
So I rebuilt/redesigned/re-deployed a script to add bad hosts to a blacklist. Script is monitoring my SBCs, hosted PBXs, etc., aggregated, sorted, then reported. Tried to remove duplicate addresses. Also, because I deal with forensics and malware, I did a similar script for bad sites that are serving out malware.

For VoIP attacks, one can make a script to check for VoIP based attackers and block them on the fly. E.g.:

    links -dump twitter.com/efensive | awk '/VoIP/'

To make say an automated ipfilter rule:

    links -dump twitter.com/efensive | \
    awk '{print "iptables -A INPUT -s "$1" -j DROP"}' | sort -u | \
    sh

Same goes for any other style rule (ASA, PIX, ScreenOS on the command line). You get the point. Enjoy.

(Cross posted to Voice Ops)

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
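Added example, not from the post above or from the author's script: the same feed-to-firewall idea as the `links -dump ... | awk ... | sh` one-liner, with the checks a practitioner would want before anything is handed to iptables: parse only tagged lines, accept only literal IPv4 addresses, never block reserved or private space, never block an allowlist (the spoofing and "well-known address" caveat raised later in the thread), de-duplicate, and build rules into a dedicated chain that can be flushed and rebuilt on each refresh. The feed format (address first, tag such as `VoIP` after it), the `FEED` sample, the chain name `VOIP_BLOCK` and the allowlist networks are all assumptions; the sample uses RFC 5737 documentation addresses as stand-ins for public attacker addresses.

```python
# Added example (not from the original post): feed dump -> validated
# iptables rules.  Assumptions: one candidate per line, IPv4 address first,
# tag after it; allowlist networks are placeholders for the operator's own
# SBC/carrier ranges and for third-party ranges that must never be blocked
# on the say-so of a public feed.
import ipaddress

# Constructed sample of a feed dump.  RFC 5737 documentation addresses
# stand in for public attacker addresses.
FEED = """\
Some page header text that is not an entry at all
198.51.100.23 VoIP SIP REGISTER brute force
198.51.100.23 VoIP SIP REGISTER brute force
203.0.113.77 VoIP friendly-scanner sweep
203.0.113.77 Malware drive-by landing page
192.168.1.10 VoIP (someone leaked an internal address)
10.0.0.1 VoIP
203.0.113.200 VoIP (hits arriving via a well-known proxy range)
192.0.2.5 VoIP (one of our own SBCs, reported by mistake)
not-an-ip VoIP
198.51.100.9 Malware exploit kit
"""

# Networks that are never blocked regardless of what the feed says.  Spelled
# out explicitly instead of using IPv4Address.is_global, because the
# documentation ranges in the sample would otherwise be treated as reserved.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Placeholder allowlist (assumption): our own SBC block and a third-party
# range whose addresses attackers may be bouncing through.
ALLOWLIST = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("203.0.113.192/26"),
]


def extract_attackers(text, tag="VoIP", allowlist=ALLOWLIST):
    """Return sorted, de-duplicated IPv4 addresses from lines tagged `tag`,
    dropping junk lines, reserved/private space and allowlisted networks."""
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or tag not in fields[1:]:
            continue
        try:
            addr = ipaddress.IPv4Address(fields[0])
        except ipaddress.AddressValueError:
            continue  # first field is not a literal IPv4 address
        if any(addr in net for net in NEVER_BLOCK):
            continue
        if any(addr in net for net in allowlist):
            continue
        found.add(addr)
    return sorted(found)


def iptables_rules(addrs, chain="VOIP_BLOCK"):
    """Render rules into a dedicated chain that is created on first use and
    flushed on every refresh, instead of appending ever more rules to INPUT."""
    rules = [f"iptables -N {chain} 2>/dev/null || iptables -F {chain}"]
    rules += [f"iptables -A {chain} -s {addr} -j DROP" for addr in addrs]
    return rules


if __name__ == "__main__":
    # Print the rules for review; pipe them to sh only once the feed is trusted.
    for rule in iptables_rules(extract_attackers(FEED)):
        print(rule)
```

The INPUT chain needs a single permanent jump (`iptables -I INPUT -j VOIP_BLOCK`) once; after that every refresh only rebuilds the `VOIP_BLOCK` chain, so a stale or poisoned feed can be backed out by flushing one chain rather than by hunting for individual DROP rules in INPUT.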

Hi

This is nice.

We publish similar data for honeypot attacks which might be useful to someone: http://mirror.simwood.com/honeypot/

There's a major caveat with any data like this though when automating, and that is the potential to spoof addresses or use well-known addresses on their behalf. There's one simple attack, for example, that attempts to dictionary-attack admin pages using Google crawlers.

cheers
Simon

On 9 January 2013 19:08, J. Oquendo <sil at infiltrated.net> wrote:
> So I rebuilt/redesigned/re-deployed a script to add bad hosts to a blacklist. Script is monitoring my SBCs, hosted PBXs, etc., aggregated, sorted, then reported. Tried to remove duplicate addresses. Also, because I deal with forensics and malware, I did a similar script for bad sites that are serving out malware.
>
> For VoIP attacks, one can make a script to check for VoIP based attackers and block them on the fly. E.g.:
>
>     links -dump twitter.com/efensive | awk '/VoIP/'
>
> To make say an automated ipfilter rule:
>
>     links -dump twitter.com/efensive | \
>     awk '{print "iptables -A INPUT -s "$1" -j DROP"}' | sort -u | \
>     sh
>
> Same goes for any other style rule (ASA, PIX, ScreenOS on the command line). You get the point. Enjoy.
>
> (Cross posted to Voice Ops)
> -- 
> J. Oquendo
>
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
-- 
"Here's to the crazy ones. The misfits. The rebels. The troublemakers. The round pegs in the square holes. The ones who see things differently. They're not fond of rules. And they have no respect for the status quo. You can quote them, disagree with them, glorify or vilify them. About the only thing you can't do is ignore them. Because they change things. They push the human race forward. And while some may see them as the crazy ones, we see genius. Because the people who are crazy enough to think they can change the world, are the ones who do."
Steve Jobs, Think Different <http://www.youtube.com/watch?feature=player_embedded&v=8rwsuXHA7RA>

***
Simon Woodhead FCSI
Managing Director <http://www.simwood.com>
Simwood eSMS Limited
Wholesale Telecommunications
w: http://www.simwood.com
t: @simwoodesms <https://twitter.com/#!/simwoodesms>
direct line: +44 (0) 29 2120 2121
direct fax: +44 (0) 29 2120 2021
reception: +44 (0) 29 2120 2120
main fax: +44 (0) 29 2120 2020

***** Email confidentiality notice *****
This message is private and confidential. If you have received this message in error, please notify us and remove it from your system.
Simwood eSMS Limited is a limited company registered in England and Wales. Registered number: 03379831. Registered office: c/o HW Chartered Accountants, Keepers Lane, The Wergs, Wolverhampton, WV6 8UA. Trading address: Falcon Drive, Cardiff Bay, Cardiff, CF10 4RU.

Hi all,

thanks for this blacklist-idea. We (institute of telecommunication, VUT) worked a few years ago on a similar topic. We solved the IP blocking by using the DNS Blacklist approach like the antispam-blacklist services (e.g., http://www.dnsbl.manitu.net/?language=en).

The technical realisation was surprisingly simple: there is a mysql backend for the BIND DNS server (http://mysql-bind.sourceforge.net/). Our honeypot approach took the source IP and the IP in the Contact header (if not from a private subnet) and added it to this BIND backend DB (together with a timestamp). The timestamp is updated every time an entry is renewed. Triggered by a cron-job, we started a cleanup-script which removed all entries with a timestamp older than two days.

Creating DNSBL-lookup modules for openser/opensip/... and asterisk was also simple.

HTH :)

br
Michael

On 09.01.2013 21:23, Simon Woodhead wrote:
> Hi
>
> This is nice.
>
> We publish similar data for honeypot attacks which might be useful to someone: http://mirror.simwood.com/honeypot/
>
> There's a major caveat with any data like this though when automating, and that is the potential to spoof addresses or use well-known addresses on their behalf. There's one simple attack, for example, that attempts to dictionary-attack admin pages using Google crawlers.
>
> cheers
> Simon
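Added example, not from Michael's message or from the VUT honeypot code: a minimal offline model of the DNSBL-style blocklist he describes. The MySQL-backed BIND zone is replaced by an in-memory dict keyed by the DNSBL name, but the data flow is the one in the message: take the source IP and the Contact-header IP of each honeypot hit, skip private subnets, store a timestamp that is refreshed on every hit, purge entries older than two days from a cron-style cleanup, and answer lookups by the reversed-octet name a DNSBL zone would serve. The zone name `sipbl.example`, the constructed INVITE, and the use of RFC 5737 documentation addresses as stand-ins for public ones are assumptions.

```python
# Added example (not from the original thread): in-memory model of the
# DNSBL blocklist described above.  Assumptions: placeholder zone
# 'sipbl.example', a constructed SIP INVITE, and RFC 5737 documentation
# addresses standing in for public addresses.
import ipaddress
import re
from datetime import datetime, timedelta

ZONE = "sipbl.example"          # placeholder DNSBL zone (assumption)
MAX_AGE = timedelta(days=2)     # entries older than this are purged

# Checked explicitly rather than via IPv4Address.is_private, which would
# also reject the documentation addresses used in the sample.
PRIVATE_SUBNETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed INVITE as a honeypot might receive it from a scanner whose
# Contact header points at a different public host than the packet source.
SAMPLE_INVITE = (
    "INVITE sip:1000@198.51.100.5 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.77:5060;branch=z9hG4bK-1\r\n"
    "From: \"100\" <sip:100@198.51.100.5>;tag=1\r\n"
    "To: <sip:1000@198.51.100.5>\r\n"
    "Contact: <sip:100@198.51.100.23:5060>\r\n"
    "Call-ID: 1@203.0.113.77\r\n"
    "CSeq: 1 INVITE\r\n"
    "\r\n"
)

_CONTACT_HOST = re.compile(r"^Contact:\s*<?sip:(?:[^@>\s]*@)?([0-9.]+)", re.I | re.M)


def contact_ip(message):
    """Host part of the Contact header as an IPv4Address, or None when it is
    absent or not a literal IPv4 address (hostnames are deliberately ignored)."""
    m = _CONTACT_HOST.search(message)
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(m.group(1))
    except ipaddress.AddressValueError:
        return None


def in_private_subnet(addr):
    return any(addr in net for net in PRIVATE_SUBNETS)


def dnsbl_name(addr, zone=ZONE):
    """DNSBL convention: reversed octets under the zone,
    e.g. 203.0.113.77 -> 77.113.0.203.sipbl.example"""
    return ".".join(reversed(str(addr).split("."))) + "." + zone


class Blocklist:
    """Stand-in for the BIND backend table: DNSBL name -> last-seen time."""

    def __init__(self):
        self.entries = {}

    def record_hit(self, src_ip, message, now):
        """Add or refresh the source IP and the Contact IP of one honeypot
        hit; returns the addresses that were (re)listed."""
        listed = []
        for addr in (ipaddress.IPv4Address(src_ip), contact_ip(message)):
            if addr is None or in_private_subnet(addr):
                continue
            self.entries[dnsbl_name(addr)] = now   # timestamp renewed on every hit
            listed.append(str(addr))
        return listed

    def cleanup(self, now, max_age=MAX_AGE):
        """The cron job: remove entries whose timestamp is older than max_age."""
        stale = [name for name, seen in self.entries.items() if now - seen > max_age]
        for name in stale:
            del self.entries[name]
        return len(stale)

    def is_listed(self, ip):
        """What a DNSBL module in the SIP proxy does: resolve the reversed name
        under the zone; here a dict lookup stands in for the DNS query."""
        return dnsbl_name(ipaddress.IPv4Address(ip)) in self.entries


def demo():
    """Two hits one day apart, then a cleanup two days and an hour after the first:
    the refreshed source IP survives, the Contact IP seen only once expires."""
    bl = Blocklist()
    t0 = datetime(2013, 1, 9, 19, 8)
    bl.record_hit("203.0.113.77", SAMPLE_INVITE, t0)
    # Same source a day later, now advertising a private Contact, which is ignored.
    bl.record_hit("203.0.113.77",
                  SAMPLE_INVITE.replace("198.51.100.23", "192.168.0.5"),
                  t0 + timedelta(days=1))
    purged = bl.cleanup(t0 + timedelta(days=2, hours=1))
    return purged, bl.is_listed("203.0.113.77"), bl.is_listed("198.51.100.23")
```

The reason the Contact host is listed at all is that scanners routinely send from one address and advertise another; listing both catches the second host before it is used as a source. Two consequences follow that the real deployment has to live with: a spoofed Contact can get an innocent public address listed for two days, which is why the proxy-side module should treat a listing as a reason to rate-limit or challenge rather than to drop silently, and the refresh-on-hit timestamp means a persistent scanner is never aged out while it keeps knocking.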

This is interesting, using twitter as a blacklist distribution mechanism. While I would be wary of using this for any kind of automated blocking purposes due to the possibility of spoofed addresses, it is an interesting approach for sure.

I wonder if it's worthwhile putting together a similar twitter watchlist for fraudulent international numbers (IRSF destinations). I know I can produce a pretty significant list of IRSF destinations that others may find useful and I am sure the reverse is also true.

On 01/09/2013 11:08 AM, J. Oquendo wrote:
> So I rebuilt/redesigned/re-deployed a script to add bad hosts to a blacklist. Script is monitoring my SBCs, hosted PBXs, etc., aggregated, sorted, then reported. Tried to remove duplicate addresses. Also, because I deal with forensics and malware, I did a similar script for bad sites that are serving out malware.
>
> For VoIP attacks, one can make a script to check for VoIP based attackers and block them on the fly. E.g.:
>
>     links -dump twitter.com/efensive | awk '/VoIP/'
>
> To make say an automated ipfilter rule:
>
>     links -dump twitter.com/efensive | \
>     awk '{print "iptables -A INPUT -s "$1" -j DROP"}' | sort -u | \
>     sh
>
> Same goes for any other style rule (ASA, PIX, ScreenOS on the command line). You get the point. Enjoy.
>
> (Cross posted to Voice Ops)
participants (4)
- ryandelgrosso@gmail.com
- sil@infiltrated.net
- simon.woodhead@simwood.com
- sipp@hirschbichler.biz