207.242
> which was the source of the fastest, most resource-intensive probing.

Joseph Jackson wrote:
> Here's the sources of attacks we saw yesterday 10/31/2010
> 200.100.188.84 187.41.94.187 76.109.93.166 189.71.49.199 190.205.19.188 189.27.111.3 187.58.95.250 190.253.175.237

My count is at 1664 for yesterday:

# wget -qO - http://www.infiltrated.net/voipabuse/logs/october2010.html|awk '/Mass/{print $7}'|sed 's:.gz</a></td>::g'|wc -l
1664

Complete list:

# wget -qO - http://www.infiltrated.net/voipabuse/logs/october2010.html|awk '/Mass/{print $7}'|sed 's:.gz</a></td>::g'

Alex Balashov wrote:
> One of our large local customers here in Atlanta was hit with a brute-force and extremely intensive REGISTER scan late this morning/early this afternoon from 5 IPs -- 2 in Indonesia, 1 in Argentina, 1 in Russia, and one other from the Philippines that I don't have on hand:
> 125.162.94.57 110.137.65.131 186.137.208.202 217.118.90.189
> ... that we could identify. We don't know if they were part of a coordinated scan or just launched in parallel, but they were fairly sophisticated in that they detected the nomenclature and length assignment patterns in extensions (403 Forbidden vs. 401 Unauthorized, I suppose) and zeroed in on those.
> No toll fraud took place, but they did take down several Asterisk processes due to Asterisk's inability to cope with this volume of requests. I would have put the intensity at about ~5-10 per second.

None of those hosts are visible to me:

# echo "125.162.94.57 110.137.65.131 186.137.208.202 217.118.90.189" | tr ' ' '\n' | while read luzer ; do grep -c "$luzer" OCT ; done
0
0
0
0

Max connects I've seen in parallel so far, 11 addresses all scattered. Definitely a cut above the typical attack. I want to say someone/some_group is creating, has created or something is evolving.

On the flip side, "from the rumor mill," someone told me that all the offending hosts seemed to be running an ftp server primarily on OpenBSD based machines. It is rumored that 5 machines out of 5 reverse-recon'd were OpenBSD boxes.

Anyhow, if I had to parse together what I believe occurred is/was: Someone either created or is in the process of creating some form of C&C targeting IP PBX's which use SIP for registrations. Judging by the volume, the extensions/usernames targeted and the sources of the attack, they likely did some form of "parallel incrementing" recon and registration attempts (bruteforcing): "China you start with these extensions, Russia with these, Brazil with those and if someone gets blocked, then Poland pick it up, etc., etc." Who knows.

What I DO KNOW is they're constantly fiddling with international numbers almost often to the same numbers. Even when they fail, they'll still come back a week or two later and try some new and (un)improved insertions to try and make calls. I DO KNOW factually, these endpoint numbers are in some shape form or fashion under their control.

Alex Balashov wrote:
> ... that we could identify. We don't know if they were part of a coordinated scan or just launched in parallel, but they were fairly sophisticated in that they detected the nomenclature and length assignment patterns in extensions (403 Forbidden vs. 401 Unauthorized, I suppose) and zeroed in on those.

What is your methodology for naming SIP accounts? We've discovered that using something that is alpha followed by punctuation followed by a number results in zero successful name matches so far. I'm wondering what convention you use so I can think about whether we'd be vulnerable to the same discovery. When we put up simple numbers as a registration, we quickly get lots of attempts to brute force the password, often more than 5-10/second.

On 11/01/2010 05:13 PM, Carlos Alvarez wrote:
> What is your methodology for naming SIP accounts? We've discovered that using something that is alpha followed by punctuation followed by a number results in zero successful name matches so far. I'm wondering what convention you use so I can think about whether we'd be vulnerable to the same discovery.

4-digit extension numbers, but unfortunately it's not my methodology, it's the customer's. Not my choice. The passwords, however, are extremely strong.
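Alex's remark that the scanners keyed on 403 Forbidden vs. 401 Unauthorized, and Carlos's observation that alpha+punctuation+number account names never get matched while plain numbers draw a password brute force within minutes, describe the same enumeration oracle from two sides: a registrar that answers a credential-less REGISTER differently for known and unknown users lets a numeric sweep map the extension plan before a single password is tried. The Python below is an added example written for this page, not Asterisk code and not anything posted in the thread. It models a toy in-memory registrar (hypothetical user table, hypothetical domain pbx.example) that can answer either with distinct statuses or with the same status for everyone, and a scanner that sweeps a numeric range against each. The exact statuses real registrars send vary by product and version; the model keeps Alex's 401/403 pairing. In Asterisk the uniform behaviour is the sip.conf setting alwaysauthreject=yes.

```python
import re

# Hypothetical account table for this example only: two numeric extensions of the kind a
# 4-digit sweep finds, plus one name in the alpha+punctuation+number style Carlos uses.
USERS = {"1001": "correct-horse", "1002": "battery-staple", "ops.7": "s3cret"}

REQUEST_LINE = re.compile(r"^REGISTER sip:[^ ]+ SIP/2\.0\r\n")
FROM_USER = re.compile(r"\r\nFrom:[ \t]*(?:\"[^\"]*\"[ \t]*)?<sip:(?P<user>[^@>]+)@", re.I)


def build_register(user, domain="pbx.example", cseq=1):
    """A minimal credential-less REGISTER: the first probe a scanner sends per candidate."""
    return (
        f"REGISTER sip:{domain} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK{cseq}\r\n"
        f"From: \"{user}\" <sip:{user}@{domain}>;tag=1c{cseq}\r\n"
        f"To: <sip:{user}@{domain}>\r\n"
        f"Call-ID: {cseq}@203.0.113.10\r\n"
        f"CSeq: {cseq} REGISTER\r\n"
        f"Contact: <sip:{user}@203.0.113.10:5060>\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def registrar(request, users=USERS, uniform=False):
    """Status line a registrar returns to an unauthenticated REGISTER.

    uniform=False: 401 when the user exists, 403 when it does not. Every reply leaks one
                   bit, so a sweep of 1000-9999 maps the extension plan for free.
    uniform=True : the same 401 challenge for everyone, so the sweep learns nothing until
                   it also guesses a password (Asterisk: alwaysauthreject=yes).
    """
    if not REQUEST_LINE.match(request):
        return "400 Bad Request"
    m = FROM_USER.search(request)
    if not m:
        return "400 Bad Request"
    if uniform or m.group("user") in users:
        return "401 Unauthorized"
    return "403 Forbidden"


def leaky(request):
    return registrar(request, uniform=False)


def hardened(request):
    return registrar(request, uniform=True)


def numeric_sweep(lo, hi):
    """The candidate list seen in the thread: plain numbers, walked in order."""
    return [str(n) for n in range(lo, hi + 1)]


def enumerate_extensions(candidates, respond):
    """What the scanner concludes exists: candidates whose probe drew the 'known user' status."""
    return [u for u in candidates if respond(build_register(u)) == "401 Unauthorized"]


if __name__ == "__main__":
    sweep = numeric_sweep(1000, 1004)
    print("leaky registrar   :", enumerate_extensions(sweep, leaky))
    print("hardened registrar:", enumerate_extensions(sweep, hardened))
    # A name like ops.7 is never even a candidate in a numeric sweep, which is why Carlos
    # sees zero name matches; it still needs a strong password once the name is known.
    print("ops.7 in sweep    :", "ops.7" in numeric_sweep(1000, 9999))
```

Against the leaky registrar the sweep returns exactly the accounts that exist and the brute force can start on those two alone; against the hardened one it returns every candidate, which is the same as learning nothing. Non-numeric names keep an account out of the sweep altogether, but that is obscurity on top of, not instead of, the uniform response and a strong password.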
participants (5)
- abalashov@evaristesys.com
- carlos@televolve.com
- recourse@gmail.com
- richard.barnes@gmail.com
- sil@infiltrated.net