Jump to content

anyone else noticing widespread sip attacks?


mattlandis
 Share

Recommended Posts

We have a system that is being attacked by a big number of IP's all around the world. (100's of ip's)

Anyone else seeing this type of attack?

 

Matt

 

We have seens the following addresses over the past few weeks:

 

109.169.41.129

173.224.209.188

184.82.2.134

200.33.181.18

202.67.217.133

213.174.148.146

221.195.72.20

61.242.169.1

62.96.7.99

64.120.170.101

64.22.82.2

67.222.10.134

78.141.172.140

82.195.143.18 (a lot)

86.107.102.123

94.23.197.75

Link to comment
Share on other sites

here is our list in the last day:

 

109.245.187.111

109.70.68.142

109.96.244.225

110.137.41.43

110.138.137.249

110.139.148.210

110.159.95.86

110.164.241.121

110.164.34.57

110.225.149.115

111.92.44.229

112.200.118.111

112.204.6.143

113.167.157.173

113.190.31.229

114.141.49.116

114.57.230.122

115.108.33.218

115.242.88.255

115.87.169.116

117.2.11.240

117.204.228.61

117.4.230.72

117.47.71.131

118.174.1.161

118.68.253.94

118.96.33.89

118.96.40.114

118.96.42.235

118.96.7.155

119.158.76.110

119.235.249.26

119.42.82.13

120.50.18.210

122.161.153.108

122.161.242.228

122.161.242.24

122.161.76.67

122.168.35.3

122.177.10.24

122.177.176.36

122.177.201.188

123.16.121.236

123.22.187.100

124.13.33.113

125.163.19.249

125.163.233.244

125.165.186.179

125.165.186.21

125.166.221.252

125.167.176.2

125.60.240.224

178.129.2.87

178.49.17.3

180.214.233.29

180.243.92.84

187.15.19.212

187.32.97.7

187.52.171.10

187.6.218.134

187.79.192.30

188.16.109.63

189.183.28.122

189.19.60.143

189.242.57.212

189.76.88.22

189.82.177.89

190.148.148.198

190.203.137.72

190.206.48.198

190.73.201.156

195.69.222.2

196.205.148.221

200.175.120.178

200.181.230.129

200.207.126.8

201.172.108.207

201.2.95.249

201.250.252.193

201.75.138.124

201.8.206.19

201.92.65.242

202.62.84.22

211.137.104.75

212.150.140.186

212.160.234.71

213.233.92.114

222.123.157.77

222.123.158.173

222.127.232.73

222.127.78.73

222.247.49.18

222.253.99.45

223.205.32.232

24.132.59.185

41.140.164.114

41.155.23.15

41.176.133.69

41.178.183.244

41.184.20.22

41.199.2.29

41.214.184.67

41.235.239.150

41.238.232.197

41.238.233.181

41.238.234.174

41.238.234.94

41.238.235.130

41.238.235.50

58.186.20.21

58.9.135.120

59.99.186.90

60.51.93.184

62.139.231.77

74.115.0.36

74.115.1.16

74.115.1.19

74.115.1.6

77.253.119.145

77.69.159.19

78.163.59.14

78.170.163.154

78.177.30.35

78.185.114.81

78.85.185.23

79.101.232.49

79.176.107.33

79.178.24.66

79.181.49.254

80.171.100.198

81.214.241.166

82.213.146.26

83.149.44.32

83.235.23.19

83.6.86.63

85.102.208.216

85.104.134.143

85.106.193.117

85.195.133.26

85.26.232.17

85.26.233.244

85.65.221.100

85.75.124.78

85.97.210.219

85.97.46.26

85.97.88.254

85.99.150.26

86.51.233.204

88.231.1.219

88.233.184.122

88.234.196.153

88.243.112.205

88.247.54.72

88.251.35.217

89.223.211.78

89.254.238.132

89.33.147.244

91.176.139.109

92.28.193.38

92.46.213.248

92.49.195.173

92.84.250.210

93.114.180.59

94.108.208.88

94.129.132.7

94.178.187.109

94.72.94.136

94.97.31.66

95.154.118.65

95.209.9.104

Link to comment
Share on other sites

Our research is indicating:

 

-a SIP brute force Botnet appears to in operation

-It is not a massive botnet, perhaps several hundred bots worldwide (our estimation)

-very few bots in the USA

-user agent = "Asterisk PBX"

 

If there is anything else that would help anyone, let me know.

 

Matt

 

 

As you know Matt, I am currently tracking the same thing. we are seeing hundreds of hits per day. There has to be a setting in the PBX to block them permanently. I saw one today that got an extension on the second try. Good think I have secure passwords!

 

Tom

Link to comment
Share on other sites

  • 3 weeks later...

We use a honeypot application at various IP's throughout our network to find scanners. most scanners first send an OPTION message to see if your SIP port is open. our honeypot detects this and processes a block to our core router.

This has been very effective at stopping unwanted traffic before it becomes an outage issue.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...