mattlandis Posted November 1, 2010
We have a system that is being attacked by a big number of IPs all around the world (100s of IPs). Anyone else seeing this type of attack?
Matt

Vodia PBX Posted November 1, 2010
We have seen the following addresses over the past few weeks:

mattlandis Posted November 1, 2010
Here is our list in the last day:

Vodia PBX Posted November 1, 2010
Who-how! Automatic blacklisting seems a killer feature these days!!!

mattlandis Posted November 1, 2010
You think that system is under attack? ;-) Think it is some kind of botnet thing or what? It is a different type of attack than I've seen before. Has anyone else? Also it has been sustained for over 24 hrs now too. Blacklist = absolutely essential.
Matt

mattlandis Posted November 1, 2010
Our research is indicating:
- a SIP brute force botnet appears to be in operation
- it is not a massive botnet, perhaps several hundred bots worldwide (our estimation)
- very few bots in the USA
- user agent = "Asterisk PBX"
If there is anything else that would help anyone, let me know.
Matt

Tom Waterman Posted November 2, 2010
As you know Matt, I am currently tracking the same thing. We are seeing hundreds of hits per day. There has to be a setting in the PBX to block them permanently. I saw one today that got an extension on the second try. Good thing I have secure passwords!
Tom

hosted Posted November 20, 2010
We use a honeypot application at various IPs throughout our network to find scanners. Most scanners first send an OPTION message to see if your SIP port is open. Our honeypot detects this and processes a block to our core router. This has been very effective at stopping unwanted traffic before it becomes an outage issue.

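A sketch of the honeypot check described in the post above, added here as an example and not the poster's application: it parses datagrams that arrive on an address hosting no real SIP service and returns the sources to hand to whatever applies the block. The function names, the `never_block` exemption list and the sample traffic are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

SIP_METHODS = {"OPTIONS", "REGISTER", "INVITE", "SUBSCRIBE", "MESSAGE"}

def parse_sip_request(datagram: bytes):
    """Return (method, user_agent) for a SIP request, else None."""
    lines = datagram.decode("utf-8", errors="replace").splitlines() or [""]
    parts = lines[0].split(" ")
    # Responses start with "SIP/2.0", so they and non-SIP noise fail this check.
    if len(parts) != 3 or parts[2] != "SIP/2.0" or parts[0] not in SIP_METHODS:
        return None
    user_agent = ""
    for line in lines[1:]:
        if not line:  # a blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":  # names are case-insensitive
            user_agent = value.strip()
    return parts[0], user_agent

def honeypot_blocklist(events, never_block=()):
    """Map each source that sent a SIP request to the honeypot to what it sent.

    never_block (hypothetical parameter): CIDR ranges such as trunks or own
    phones that are exempt, because a UDP source address can be forged.
    """
    protected = [ipaddress.ip_network(n) for n in never_block]
    hits = defaultdict(lambda: {"methods": set(), "user_agents": set()})
    for src, datagram in events:
        parsed = parse_sip_request(datagram)
        if parsed is None:
            continue
        if any(ipaddress.ip_address(src) in net for net in protected):
            continue
        method, user_agent = parsed
        hits[src]["methods"].add(method)
        if user_agent:
            hits[src]["user_agents"].add(user_agent)
    return dict(hits)

# Constructed sample traffic; every address is from a documentation range.
SAMPLE_EVENTS = [
    ("203.0.113.10", b"OPTIONS sip:100@198.51.100.1 SIP/2.0\r\nUser-Agent: Asterisk PBX\r\n\r\n"),
    ("203.0.113.10", b"REGISTER sip:198.51.100.1 SIP/2.0\r\nuser-agent: Asterisk PBX\r\n\r\n"),
    ("198.51.100.7", b"SIP/2.0 200 OK\r\nContent-Length: 0\r\n\r\n"),  # a response
    ("192.0.2.99", b"\x00\xff not sip"),                               # noise
    ("192.0.2.5", b"OPTIONS sip:198.51.100.1 SIP/2.0\r\n\r\n"),        # exempt below
]

if __name__ == "__main__":
    for ip, seen in honeypot_blocklist(SAMPLE_EVENTS, ["192.0.2.0/29"]).items():
        print(ip, sorted(seen["methods"]), sorted(seen["user_agents"]))
```
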
mattlandis Posted November 20, 2010
Thanks for that tip.