I've also been seeing a large increase in attacks across many different networks over the past few days.
There was a thread about these types of brute force attacks earlier in the year, and as a response I created a distributed network intrusion reporting system (www.crowdsecure.net) that supports SIP and a bunch of other protocols. There is a fail2ban action script on the site that allows you to report these attacks as they happen, and if you do, others can block the offending hosts before they even try to connect. The project is still in the early phases but there are a number of hosts already reporting attacks and the system is generating a small but useful list of hosts you can easily export and apply rules to. If more users sign up to support and use a system like crowdsecure we can stop these attacks faster and hopefully before one of them finds a weakness in someone's dialplan or SIP passwords...

On Sun, Oct 31, 2010 at 6:12 PM, Andrew Kohlsmith (mailing lists account) <[email protected]> wrote:
> On Sunday, October 31, 2010 12:33:44 pm saurin ajmeri wrote:
>> Just wondering if anybody else is experiencing increasing attacks on
>> asterisk since last Friday. So far I got almost 700 attempts and Fail2ban
>> has banned those IPs. It's a mix attack from all over the place, mostly from
>> telecoms companies from the Middle East, UK, France and Russia.
>
> I've been using fail2ban for the past few weeks now (finally got around to
> setting it up) and my usual ban traffic is about 3 a day. There wasn't any
> difference from weekday to weekend.
>
> Like you, I have seen *significantly* increased traffic this weekend. There
> doesn't appear to be any intelligence behind it (i.e. they're all hitting the
> same 30-40 accounts before fail2ban drops them) so I'm not overly worried, but
> it is a pain in the ass.
>
> But yes, I've blocked about 350 unique IPs since Friday evening. Glad I'm not
> the only one. :-)
>
> -A.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
