[Freeswitch-users] No failure messages in log during SIPVicious attack

PhilQ philq at qsystemsengineering.com
Fri Mar 22 08:00:07 MSK 2013


Apparently the attacker finally decided that 150 tries every 10 hours would
take too long and gave up, or iWeb finally took care of business.

Here’s another interesting one though…  every 9 minutes and 15 seconds on
the dot, there’s an invite from an IP in Russia that’s attempting to call
the US toll free number for Microsoft PC Safety.  Weird.  The user agent
string identifies it as Asterisk 1.6.2.  Perhaps we should redirect them to
a recording which tells them how to use TollFreeGateway to complete the
call.   :)

FS console:
2013-03-22 00:15:18.178177 [NOTICE] switch_channel.c:976 New Channel
sofia/internal/10186672723381 at 0.0.0.0:5060
[059bb40d-33b4-4086-b456-6663f3ad2d6a]
2013-03-22 00:15:18.178177 [DEBUG] switch_core_session.c:975 Send signal
sofia/internal/10186672723381 at 0.0.0.0:5060 [BREAK]
2013-03-22 00:15:18.178177 [DEBUG] switch_core_session.c:975 Send signal
sofia/internal/10186672723381 at 0.0.0.0:5060 [BREAK]
2013-03-22 00:15:18.178177 [DEBUG] switch_core_state_machine.c:415
(sofia/internal/10186672723381 at 0.0.0.0:5060) Running State Change CS_NEW
2013-03-22 00:15:18.178177 [DEBUG] switch_core_state_machine.c:433
(sofia/internal/10186672723381 at 0.0.0.0:5060) State NEW
2013-03-22 00:15:18.210157 [DEBUG] sofia.c:7752 IP 93.170.130.201 Rejected
by acl "domains". Falling back to Digest auth.
2013-03-22 00:15:18.210157 [DEBUG] switch_core_session.c:975 Send signal
sofia/internal/10186672723381 at 0.0.0.0:5060 [BREAK]
2013-03-22 00:15:18.210157 [DEBUG] sofia.c:1730 detaching session
059bb40d-33b4-4086-b456-6663f3ad2d6a
2013-03-22 00:15:18.210157 [WARNING] sofia_reg.c:1520 SIP auth challenge
(INVITE) on sofia profile 'internal' for [018667272338 at xx.xx.xx.xx] from ip
93.170.130.201
2013-03-22 00:15:30.177999 [WARNING] switch_core_state_machine.c:514
059bb40d-33b4-4086-b456-6663f3ad2d6a
sofia/internal/10186672723381 at 0.0.0.0:5060 Abandoned
2013-03-22 00:15:30.177999 [DEBUG] switch_channel.c:3011
(sofia/internal/10186672723381 at 0.0.0.0:5060) Callstate Change DOWN -> HANGUP
2013-03-22 00:15:30.177999 [NOTICE] switch_core_state_machine.c:517 Hangup
sofia/internal/10186672723381 at 0.0.0.0:5060 [CS_NEW] [WRONG_CALL_STATE]
...

Tcpdump:
[root at server log]# tcpdump -nnXSs 512 host 93.170.130.201
tcpdump: WARNING: peth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on peth0, link-type EN10MB (Ethernet), capture size 512 bytes
00:15:18.185048 IP 93.170.130.201.5060 > 192.168.1.6.5060: SIP, length: 466
        0x0000:  4500 01ee 0000 4000 fc11 dadc 5daa 82c9  E..... at .....]...
        0x0010:  c0a8 0106 13c4 13c4 01da 1ca1 494e 5649  ............INVI
        0x0020:  5445 2073 6970 3a30 3138 3636 3732 3732  TE.sip:018667272
        0x0030:  3333 3840 xxxx 2exx xxxx 2exx xx2e xxxx  338 at xx.xx.xx.xx
        0x0040:  363a 3530 3630 2053 4950 2f32 2e30 0d0a  6:5060.SIP/2.0..
        0x0050:  4361 6c6c 2d49 443a 2039 3831 3961 3362  Call-ID:.9819a3b
        0x0060:  372d 3839 6535 2d34 6534 382d 3862 6630  7-89e5-4e48-8bf0
        0x0070:  2d37 6139 3532 3266 6133 3362 300d 0a43  -7a9522fa33b0..C
        0x0080:  5365 713a 2031 2049 4e56 4954 450d 0a56  Seq:.1.INVITE..V
        0x0090:  6961 3a20 5349 502f 322e 302f 5544 5020  ia:.SIP/2.0/UDP.
        0x00a0:  302e 302e 302e 303a 3530 3630 3b62 7261  0.0.0.0:5060;bra
        0x00b0:  6e63 683d 7a39 6847 3462 4b2d 3831 3564  nch=z9hG4bK-815d
        0x00c0:  3130 3633 6134 6631 3b72 706f 7274 0d0a  1063a4f1;rport..
        0x00d0:  4672 6f6d 3a20 3c73 6970 3a31 3031 3836  From:.<sip:10186
        0x00e0:  3637 3237 3233 3338 3140 302e 302e 302e  672723381 at 0.0.0.
        0x00f0:  303a 3530 3630 3e3b 7461 673d 4e44 6469  0:5060>;tag=NDdi
        0x0100:  4d7a 4531 4e7a 5178 4d32 4d30 4d44 4177  MzE1NzQxM2M0MDAw
        0x0110:  4d44 5533 4154 4530 4f44 4d31 4e54 5934  MDU3ATE0ODM1NTY4
        0x0120:  0d0a 546f 3a20 3c73 6970 3a30 3138 3636  ..To:.<sip:01866
        0x0130:  3732 3732 3333 3840 xxxx 2exx xxxx 2exx  7272338 at xx.xx.x
        0x0140:  xx2e xxxx xx3e 0d0a 436f 6e74 6163 743a  x.xx>..Contact:
        0x0150:  2022 3130 3138 3636 3732 3732 3333 3831  ."10186672723381
        0x0160:  2220 3c73 6970 3a31 3031 3836 3637 3237  ".<sip:101866727
        0x0170:  3233 3338 3130 2e30 2e30 2e30 3a35 3036  233810.0.0.0:506
        0x0180:  303b 7472 616e 7370 6f72 743d 7564 703e  0;transport=udp>
        0x0190:  0d0a 4d61 782d 466f 7277 6172 6473 3a20  ..Max-Forwards:.
        0x01a0:  3730 0d0a 5573 6572 2d41 6765 6e74 3a20  70..User-Agent:.
        0x01b0:  4173 7465 7269 736b 2031 2e36 2e32 0d0a  Asterisk.1.6.2..
        0x01c0:  4163 6365 7074 3a20 6170 706c 6963 6174  Accept:.applicat
        0x01d0:  696f 6e2f 7364 700d 0a43 6f6e 7465 6e74  ion/sdp..Content
        0x01e0:  2d4c 656e 6768 743a 2030 0d0a 0d0a       -Lenght:.0....
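Since the rejected INVITEs above surface only as sofia_reg.c auth-challenge WARNINGs (the ACL rejection itself is logged at DEBUG), grouping those warnings by source IP is the practical way to spot both a scripted redial like this one and a SIPVicious-style sweep. Added example, not from the post or from FreeSWITCH: a Python parser and classifier run over constructed log lines (the 9m15s cadence and 93.170.130.201 come from the post; the other addresses and user names are made up).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

# sofia_reg.c "SIP auth challenge" WARNING, one event per line (the archive shows '@' as ' at ').
CHALLENGE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[WARNING\] sofia_reg\.c:\d+ SIP auth challenge \((?P<method>[A-Z]+)\) "
    r"on sofia profile '[^']+' for \[(?P<user>[^@\]]+)@[^\]]+\] from ip (?P<ip>\d+(?:\.\d+){3})$"
)

def parse_challenges(lines):
    """Group challenges as {source_ip: [(timestamp, method, user), ...]}."""
    by_ip = defaultdict(list)
    for line in lines:
        if m := CHALLENGE_RE.match(line):
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            by_ip[m["ip"]].append((ts, m["method"], m["user"]))
    return by_ip

def classify(events, min_events=3, max_jitter=2.0, window=60, burst=20):
    """'burst': >= `burst` challenges inside `window` seconds (scanner/brute force);
    'periodic': fixed cadence with low jitter (scripted redial); else 'normal'."""
    times = sorted(t for t, _, _ in events)
    if len(times) < min_events:
        return "normal"
    j = 0
    for i, t in enumerate(times):  # sliding window over the sorted timestamps
        while t - times[j] > timedelta(seconds=window):
            j += 1
        if i - j + 1 >= burst:
            return "burst"
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return "periodic" if pstdev(gaps) <= max_jitter else "normal"

def report(lines):
    """Per source IP: (label, challenge count, distinct users tried)."""
    return {ip: (classify(ev), len(ev), len({u for _, _, u in ev}))
            for ip, ev in parse_challenges(lines).items()}

# Constructed sample: the 9m15s redial of one toll-free number from the IP in the post,
# plus a 25-user REGISTER sweep from a TEST-NET address (made up).
_T0 = datetime(2013, 3, 22, 0, 15, 18, 210157)
def _line(ts, method, user, ip):
    return (f"{ts:%Y-%m-%d %H:%M:%S.%f} [WARNING] sofia_reg.c:1520 SIP auth challenge "
            f"({method}) on sofia profile 'internal' for [{user}@203.0.113.10] from ip {ip}")
SAMPLE_LOG = (
    [_line(_T0 + timedelta(minutes=9, seconds=15) * k, "INVITE", "018667272338", "93.170.130.201")
     for k in range(4)]
    + [_line(_T0 + timedelta(seconds=k), "REGISTER", str(100 + k), "198.51.100.7") for k in range(25)]
)
```

Feed it `report(open("freeswitch.log").read().splitlines())`; a 'periodic' source that redials one external number is the toll-fraud pattern from the post, a 'burst' source with many distinct users is a scanner.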




