Just a "heads-up" ... my home asterisk server is being flooded by someone
from IP 184.73.17.150 which is an Amazon EC2 instance by the looks of it -
they're trying to send SIP subscribes to one account - and they're
flooding the requests in - it's averaging some 600Kbits/sec of incoming
UDP da
Its a good idea tos setup Fail2ban, instructions for which are on
voip-info.org. It at least blocks such IP addresses, hopefully prompting the
attackers to move their attack somewhere else and leave you alone.
Another good idea is to lookup in whois database this IP address and see if
you can find
On Sat, 10 Apr 2010 22:34:28 +0100 (BST), Gordon Henderson
wrote:
>
>Just a "heads-up" ... my home asterisk server is being flooded by someone
>from IP 184.73.17.150 which is an Amazon EC2 instance by the looks of it -
>they're trying to send SIP subscribes to one account - and they're
>floodi
On Sun, 11 Apr 2010, David Quinton wrote:
> On Sat, 10 Apr 2010 22:34:28 +0100 (BST), Gordon Henderson
> wrote:
>
>> Just a "heads-up" ... my home asterisk server is being flooded by someone
>> from IP 184.73.17.150 which is an Amazon EC2 instance by the looks of it -
>> they're trying to send SI
On Sun, 11 Apr 2010 08:09:02 +0100 (BST), Gordon Henderson
wrote:
>
>> Look what they did to my latency, Gordon:-
>> http://f8lure.mouselike.org/archived_graphs/westek.bizorg.co.uk_day10.png
>
>Oddly enough my latency wasn't being affected at all - however what I was
>seeing was my ADSL router b
- Original Message -
> On Sun, 11 Apr 2010, David Quinton wrote:
>
> > On Sat, 10 Apr 2010 22:34:28 +0100 (BST), Gordon Henderson
> > wrote:
> >
> >> Just a "heads-up" ... my home asterisk server is being flooded by
> >> someone from IP 184.73.17.150 which is an Amazon EC2 instance by
> >
Gordon Henderson a écrit :
> Just a "heads-up" ... my home asterisk server is being flooded by someone
> from IP 184.73.17.150 which is an Amazon EC2 instance by the looks of it -
> they're trying to send SIP subscribes to one account - and they're
> flooding the requests in - it's averaging som
On Sun, 11 Apr 2010, --[ UxBoD ]-- wrote:
> In the end I set up OSSEC (http://www.ossec.net) and wrote a rule that
> would monitor for failed SIP registrations. If a few occurred within a
> short space of time the Active Response kicks in and blocks the IP
> address using IPTables. -- Thanks, P
My experience is that as long as the hackers are getting any kind of
response from your server, they'll keep their attack on, in a hope that
they'll get into your system sooner or later. After all it is just some
computers doing the work for them, no human is phycally getting tired here.
This is wh
On Sun, 11 Apr 2010, Zeeshan Zakaria wrote:
> My experience is that as long as the hackers are getting any kind of
> response from your server, they'll keep their attack on, in a hope that
> they'll get into your system sooner or later. After all it is just some
> computers doing the work for them
Hello to everyone!
Same here (Vienna, Austria).
I had this attack yesterday 6am (local time) from IP 216.105.128.63
whois 216.105.128.63 returns:
OrgName:Globalvision
OrgID: ACSIN-3
Address:78 Global Drive
Address:Suite 101
City: Greenville
StateProv: SC
PostalCode: 2960
Hi!
> My phones (SNOMs) all are on the same LAN within a 192.168.X.X adress
> range. I wonder if everything would become a little bit more secure if
> define them with "host=192.168.X.X" in sip.conf instead of
> "host=dynamic". I tried it as a quick shot but it didn't work as they
> still try to r
I don't k know if there is a tool to sniff passwords, but did you check in
/va/log/asterisk/full? Maybe wireshark can be used for this purpose, but
it'll be not that straight forward.
Interestingly I checked log of my server and found out that I was also under
attack yesterday by an Amazon cloud s
On Apr 11, 2010, at 10:06 AM, Zeeshan Zakaria wrote:
> I don't k know if there is a tool to sniff passwords, but did you check in
> /va/log/asterisk/full? Maybe wireshark can be used for this purpose, but
> it'll be not that straight forward.
>
> Interestingly I checked log of my server and fou
--[ UxBoD ]-- splatnix.net> writes:
>
> - Original Message -
> > On Sun, 11 Apr 2010, David Quinton wrote:
> >
> > > On Sat, 10 Apr 2010 22:34:28 +0100 (BST), Gordon Henderson
> > > drogon.net> wrote:
> > >
> > >> Just a "heads-up" ... my home asterisk server is being flooded by
> > >>
>Its a good idea tos setup Fail2ban, instructions for which are on
>voip-info.org. It at least blocks such IP addresses, hopefully prompting the
>attackers to move their >attack somewhere else and leave you alone.
I personally use Fail2ban, it works but wont keep you from flooding your line.
My
I always report at least. This is still better than not bringing it to their
attention. I once worked in the NOC of a big data centre of a major ISP, and
we often get calls regarding IPs from our data centers involved in spams and
hacks, but unless there were a number of complaints, nobody had time
Am 11.04.2010 17:05, schrieb Mark Smith:
> Same this end from 184.73.17.150.
