Hello John: For your clarification - 4 test servers running on 4 IP addresses, Rogers Cable home, Rogers Cable Business, TekSavvy DSL, and Bell DSL. These were test servers, so they are not located in the same facility or a real data centre. Also, machines experiencing SIP brute force DDOS attacks without even registering to any provider tells me the scanners are scanning/sniffing open ports.
There are three other high-end production servers located at data centres with different subnets. I would normally agree with you with regards to an inside job, but when all 4-7 coins are flipped and land on the same side - I don't think that's coincidence. The scanners are targeting anyone and everyone with GOOD interconnects, high speeds of minimum 10Mbps to the internet backbone, if you ask my opinion. Bandwidth and speed is relatively cheap in North America compared to the rest of the globe, so I believe North American servers are primary targets. For attacks originating from both UK and France based servers, their service providers have been amazing in shutting down the servers originating the attacks. My 3rd party SIP providers and PRI providers are **ALL** CLECs. Unless an employee within the CLEC doesn't like me - I doubt they would want to waste their valuable resources on a smaller provider for sabotage. Highly unlikely. The reality is that SIP based DDOS is on the rise for one and only one reason... and that is to gain access to the PSTN and make fraudulent calls. As early as this month I have been informed of several thousand dollars of fraudulent calls made to other parts of the globe from a business whose office PBX was compromised because the guru forgot to change the default password on their system. If you have not been looking at or observing your logs, have a look at your logs under /var/log and check auth.log and related log files, along with the Asterisk notice logs. You will be surprised how common this is. We've been in business for 5+ years and we see attacks all the time. We brush it off and ban the IPs because the attacks are not severe and very manageable (at the technical level). When you are being hit by gigabytes and gigabytes of attacks from one source - I am still not worried about entry. Our firewall does its job and does it damn well, using barely a fraction of a percent of CPU...
*** B U T *** what does hurt is if you have 50 gigabytes of attacks on a given day from ONE source and it persists -- well, then it hurts your pocket. I have confirmed that at least 3 other clients who have servers at data centres (both US and Canada) have complained about the same SIP DDOS attacks over the past couple of weeks. I just think it's getting more aggressive and more common than most people are aware of. Hope this helps with some insight.

Cheers!
Reza.

On Mon, Aug 30, 2010 at 11:08 AM, John Lange <[email protected]> wrote:

> Reza, are the four new servers in the same subnet at a facility that has other SIP services?
>
> We have a number of servers deployed across different providers and don't see many hack attempts so I'm wondering if the scanners are targeting areas where they know there is a higher number of Asterisk servers?
>
> Alternatively, I think I'd be suspicious of whoever your 3rd party SIP providers are. Somehow the IP addresses of your servers are quickly becoming known to attackers so there is definitely a weakness someplace.
>
> On the plus side, it seems unlikely that they are able to sniff your traffic because if they could they wouldn't have any need to brute force your passwords.
>
> --
> John Lange
> http://www.johnlange.ca
>
> On Sat, 2010-08-28 at 02:17 -0400, Reza - Asterisk Consultant wrote:
>
>> I've been following some of the hacking posts. To advise - this sort of Asterisk hack attempt and brute force attack (both SSH, but especially SIP 5060) is on the rise. We deployed 4 test servers with unique IP addresses over the past 7 days, with 2 production servers (fortunately with IPTables rules and Fail2Ban implemented). Within literally a couple of hours from the machines going up - we immediately encountered brute force friendly-scanner type SIP attacks.
>>
>> There was one particular IP address, originating from a France dedicated server hosting company (www.ovh.fr), which was causing me about 10 MB of traffic per minute of pure SIP brute force. Most attacks stop after they observe their IP has been banned, but this one was being particularly stubborn. In about 24hrs and after about 10 gigabytes of IPTABLES packet drops from this IP, I picked up the phone, called the hosting company in France and they put a cork on it immediately. I was quite impressed at these guys in France suspending the culprit server after I submitted the logs.
>>
>> In a nutshell - this is what I have:
>>
>> a) ZERO access to anonymous SIP calls.
>> b) Complex alpha-numeric passwords for all SIP end points.
>> c) Complex SSH password with IPTables configured to reject SSH logins from an IP address after the 2nd attempt (for sys admins only)
>> d) Only SIP and SSH services running on my platform
>> e) Fail2Ban / IPTABLES blocking IP addresses for 15 minutes
>> f) Brute force attackers being banned permanently within my IPTables
>> g) China, South America, India and Israel IP address blocks completely banned.
>>
>> My brute force attacks used to rank highest from Israel and then from China. Lately I'm beginning to see more attacks, usually giving up within a few minutes, from West Europe. This one attack from France was the most notorious of all.
>>
>> If you are running one of the GUI variants of Asterisk such as TrixBox, Elastix, ThirdLane and other similar type front-ends, be warned that all default and dictionary word type passwords are hacked within minutes and your server compromised in record time. Before you have your services up and running, ensure that you change your default passwords immediately (otherwise you are asking for it and inviting problems).
>>
>> Having all 4 test servers and 2 production servers experiencing brute force SIP attacks within hours of deployment, I refuse to believe it's coincidence. My conclusion from what I have observed over the past several months is that there are sniffers out there that sniff SIP ports 24/7. Once they find SIP ports open, they brute force attack. If you have firewall / IPTables rules implemented, most give up within minutes.
>>
>> As a rule of thumb, what I am doing at my end is to ensure all my servers have IPTables, Fail2Ban and related protection tools deployed before any voice services are deployed.
>>
>> I would like to hear how you protect your servers.
>>
>> Thank you,
>> Reza.

--
Toronto based VoIP / Asterisk Trainer, I.T. Consultant and Hosted PBX Solutions Provider. +1-647-476-2067. http://www.linkedin.com/in/seminar
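As an added illustration of the log review Reza recommends and of the Fail2Ban-style banning in item e) of his list (this is example code, not part of the thread or of Fail2Ban itself): a small detector that parses Asterisk chan_sip NOTICE lines for failed registrations and flags any source IP that fails three times inside a ten-minute window. The log lines and addresses are constructed, and the line format assumed is the Asterisk 1.6/1.8 chan_sip "Registration from ... failed for ..." notice.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Asterisk chan_sip log lines (not taken from the thread).
# Source addresses are RFC 5737 documentation ranges, chosen for the example.
SAMPLE_LOG = """\
[Aug 28 02:17:01] NOTICE[2210] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.23:5060' - Wrong password
[Aug 28 02:17:02] NOTICE[2210] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.23:5060' - No matching peer found
[Aug 28 02:17:02] NOTICE[2210] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '198.51.100.23:5060' - Wrong password
[Aug 28 02:30:45] NOTICE[2210] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '192.0.2.77:5060' - Wrong password
[Aug 28 03:40:00] NOTICE[2210] chan_sip.c: Registration from '"201" <sip:201@203.0.113.10>' failed for '192.0.2.77:5060' - Wrong password
[Aug 28 03:40:01] VERBOSE[2210] chan_sip.c: -- Registered SIP '300' at 203.0.113.55:5060
"""

# Assumed format: the "Registration from '...' failed for 'IP:port' - reason"
# notice that Asterisk 1.6/1.8 chan_sip writes at the NOTICE log level.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.+)$"
)

def parse_failures(text, year=2010):
    """Yield (timestamp, source_ip, reason) for every failed SIP registration.
    Asterisk omits the year from its timestamps, so the caller supplies it."""
    for line in text.splitlines():
        m = FAILED_REG.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["reason"]

def offenders(text, maxretry=3, findtime_min=10):
    """Fail2ban-style sliding window: return {ip: time_first_flagged} for every
    source that failed at least `maxretry` times within `findtime_min` minutes.
    Both wrong-password and unknown-peer failures count, because friendly-scanner
    style tools produce both while enumerating extensions."""
    findtime = timedelta(minutes=findtime_min)
    recent = defaultdict(list)   # ip -> timestamps still inside the window
    flagged = {}
    for ts, ip, _reason in parse_failures(text):
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"ban candidate {ip} (threshold reached at {when:%H:%M:%S})")
```

In the sample, 198.51.100.23 trips the threshold on its third failure while 192.0.2.77, whose two failures are over an hour apart, does not; widening the window or lowering the retry count changes that, which is exactly the maxretry/findtime trade-off a Fail2Ban jail encodes.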
