It is amazing how organized and quick these scanners are. Over the
last few weeks I've been testing various VPS platforms. I was surprised
at how fast a new IP / machine was discovered and attacks started. Now
these machines have not been set up with any voip services, but the
attacks happen fast.
These are not script kiddies, they are organized bot nets scanning known
ranges of data centres, looking for open services. From what I can tell
they have scanning bots that look for the open services, that then pass
the discovered IPs into an organized bot net for further cracking.
On one server, within 30 minutes there were about 50 SSH attempts from one
IP, which then stopped but restarted from 2 new IPs within 2
minutes, which really cranked up the attempts, so it definitely looked like
it got handed off.
The only reason these attempts got this far is that I got called away during
the setup and had not got fail2ban installed.
I'm finding that about two thirds of the attacks are originating from China;
the balance are from North American, EU and Eastern European origins.
So when deploying a new server, make sure all security measures are in
place before bringing it online, since they are just out there waiting
to pounce!
Mike
On 08/31/2010 1:36 AM, Reza - Asterisk Consultant wrote:
Hello John:
For your clarification - 4 test servers running on 4 IP addresses,
Rogers Cable home, Rogers Cable Business, TekSavvy DSL, and Bell DSL.
These were test servers. So they are not located at the same
facility or a real data centre. Also, machines experiencing SIP brute
force DDOS attacks without even registering to any provider tells me
the scanners are scanning/sniffing open ports.
There are three other high-end production servers located at data
centres with different subnets. I would normally agree with you with
regards to an inside job, but when all 4-7 coins are flipped and land
on the same side - I don't think that's coincidence.
The scanners are targeting anyone and everyone with GOOD interconnects,
high speeds of minimum 10Mbps to the internet backbone, if you ask my
opinion. Bandwidth and speed are relatively cheap in North America
compared to the rest of the globe, so I believe North American servers
are primary targets. For attacks originating from both UK- and France-
based servers, their service providers have been amazing in shutting
down the servers originating the attacks.
My 3rd Party SIP Providers and PRI providers are **ALL** CLECs.
Unless an employee within the CLEC doesn't like me - I doubt they
would want to waste their valuable resources on a smaller provider for
sabotage. Highly unlikely.
The reality is that SIP based DDOS is on the rise for the one and only
one reason... and that is to gain access to the PSTN and make
fraudulent calls. As early as this month I have been informed of
several thousand dollars of fraudulent calls made to other parts of
the globe from a business whose office PBX was compromised because the
guru forgot to change the default password on their system.
If you have not been looking or observing your logs, have a look at
your logs under /var/log and check the auth.log and related log files,
along with Asterisk notice logs. You will be surprised how common
this is. We've been in business for 5+ years and we see attacks all
the time. We brush it off and ban the IPs because the attacks are not
severe and very manageable (at the technical level).
When you are being hit by gigabytes and gigabytes of attacks from
one source - I am still not worried about entry. Our firewall does
its job and does it damn well, barely using less than a fraction of a
percent of CPU usage... *** B U T *** what does hurt is if you have
50 gigabytes of attacks on a given day from ONE source and it
persists -- well, then it hurts your pocket.
I have confirmed that at least 3 other clients who have servers at data
centres (both US and Canada) have complained about the same SIP DDOS
attacks over the past couple of weeks. I just think it's getting more
aggressive and more common than most people are aware of.
Hope this helps with some insight.
Cheers!
Reza.
On Mon, Aug 30, 2010 at 11:08 AM, John Lange<[email protected]> wrote:
Reza, are the four new servers in the same subnet at a facility that has
other SIP services?
We have a number of servers deployed across different providers and
don't see many hack attempts so I'm wondering if the scanners are
targeting areas where they know there is a higher number of Asterisk
servers?
Alternatively, I think I'd be suspicious of whoever your 3rd party SIP
providers are. Somehow the IP addresses of your servers are quickly
becoming known to attackers so there is definitely a weakness someplace.
On the plus side, it seems unlikely that they are able to sniff your
traffic because if they could they wouldn't have any need to brute force
your passwords.
--
John Lange
http://www.johnlange.ca
On Sat, 2010-08-28 at 02:17 -0400, Reza - Asterisk Consultant wrote:
I've been following some of the hacking posts. To advise - this sort
of Asterisk hack attempt and brute force attack (both SSH, but
especially SIP 5060) is on the rise. We deployed 4 test servers with
unique IP addresses over the past 7 days, with 2 production servers
(fortunately with iptables rules and Fail2Ban implemented). Within
literally a couple of hours from the machines going up - we immediately
encountered brute force friendly-scanner type SIP attacks.
There was one particular IP address, originating from a French dedicated
server hosting company (www.ovh.fr), which was causing me about 10 MB
of traffic per minute of pure SIP brute force. Most attacks stop
after they observe their IP has been banned, but this one was being
particularly stubborn. In about 24hrs and after about 10 gigabytes
of iptables packet drops from this IP, I picked up the phone, called
the hosting company in France and they put a cork on it immediately.
I was quite impressed at these guys in France suspending the culprit
server after submitting the logs.
In a nutshell - this is what I have:
a) ZERO access to anonymous SIP calls.
b) Complex alpha-numeric passwords for all SIP end points.
c) Complex SSH password with IP-Tables configured to reject SSH
logins from IP address after 2nd attempt (for sys admins only)
d) Only SIP and SSH service running on my platform
e) Fail2Ban / IP TABLES blocking IP address for 15 minutes
f) Brute force attackers being banned permanently within my IP tables
g) China, South America, India and Israel IP address blocks completely banned.
My brute force attacks used to rank highest from Israel and then from
China. Lately I'm beginning to see more attacks, usually giving up
within few minutes, from West Europe. This one attack from France was
the most notorious of all.
If you are running one of the GUI variants of Asterisk such as TrixBox,
Elastix, ThirdLane and other similar type front-ends, be warned that
all default and dictionary word type passwords are hacked within
minutes and your server compromised in record time. Before you have
your services up and running, ensure that you change your default
passwords immediately (otherwise you are asking for it and inviting
problems).
Having all 4 test servers and 2 production servers experiencing brute
force SIP attacks within hours of deployment, I refuse to believe it's
coincidence. My conclusion from what I have observed over the past
several months is that there are sniffers out there that sniff
SIP ports 24/7. Once they find SIP ports open, they brute force attack.
If you have firewall / iptables rules implemented, most give up
within minutes.
As a rule of thumb, what I am doing at my end is to ensure all my
servers have IP Tables, Fail2Ban and related protection tools deployed
before any voice services are deployed.
I would like to hear how you protect your servers.
Thank you,
Reza.
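As an added illustration of the fail2ban / iptables approach that both Mike and Reza describe (example code written for this page, not anything posted in the thread): it parses constructed Asterisk registration-failure and sshd auth.log lines, pools the failures per source IP, applies a fail2ban-style findtime/maxretry window, and renders the drop rules. The log formats, IPs and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the thread): Asterisk chan_sip
# NOTICE entries for failed registrations, and sshd entries from auth.log.
ASTERISK_LOG = """\
[Aug 30 10:01:02] NOTICE[1234] chan_sip.c: Registration from '"100"<sip:100@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[Aug 30 10:01:03] NOTICE[1234] chan_sip.c: Registration from '"101"<sip:101@203.0.113.5>' failed for '198.51.100.7:5060' - No matching peer found
[Aug 30 10:01:04] NOTICE[1234] chan_sip.c: Registration from '"102"<sip:102@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[Aug 30 10:20:00] NOTICE[1234] chan_sip.c: Registration from '"200"<sip:200@203.0.113.5>' failed for '192.0.2.9' - Wrong password
"""
AUTH_LOG = """\
Aug 30 10:02:10 pbx sshd[2001]: Failed password for root from 198.51.100.7 port 40120 ssh2
Aug 30 10:02:11 pbx sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 40121 ssh2
Aug 30 10:30:00 pbx sshd[2003]: Failed password for root from 192.0.2.9 port 40122 ssh2
"""

# The port after the IP is optional: Asterisk versions differ on whether it is logged.
SIP_RE = re.compile(r"^\[(\w{3} +\d+ [\d:]+)\] NOTICE.*Registration from .* failed for '([\d.]+)(?::\d+)?'")
SSH_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Failed password for .* from ([\d.]+) port")

def parse_failures(text, pattern, year=2010):
    """Yield (timestamp, source_ip) for every line matching a failed-auth pattern."""
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def ban_decisions(events, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: ban an IP once it has maxretry failures inside a sliding findtime window.
    Events from both logs are pooled, so SIP and SSH failures from one host count together."""
    recent = defaultdict(list)
    banned = {}  # ip -> time of the failure that triggered the ban
    for ts, ip in sorted(events):
        if ip in banned:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts
    return banned

def iptables_rules(banned):
    """Render the drop rules an admin would apply (or hand to fail2ban's ban action)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]

if __name__ == "__main__":
    events = list(parse_failures(ASTERISK_LOG, SIP_RE)) + list(parse_failures(AUTH_LOG, SSH_RE))
    for ip, when in ban_decisions(events).items():
        print(f"{ip} banned at {when}")
    print("\n".join(iptables_rules(ban_decisions(events))))
```

With the default threshold only 198.51.100.7 is banned; lowering maxretry to 2 also catches 192.0.2.9, whose single SIP and single SSH failure fall inside one window.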
--
Mike Ashton
Quality Track International
Work: +1 647 724 3500 x251
Cell: +1 416 527 4995