Re: [OT] To people with VoIP SIP Clients (twinkle, etc), friendly-scanner DOS attack
Patrick Lists wrote:
> On 10/15/2010 12:56 AM, Rick Sewill wrote:
>> [snip]
>>> Would you mind sharing which networks your attacks came from?
>>
>> I hesitate to answer, but will.
>>
>> The people who own 67.222.1.124 and 184.106.213.202 were very cooperative and interested.
>>
>> The Chinese IP address was 218.14.146.200. I could connect to 218.14.146.200 port 80 and saw, what I thought, was a Chinese job website... I don't know Chinese. I apologize if the website is not Chinese.
>>
>> The attack packets had a user agent name of friendly-scanner. I assumed it was a version of something found at http://blog.sipvicious.org/
>> I assume it was looking for an asterisk server. Unfortunately, my twinkle client decided to reply.
>>
>> I tried looking for a twinkle configuration option to tell twinkle to just ignore REGISTER requests, to no avail.
>
> It seems to be sipvicious although headers can be forged. The site looks Chinese to my untrained eyes too.
>
> I searched on the Twinkle website but couldn't find a way to ignore register requests. I don't know if other clients also respond to register requests so can't recommend any alternatives.

Bottom of the website says, in English, China Telecom. :m)

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Re: [OT] To people with VoIP SIP Clients (twinkle, etc), friendly-scanner DOS attack
On 15 October 2010 02:31, JD jd1...@gmail.com wrote:
> Try to use www.arin.net
> You will see that arin.net will not tell you to which network (such as APNIC) it belongs.
> Very mysterious :)

s...@samlap:~$ whois 218.14.146.200
% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      218.14.146.192 - 218.14.146.221
netname:      jiangmendianxinfengongsihaobaix
descr:        jiangmenshihuanshiyilu2hao
country:      CN
admin-c:      JM-AP
tech-c:       IC83-AP
mnt-by:       MAINT-CHINANET-GD
changed:      gdtel_ip...@163.com 20091210
status:       Allocated non-portable
source:       APNIC

person:       JIANGMEN WANJIAN
address:      No.2, Huan Shi Yi Road, Jiangmen, China
country:      CN
phone:        +86-750-3280600
e-mail:       ip...@gddc.com.cn
remarks:      IPMASTER is not for spam complaint,please send spam complaint to ab...@gddc.com.cn
nic-hdl:      JM-AP
mnt-by:       MAINT-CHINANET-GD
changed:      chen...@gsta.com 20080328
source:       APNIC

person:       IPMASTER CHINANET-GD
nic-hdl:      IC83-AP
e-mail:       ip...@gddc.com.cn
address:      NO.1,RO.DONGYUANHENG,YUEXIUNAN,GUANGZHOU
phone:        +86-20-83877223
fax-no:       +86-20-83877223
country:      CN
changed:      ip...@gddc.com.cn 20040902
mnt-by:       MAINT-CHINANET-GD
remarks:      IPMASTER is not for spam complaint,please send spam complaint to ab...@gddc.com.cn
source:       APNIC

Not particularly hard or particularly mysterious

--
Sam
[OT] To people with VoIP SIP Clients (twinkle, etc), friendly-scanner DOS attack
This is off topic, but I thought I should tell people.

This past weekend, I suffered a DOS attack launched against VOIP SIP Clients. The attack came, at different times, from 3 separate IP addresses. I blocked the IP addresses using IP Tables when I discovered it.

The attack was a bombardment of several hundred SIP REGISTER requests, per second, with a user agent of friendly-scanner. The attack was a sustained attack over three days.

I contacted my ISP. They told me they have taken steps. I contacted 2 of the 3 owners of the offending IP addresses. The third owner of the IP address was a job site address in China, and I couldn't figure out how to contact them.

In my case, I run the VOIP SIP program, twinkle. Twinkle started consuming vast amounts of memory, going from a normal 5 MiB usage to 500-600 MiB usage, before I realized what was happening. Twinkle attempted to respond to each incoming packet with an outgoing SIP error packet. I posted a message on the yahoo group used by twinkle asking what they could do to better handle such an attack.

If you suddenly seem to have memory problems, I suggest running something like System Monitor to find out what applications have memory. I'd also be on the lookout for unexpectedly high internet traffic.

This message is off-topic, because it is not specific to Fedora. I thought it wouldn't hurt to let people know of this type of attack. I hope people don't object to this off-topic post.
Re: [OT] To people with VoIP SIP Clients (twinkle, etc), friendly-scanner DOS attack
On 10/14/2010 09:29 PM, Rick Sewill wrote:
> This is off topic, but I thought I should tell people.
>
> This past weekend, I suffered a DOS attack launched against VOIP SIP Clients. The attack came, at different times, from 3 separate IP addresses.

I don't see why you would want to attack a VoIP client. Maybe the dark side knows something I don't.

Recently I have seen an increase in brute force register attacks from Chinese networks. But that was on Asterisk servers. I had to block the following networks from which most attacks originated:

60.0.0.0/255.248.0.0
60.8.0.0/255.254.0.0
60.10.0.0/255.255.0.0

Most other attacks came from the US, France and Brazil. Installing fail2ban may help where a single IP tries to brute force itself into a SIP server. But that does not apply to a VoIP client.

Would you mind sharing which networks your attacks came from?

Regards,
Patrick
Re: [OT] To people with VoIP SIP Clients (twinkle, etc), friendly-scanner DOS attack
Rick Sewill rsew...@gmail.com wrote:
> This is off topic, but I thought I should tell people.

Can these clients be run on Fedora? Also this attack may target more than just VOIP SIP clients.

Thank you for the warning.

James McKenzie
Re: [OT] To people with VoIP SIP Clients (twinkle, etc), friendly-scanner DOS attack
On 10/14/2010 10:03 PM, James Mckenzie wrote:
> Rick Sewill rsew...@gmail.com wrote:
>> This is off topic, but I thought I should tell people.
>
> Can these clients be run on Fedora?

Well twinkle is available on F13:

$ yum info twinkle
Loaded plugins: presto, refresh-packagekit
Available Packages
Name        : twinkle
Arch        : x86_64
Version     : 1.4.2
Release     : 5.fc13
Size        : 1.3 M
Repo        : fedora
Summary     : A SIP Soft Phone
URL         : http://www.twinklephone.com
License     : GPLv2+
Description : Twinkle is a SIP based soft phone for making telephone calls over
            : IP networks.

Other clients are Ekiga, Linphone and Sip Communicator and they all run on Linux.

Regards,
Patrick
Re: [OT] To people with VoIP SIP Clients (twinkle, etc), friendly-scanner DOS attack
Rick Sewill rsew...@gmail.com writes:
> This past weekend, I suffered a DOS attack launched against VOIP SIP Clients. The attack came, at different times, from 3 separate IP addresses.

I'm seeing a vast increase in attempted SIP registers too. Asterisk (f13 more or less stock via yum) seems to handle the onslaught well enough, other than filling up the logs with pages and pages of failed requests.

Anyone that isn't using computer generated, large passwords for their SIP registrations is probably experiencing the joys of someone running up their phone bills with their VOIP/POTS gateway service.

I'll probably start blocking all incoming SIP (both UDP and TCP) except from known peers and clients. Luckily I don't have any dynamic SIP clients that roam the net at large.

-wolfgang
--
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/ (IPv6-only)
Re: [OT] To people with VoIP SIP Clients (twinkle, etc), friendly-scanner DOS attack
On 10/14/2010 02:58 PM, Patrick Lists wrote:
> On 10/14/2010 09:29 PM, Rick Sewill wrote:
>> This is off topic, but I thought I should tell people.
>>
>> This past weekend, I suffered a DOS attack launched against VOIP SIP Clients. The attack came, at different times, from 3 separate IP addresses.
>
> I don't see why you would want to attack a VoIP client. Maybe the dark side knows something I don't.
>
> Recently I have seen an increase in brute force register attacks from Chinese networks. But that was on Asterisk servers. I had to block the following networks from which most attacks originated:
>
> 60.0.0.0/255.248.0.0
> 60.8.0.0/255.254.0.0
> 60.10.0.0/255.255.0.0
>
> Most other attacks came from the US, France and Brazil. Installing fail2ban may help where a single IP tries to brute force itself into a SIP server. But that does not apply to a VoIP client.
>
> Would you mind sharing which networks your attacks came from?

I hesitate to answer, but will.

The people who own 67.222.1.124 and 184.106.213.202 were very cooperative and interested.

The Chinese IP address was 218.14.146.200. I could connect to 218.14.146.200 port 80 and saw, what I thought, was a Chinese job website... I don't know Chinese. I apologize if the website is not Chinese.

The attack packets had a user agent name of friendly-scanner. I assumed it was a version of something found at http://blog.sipvicious.org/
I assume it was looking for an asterisk server. Unfortunately, my twinkle client decided to reply.

I tried looking for a twinkle configuration option to tell twinkle to just ignore REGISTER requests, to no avail.

A snippet of the twinkle log looked like the following:

+++ 12-10-2010 09:12:24.764991 INFO SIP ::process_sip_msg
Received from: udp:67.222.1.124:5092
REGISTER sip:24.111.191.152 SIP/2.0
Via: SIP/2.0/UDP 67.222.1.124:5092;branch=z9hG4bK-1019189801;rport
Content-Length: 0
From: 2299812582 <sip:2299812...@24.111.191.152>
Accept: application/sdp
User-Agent: friendly-scanner
To: 2299812582 <sip:2299812...@24.111.191.152>
Contact: sip:1...@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 1066778109
Max-Forwards: 70
---
+++ 12-10-2010 09:12:24.769299 INFO SIP ::send_sip_udp
Send to: udp:218.14.146.200:5069
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 127.0.0.1:5069;received=218.14.146.200;rport=5069;branch=z9hG4bK-1124511546
To: 3096784503 <sip:3096784...@24.111.191.152>;tag=gusmt
From: 3096784503 <sip:3096784...@24.111.191.152>
Call-ID: 497952175
CSeq: 1 REGISTER
Server: Twinkle/1.4.2
Content-Length: 0
---
+++ 12-10-2010 09:12:24.770028 INFO SIP ::send_sip_udp
Send to: udp:218.14.146.200:5069
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 127.0.0.1:5069;received=218.14.146.200;rport=5069;branch=z9hG4bK-404923090
To: 3096784503 <sip:3096784...@24.111.191.152>;tag=yrkuk
From: 3096784503 <sip:3096784...@24.111.191.152>
Call-ID: 1619872740
CSeq: 1 REGISTER
Server: Twinkle/1.4.2
Content-Length: 0
---
+++ 12-10-2010 09:12:24.770475 INFO SIP ::process_sip_msg
Received from: udp:67.222.1.124:5092
REGISTER sip:24.111.191.152 SIP/2.0
Via: SIP/2.0/UDP 67.222.1.124:5092;branch=z9hG4bK-4261809208;rport
Content-Length: 0
From: 2299812582 <sip:2299812...@24.111.191.152>
Accept: application/sdp
User-Agent: friendly-scanner
To: 2299812582 <sip:2299812...@24.111.191.152>
Contact: sip:1...@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 2728516634
Max-Forwards: 70
---
+++ 12-10-2010 09:12:24.771846 INFO SIP ::process_sip_msg
Received from: udp:218.14.146.200:5069
REGISTER sip:24.111.191.152 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-2590771448;rport
Content-Length: 0
From: 3096784503 <sip:3096784...@24.111.191.152>
Accept: application/sdp
User-Agent: friendly-scanner
To: 3096784503 <sip:3096784...@24.111.191.152>
Contact: sip:1...@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 3719869292
Max-Forwards: 70
---
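Since Twinkle offered no option to ignore REGISTER requests, the practical defence in the thread was to spot the flood in the log and block the sources with iptables. The script below is an added example (not Twinkle's or SIPVicious' code) that parses entries in the layout of the log above, reports per-source REGISTER rates and User-Agent values, and counts requests whose Via host disagrees with the real source, as the 127.0.0.1 Via did in the log; the sample log, its RFC 5737 addresses and the 10-per-second threshold are constructed.

```python
"""Flag SIP REGISTER floods in a Twinkle-style SIP log (added example, not
Twinkle's code). Entry layout follows the thread's snippet: '+++ dd-mm-yyyy
hh:mm:ss.ffffff INFO SIP ::<handler>', then 'Received from: udp:<ip>:<port>'
(or 'Send to:'), the SIP start line, the headers, and a '---' separator. The
sample data (RFC 5737 addresses) and the 10/s threshold are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

ENTRY_RE = re.compile(r"^\+\+\+ (\S+ \S+) INFO SIP ::\w+$")
PEER_RE = re.compile(r"^(Received from|Send to): udp:([\d.]+):\d+$")
VIA_RE = re.compile(r"^SIP/2\.0/UDP ([\d.]+)")

def parse_log(text):
    """One dict per entry: ts, direction ('in'/'out'), peer IP, start line, headers."""
    entries = []
    for block in text.split("---"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        head = ENTRY_RE.match(lines[0]) if len(lines) >= 3 else None
        peer = PEER_RE.match(lines[1]) if head else None
        if not peer:
            continue  # blank tail of the split, or not a log entry at all
        headers = dict((k.strip().lower(), v.strip())
                       for k, _, v in (ln.partition(":") for ln in lines[3:]))
        entries.append({"ts": datetime.strptime(head.group(1), "%d-%m-%Y %H:%M:%S.%f"),
                        "direction": "in" if peer.group(1) == "Received from" else "out",
                        "peer": peer.group(2), "start": lines[2], "headers": headers})
    return entries

def register_floods(entries, per_second=10):
    """Sources whose inbound REGISTERs in any one-second bucket reach per_second,
    with their User-Agent values and the number of requests whose Via host
    differs from the real source (the thread's probes claimed Via 127.0.0.1)."""
    per_sec, agents, via_mismatch = defaultdict(Counter), defaultdict(set), Counter()
    for e in entries:
        if e["direction"] != "in" or not e["start"].startswith("REGISTER "):
            continue
        ip = e["peer"]
        per_sec[ip][e["ts"].replace(microsecond=0)] += 1
        agents[ip].add(e["headers"].get("user-agent", "(none)"))
        via = VIA_RE.match(e["headers"].get("via", ""))
        if via and via.group(1) != ip:
            via_mismatch[ip] += 1
    return {ip: {"total": sum(c.values()), "peak_per_second": max(c.values()),
                 "user_agents": sorted(agents[ip]), "via_mismatch": via_mismatch[ip]}
            for ip, c in per_sec.items() if max(c.values()) >= per_second}

ENTRY = """+++ 12-10-2010 09:12:24.{us:06d} INFO SIP ::process_sip_msg
Received from: udp:{ip}:5092
REGISTER sip:203.0.113.9 SIP/2.0
Via: SIP/2.0/UDP {via}:5092;branch=z9hG4bK-{n};rport
User-Agent: {ua}
Call-ID: {n}
---
"""

def build_sample_log():
    """Constructed: 12 scanner REGISTERs inside one second (Via claims 127.0.0.1)
    plus one ordinary REGISTER from another host."""
    probes = [ENTRY.format(us=764991 + 400 * n, ip="198.51.100.7", via="127.0.0.1",
                           n=n, ua="friendly-scanner") for n in range(12)]
    return "".join(probes) + ENTRY.format(us=900000, ip="192.0.2.44",
                                          via="192.0.2.44", n=99, ua="Twinkle/1.4.2")
```

Feeding a real Twinkle log through parse_log and register_floods yields the source addresses to hand to iptables or to an abuse contact; the Via mismatch count is a hint that the sender is spoofing or NAT'd, so the Via host should not be trusted for blocking.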
Re: [OT] To people with VoIP SIP Clients (twinkle, etc), friendly-scanner DOS attack
On 10/14/2010 03:56 PM, Rick Sewill wrote:
> On 10/14/2010 02:58 PM, Patrick Lists wrote:
>> On 10/14/2010 09:29 PM, Rick Sewill wrote:
>>> This is off topic, but I thought I should tell people.
>>>
>>> This past weekend, I suffered a DOS attack launched against VOIP SIP Clients. The attack came, at different times, from 3 separate IP addresses.
>>
>> I don't see why you would want to attack a VoIP client. Maybe the dark side knows something I don't.
>>
>> Recently I have seen an increase in brute force register attacks from Chinese networks. But that was on Asterisk servers. I had to block the following networks from which most attacks originated:
>>
>> 60.0.0.0/255.248.0.0
>> 60.8.0.0/255.254.0.0
>> 60.10.0.0/255.255.0.0
>>
>> Most other attacks came from the US, France and Brazil. Installing fail2ban may help where a single IP tries to brute force itself into a SIP server. But that does not apply to a VoIP client.
>>
>> Would you mind sharing which networks your attacks came from?
>
> I hesitate to answer, but will.
>
> The people who own 67.222.1.124 and 184.106.213.202 were very cooperative and interested.
>
> The Chinese IP address was 218.14.146.200. I could connect to 218.14.146.200 port 80 and saw, what I thought, was a Chinese job website... I don't know Chinese. I apologize if the website is not Chinese.
>
> The attack packets had a user agent name of friendly-scanner. I assumed it was a version of something found at http://blog.sipvicious.org/
> I assume it was looking for an asterisk server. Unfortunately, my twinkle client decided to reply.
>
> I tried looking for a twinkle configuration option to tell twinkle to just ignore REGISTER requests, to no avail.
>
> A snippet of the twinkle log looked like the following:
>
> +++ 12-10-2010 09:12:24.764991 INFO SIP ::process_sip_msg
> Received from: udp:67.222.1.124:5092
> REGISTER sip:24.111.191.152 SIP/2.0
> Via: SIP/2.0/UDP 67.222.1.124:5092;branch=z9hG4bK-1019189801;rport
> Content-Length: 0
> From: 2299812582 <sip:2299812...@24.111.191.152>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: 2299812582 <sip:2299812...@24.111.191.152>
> Contact: sip:1...@1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 1066778109
> Max-Forwards: 70
> ---
> +++ 12-10-2010 09:12:24.769299 INFO SIP ::send_sip_udp
> Send to: udp:218.14.146.200:5069
> SIP/2.0 403 Forbidden
> Via: SIP/2.0/UDP 127.0.0.1:5069;received=218.14.146.200;rport=5069;branch=z9hG4bK-1124511546
> To: 3096784503 <sip:3096784...@24.111.191.152>;tag=gusmt
> From: 3096784503 <sip:3096784...@24.111.191.152>
> Call-ID: 497952175
> CSeq: 1 REGISTER
> Server: Twinkle/1.4.2
> Content-Length: 0
> ---
> +++ 12-10-2010 09:12:24.770028 INFO SIP ::send_sip_udp
> Send to: udp:218.14.146.200:5069
> SIP/2.0 403 Forbidden
> Via: SIP/2.0/UDP 127.0.0.1:5069;received=218.14.146.200;rport=5069;branch=z9hG4bK-404923090
> To: 3096784503 <sip:3096784...@24.111.191.152>;tag=yrkuk
> From: 3096784503 <sip:3096784...@24.111.191.152>
> Call-ID: 1619872740
> CSeq: 1 REGISTER
> Server: Twinkle/1.4.2
> Content-Length: 0
> ---
> +++ 12-10-2010 09:12:24.770475 INFO SIP ::process_sip_msg
> Received from: udp:67.222.1.124:5092
> REGISTER sip:24.111.191.152 SIP/2.0
> Via: SIP/2.0/UDP 67.222.1.124:5092;branch=z9hG4bK-4261809208;rport
> Content-Length: 0
> From: 2299812582 <sip:2299812...@24.111.191.152>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: 2299812582 <sip:2299812...@24.111.191.152>
> Contact: sip:1...@1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 2728516634
> Max-Forwards: 70
> ---
> +++ 12-10-2010 09:12:24.771846 INFO SIP ::process_sip_msg
> Received from: udp:218.14.146.200:5069
> REGISTER sip:24.111.191.152 SIP/2.0
> Via: SIP/2.0/UDP 127.0.0.1:5069;branch=z9hG4bK-2590771448;rport
> Content-Length: 0
> From: 3096784503 <sip:3096784...@24.111.191.152>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: 3096784503 <sip:3096784...@24.111.191.152>
> Contact: sip:1...@1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 3719869292
> Max-Forwards: 70
> ---

I have a Netgear SPH200D Skype phone connected to my firewalled router. I have to reboot SPH200D almost every other day because of hacks that bring it down. I have no idea where the hacks are coming from because I cannot login/telnet/ssh into SPH200D because it refuses these connection reqs.
Re: [OT] To people with VoIP SIP Clients (twinkle, etc), friendly-scanner DOS attack
On 10/15/2010 12:56 AM, Rick Sewill wrote:
> [snip]
>> Would you mind sharing which networks your attacks came from?
>
> I hesitate to answer, but will.
>
> The people who own 67.222.1.124 and 184.106.213.202 were very cooperative and interested.
>
> The Chinese IP address was 218.14.146.200. I could connect to 218.14.146.200 port 80 and saw, what I thought, was a Chinese job website... I don't know Chinese. I apologize if the website is not Chinese.
>
> The attack packets had a user agent name of friendly-scanner. I assumed it was a version of something found at http://blog.sipvicious.org/
> I assume it was looking for an asterisk server. Unfortunately, my twinkle client decided to reply.
>
> I tried looking for a twinkle configuration option to tell twinkle to just ignore REGISTER requests, to no avail.

It seems to be sipvicious although headers can be forged. The site looks Chinese to my untrained eyes too.

I searched on the Twinkle website but couldn't find a way to ignore register requests. I don't know if other clients also respond to register requests so can't recommend any alternatives.

Regards,
Patrick
Re: [OT] To people with VoIP SIP Clients (twinkle, etc), friendly-scanner DOS attack
On 10/14/2010 06:21 PM, Patrick Lists wrote:
> On 10/15/2010 12:56 AM, Rick Sewill wrote:
>> [snip]
>>> Would you mind sharing which networks your attacks came from?
>>
>> I hesitate to answer, but will.
>>
>> The people who own 67.222.1.124 and 184.106.213.202 were very cooperative and interested.
>>
>> The Chinese IP address was 218.14.146.200. I could connect to 218.14.146.200 port 80 and saw, what I thought, was a Chinese job website... I don't know Chinese. I apologize if the website is not Chinese.
>>
>> The attack packets had a user agent name of friendly-scanner. I assumed it was a version of something found at http://blog.sipvicious.org/
>> I assume it was looking for an asterisk server. Unfortunately, my twinkle client decided to reply.
>>
>> I tried looking for a twinkle configuration option to tell twinkle to just ignore REGISTER requests, to no avail.
>
> It seems to be sipvicious although headers can be forged. The site looks Chinese to my untrained eyes too.
>
> I searched on the Twinkle website but couldn't find a way to ignore register requests. I don't know if other clients also respond to register requests so can't recommend any alternatives.
>
> Regards,
> Patrick

Try to use www.arin.net
You will see that arin.net will not tell you to which network (such as APNIC) it belongs.
Very mysterious :)