[Freeswitch-users] No failure messages in log during SIPVicious attack

Steven Ayre steveayre at gmail.com
Fri Mar 22 11:16:41 MSK 2013


Not that weird at all... this was probably not a targeted attack. There are
botnets that do nothing other than crawling through all possible IP
addresses looking for SIP servers and, when they find one, making various
dial attempts to see if it's insecure.

Answering the call will probably do nothing other than appear that the call
'worked' (they'll not be at MS or listening to media so will only know it
rang / was answered), putting you on a list and having them come back later
to try to make other calls.

-Steve



On 22 March 2013 05:00, PhilQ <philq at qsystemsengineering.com> wrote:

> Apparently the attacker finally decided that 150 tries every 10 hours would
> take too long and gave up, or iWeb finally took care of business.
>
> Here’s another interesting one though…  every 9 minutes and 15 seconds on
> the dot, there’s an invite from an IP in Russia that’s attempting to call
> the US toll free number for Microsoft PC Safety.  Weird.  The user agent
> string identifies it as Asterisk 1.6.2.  Perhaps we should redirect them to
> a recording which tells them how to use TollFreeGateway to complete the
> call.   :)
>
> FS console:
> 2013-03-22 00:15:18.178177 [NOTICE] switch_channel.c:976 New Channel
> sofia/internal/10186672723381 at 0.0.0.0:5060
> [059bb40d-33b4-4086-b456-6663f3ad2d6a]
> 2013-03-22 00:15:18.178177 [DEBUG] switch_core_session.c:975 Send signal
> sofia/internal/10186672723381 at 0.0.0.0:5060 [BREAK]
> 2013-03-22 00:15:18.178177 [DEBUG] switch_core_session.c:975 Send signal
> sofia/internal/10186672723381 at 0.0.0.0:5060 [BREAK]
> 2013-03-22 00:15:18.178177 [DEBUG] switch_core_state_machine.c:415
> (sofia/internal/10186672723381 at 0.0.0.0:5060) Running State Change CS_NEW
> 2013-03-22 00:15:18.178177 [DEBUG] switch_core_state_machine.c:433
> (sofia/internal/10186672723381 at 0.0.0.0:5060) State NEW
> 2013-03-22 00:15:18.210157 [DEBUG] sofia.c:7752 IP 93.170.130.201 Rejected
> by acl "domains". Falling back to Digest auth.
> 2013-03-22 00:15:18.210157 [DEBUG] switch_core_session.c:975 Send signal
> sofia/internal/10186672723381 at 0.0.0.0:5060 [BREAK]
> 2013-03-22 00:15:18.210157 [DEBUG] sofia.c:1730 detaching session
> 059bb40d-33b4-4086-b456-6663f3ad2d6a
> 2013-03-22 00:15:18.210157 [WARNING] sofia_reg.c:1520 SIP auth challenge
> (INVITE) on sofia profile 'internal' for [018667272338 at xx.xx.xx.xx] from
> ip
> 93.170.130.201
> 2013-03-22 00:15:30.177999 [WARNING] switch_core_state_machine.c:514
> 059bb40d-33b4-4086-b456-6663f3ad2d6a
> sofia/internal/10186672723381 at 0.0.0.0:5060 Abandoned
> 2013-03-22 00:15:30.177999 [DEBUG] switch_channel.c:3011
> (sofia/internal/10186672723381 at 0.0.0.0:5060) Callstate Change DOWN ->
> HANGUP
> 2013-03-22 00:15:30.177999 [NOTICE] switch_core_state_machine.c:517 Hangup
> sofia/internal/10186672723381 at 0.0.0.0:5060 [CS_NEW] [WRONG_CALL_STATE]
> ...
>
> Tcpdump:
> [root at server log]# tcpdump -nnXSs 512 host 93.170.130.201
> tcpdump: WARNING: peth0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on peth0, link-type EN10MB (Ethernet), capture size 512 bytes
> 00:15:18.185048 IP 93.170.130.201.5060 > 192.168.1.6.5060: SIP, length: 466
>         0x0000:  4500 01ee 0000 4000 fc11 dadc 5daa 82c9  E..... at .....]...
>         0x0010:  c0a8 0106 13c4 13c4 01da 1ca1 494e 5649  ............INVI
>         0x0020:  5445 2073 6970 3a30 3138 3636 3732 3732  TE.sip:018667272
>         0x0030:  3333 3840 xxxx 2exx xxxx 2exx xx2e xxxx  338 at xx.xx.xx.xx
>         0x0040:  363a 3530 3630 2053 4950 2f32 2e30 0d0a  6:5060.SIP/2.0..
>         0x0050:  4361 6c6c 2d49 443a 2039 3831 3961 3362  Call-ID:.9819a3b
>         0x0060:  372d 3839 6535 2d34 6534 382d 3862 6630  7-89e5-4e48-8bf0
>         0x0070:  2d37 6139 3532 3266 6133 3362 300d 0a43  -7a9522fa33b0..C
>         0x0080:  5365 713a 2031 2049 4e56 4954 450d 0a56  Seq:.1.INVITE..V
>         0x0090:  6961 3a20 5349 502f 322e 302f 5544 5020  ia:.SIP/2.0/UDP.
>         0x00a0:  302e 302e 302e 303a 3530 3630 3b62 7261  0.0.0.0:5060;bra
>         0x00b0:  6e63 683d 7a39 6847 3462 4b2d 3831 3564  nch=z9hG4bK-815d
>         0x00c0:  3130 3633 6134 6631 3b72 706f 7274 0d0a  1063a4f1;rport..
>         0x00d0:  4672 6f6d 3a20 3c73 6970 3a31 3031 3836  From:.<sip:10186
>         0x00e0:  3637 3237 3233 3338 3140 302e 302e 302e  672723381 at 0.0.0.
>         0x00f0:  303a 3530 3630 3e3b 7461 673d 4e44 6469  0:5060>;tag=NDdi
>         0x0100:  4d7a 4531 4e7a 5178 4d32 4d30 4d44 4177  MzE1NzQxM2M0MDAw
>         0x0110:  4d44 5533 4154 4530 4f44 4d31 4e54 5934  MDU3ATE0ODM1NTY4
>         0x0120:  0d0a 546f 3a20 3c73 6970 3a30 3138 3636  ..To:.<sip:01866
>         0x0130:  3732 3732 3333 3840 xxxx 2exx xxxx 2exx  7272338 at xx.xx.x
>         0x0140:  xx2e xxxx xx3e 0d0a 436f 6e74 6163 743a  x.xx>..Contact:
>         0x0150:  2022 3130 3138 3636 3732 3732 3333 3831  ."10186672723381
>         0x0160:  2220 3c73 6970 3a31 3031 3836 3637 3237  ".<sip:101866727
>         0x0170:  3233 3338 3130 2e30 2e30 2e30 3a35 3036  233810.0.0.0:506
>         0x0180:  303b 7472 616e 7370 6f72 743d 7564 703e  0;transport=udp>
>         0x0190:  0d0a 4d61 782d 466f 7277 6172 6473 3a20  ..Max-Forwards:.
>         0x01a0:  3730 0d0a 5573 6572 2d41 6765 6e74 3a20  70..User-Agent:.
>         0x01b0:  4173 7465 7269 736b 2031 2e36 2e32 0d0a  Asterisk.1.6.2..
>         0x01c0:  4163 6365 7074 3a20 6170 706c 6963 6174  Accept:.applicat
>         0x01d0:  696f 6e2f 7364 700d 0a43 6f6e 7465 6e74  ion/sdp..Content
>         0x01e0:  2d4c 656e 6768 743a 2030 0d0a 0d0a       -Lenght:.0....
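The quoted log already contains the signal a defender needs: every probe leaves a `sofia_reg.c` "SIP auth challenge ... from ip X" WARNING, and PhilQ's attacker fires them on a fixed 9 minute 15 second cycle. Below is an added example (not code from this thread or from FreeSWITCH) that parses those WARNING lines, counts challenges per source IP, and flags sources that are both high-volume and metronomically periodic, which is the signature of an unattended scanner rather than a misconfigured phone. The sample log lines are constructed to mirror the quoted ones (FreeSWITCH logs a literal `@`, which the list archive rendered as " at "), the second source `203.0.113.7` is a documentation address, and the thresholds (3 challenges per hour, under 1 s of jitter between probes) are assumptions to tune for your own traffic.

```python
"""Flag SIP-scanner sources from FreeSWITCH console/log lines.

Added example for the freeswitch-users thread; not FreeSWITCH code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the WARNING that sofia_reg.c emits when an unauthenticated request is
# challenged.  Group names are ours; the line layout is what FreeSWITCH prints.
CHALLENGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \[WARNING\] sofia_reg\.c:\d+ "
    r"SIP auth challenge \((?P<method>[A-Z]+)\) on sofia profile '(?P<profile>[^']+)' "
    r"for \[(?P<user>[^\]]+)\] from ip (?P<ip>[0-9a-fA-F.:]+)$"
)

# Constructed sample: four probes from the quoted source exactly 555 s apart
# (9 min 15 s), some DEBUG noise, and one stray REGISTER from another address.
SAMPLE_LOG = [
    "2013-03-22 00:15:18.178177 [NOTICE] switch_channel.c:976 New Channel sofia/internal/10186672723381@0.0.0.0:5060 [059bb40d-33b4-4086-b456-6663f3ad2d6a]",
    "2013-03-22 00:15:18.210157 [DEBUG] sofia.c:7752 IP 93.170.130.201 Rejected by acl \"domains\". Falling back to Digest auth.",
    "2013-03-22 00:15:18.210157 [WARNING] sofia_reg.c:1520 SIP auth challenge (INVITE) on sofia profile 'internal' for [018667272338@xx.xx.xx.xx] from ip 93.170.130.201",
    "2013-03-22 00:15:30.177999 [NOTICE] switch_core_state_machine.c:517 Hangup sofia/internal/10186672723381@0.0.0.0:5060 [CS_NEW] [WRONG_CALL_STATE]",
    "2013-03-22 00:24:33.210157 [WARNING] sofia_reg.c:1520 SIP auth challenge (INVITE) on sofia profile 'internal' for [018667272338@xx.xx.xx.xx] from ip 93.170.130.201",
    "2013-03-22 00:30:01.000000 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1001@xx.xx.xx.xx] from ip 203.0.113.7",
    "2013-03-22 00:33:48.210157 [WARNING] sofia_reg.c:1520 SIP auth challenge (INVITE) on sofia profile 'internal' for [018667272338@xx.xx.xx.xx] from ip 93.170.130.201",
    "2013-03-22 00:43:03.210157 [WARNING] sofia_reg.c:1520 SIP auth challenge (INVITE) on sofia profile 'internal' for [018667272338@xx.xx.xx.xx] from ip 93.170.130.201",
]


def parse_challenges(lines):
    """Yield (timestamp, ip, method, user) for each auth-challenge line; skip the rest."""
    for line in lines:
        m = CHALLENGE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["ip"], m["method"], m["user"]


def flag_sources(lines, window=timedelta(hours=1), threshold=3, jitter_s=1.0):
    """Group challenges by source IP and score each source.

    A source is flagged when at least `threshold` challenges fall inside any
    sliding `window`.  `periodic` is set when the gaps between consecutive
    probes differ by less than `jitter_s`, i.e. a timer-driven scanner.
    """
    by_ip = defaultdict(list)
    for ts, ip, method, user in parse_challenges(lines):
        by_ip[ip].append((ts, method, user))

    report = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [e[0] for e in events]

        # Largest number of events inside any window of the given length.
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)

        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[ip] = {
            "count": len(events),
            "peak_in_window": peak,
            "methods": sorted({e[1] for e in events}),
            "targets": sorted({e[2] for e in events}),
            "interval_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
            "periodic": len(gaps) >= 2 and (max(gaps) - min(gaps)) < jitter_s,
            "flagged": peak >= threshold,
        }
    return report


if __name__ == "__main__":
    for ip, info in flag_sources(SAMPLE_LOG).items():
        status = "FLAG" if info["flagged"] else "ok  "
        print(f"{status} {ip:16} n={info['count']} peak/1h={info['peak_in_window']} "
              f"interval={info['interval_s']} periodic={info['periodic']} "
              f"targets={','.join(info['targets'])}")
```

Feed it `tail -f` of the FreeSWITCH log (or the console output with loglevel at WARNING or above) and the 93.170.130.201 source shows up with four INVITE challenges at a 555 s interval and `periodic=True`, while the single REGISTER from the other address stays below threshold. The match is the same event a fail2ban-style filter would ban on; reporting the periodicity and the dialled targets alongside it is what tells you whether you are looking at a toll-fraud scanner or one user with a bad password.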