> Use this little piece of iptables magic to block the whole of Amazon's EC2 ip-
> range.
>
> iptables -F
> iptables -A INPUT -m iprange --src-range 216.182.224.0-216.182.239.255 -j DROP
> iptables -A INPUT -m iprange --sr
: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Norbert Zawodsky
Sent: 11 April 2010 20:57
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Being attacked by an Amazon EC2 ...
Am 11.04.2010 17:05, schrieb Mark Smith:
> Same
Norbert Zawodsky zawodsky.at> writes:
>
> Am 11.04.2010 17:05, schrieb Mark Smith:
> > Same this end from 184.73.17.150.
> > Use this little piece of iptables magic to block the whole of Amazon's EC2
ip-
> > range.
> >
> > iptables -F
> > iptables -A INPUT -m iprange --src-range 216.182.224.0-2
FWIW, we're seeing similar attacks. The below is what I posted on NANOG
earlier, which summarizes Amazon's stellar abuse response. I've also received
an off-list e-mail from someone who was getting hit with 6Gbps of traffic from
them (and was not able to reach anyone there either).
Time to star
20:57
> To: asterisk-users@lists.digium.com
> Subject: Re: [asterisk-users] Being attacked by an Amazon EC2 ...
>
> Am 11.04.2010 17:05, schrieb Mark Smith:
>> Same this end from 184.73.17.150.
>> Use this little piece of iptables magic to block the whole of Amazon's EC2
>&
risk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Stuart Sheldon
Sent: 11 April 2010 21:17
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Being attacked by an Amazon EC2 ...
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA2
On Apr 11, 2010, at 4:06 PM, Tom Stordy-Allison wrote:
> Hi,
>
> This is exactly what I've just joined this mailing list about.
>
> Has anyone has any luck getting Amazon to stop the instances? I'm stuck with
> around 700Kbps of my 2.5Mbps inbound in use as my firewall blocks the
> requests a
On Sun, 11 Apr 2010, Mark Smith wrote:
>
> Same this end from 184.73.17.150.
>
> Use this little piece of iptables magic to block the whole of Amazon's EC2 ip-
> range.
>
> iptables -F
> iptables -A INPUT -m iprange --src-range 216.182.224.0-216.182.239.255 -j DROP
> iptables -A INPUT -m iprange -
On Apr 12, 2010, at 9:12 AM, --[ UxBoD ]-- wrote:
>>
>
> Perhaps if there was a Asterisk RBL we could all contribute to; for which we
> could then hook into and drop any connection where a source IP is listed ?
> --
> Thanks, Phil
>
I love the idea of a RBL... count me in for contributing.
- Original Message -
> Am 11.04.2010 17:05, schrieb Mark Smith:
> > Same this end from 184.73.17.150.
> > Use this little piece of iptables magic to block the whole of
> > Amazon's EC2 ip-
> > range.
> >
> > iptables -F
> > iptables -A INPUT -m iprange --src-range
> > 216.182.224.0-216.182.
I got the same generic response, asking me to submit the same info which I
had already submitted. This clearly show they are not interested in tracing
"just another" hacker on their cloud.
Zeeshan A Zakaria
--
Sent from my Android phone with K-9 Mail.
On 2010-04-12 9:24 AM, "Fred Posner" wrote:
If RBL or something is practical, I'm in too. But at what level these
hackers will be blocked? Unless some big ISPs cooprate, it is not much of
use.
Zeeshan A Zakaria
--
Sent from my Android phone with K-9 Mail.
On 2010-04-12 9:24 AM, "Fred Posner" wrote:
On Apr 12, 2010, at 9:12 AM, --[ UxBo
On Apr 12, 2010, at 8:17 AM, Fred Posner wrote:
> On Apr 12, 2010, at 9:12 AM, --[ UxBoD ]-- wrote:
>
>>>
>>
>> Perhaps if there was a Asterisk RBL we could all contribute to; for which we
>> could then hook into and drop any connection where a source IP is listed ?
>> --
>> Thanks, Phil
>>
On Mon, Apr 12, 2010 at 3:52 PM, Zeeshan Zakaria wrote:
> If RBL or something is practical, I'm in too. But at what level these
> hackers will be blocked? Unless some big ISPs cooprate, it is not much of
> use.
I've been following this with much interest. I don't see RBL (which I
use extensively
Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Being attacked by an Amazon EC2 ...
On Apr 12, 2010, at 8:17 AM, Fred Posner wrote:
> On Apr 12, 2010, at 9:12 AM, --[ UxBoD ]-- wrote:
>
>>>
>>
>> Perhaps if there was a Asterisk RBL we could
Good article - might solve our problems for now:
http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood
He got the bots to stop by writing a ruby script that responds back to them
with a SIP 200 OK.
I'm going give it a go when I'm back home...
Cheers,
Tom
--
___
On 12 Apr 2010, at 17:30, Tom Stordy-Allison wrote:
> Good article - might solve our problems for now:
> http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood
>
> He got the bots to stop by writing a ruby script that responds back to them
> with a SIP 200 OK.
>
> I'm going give
On 04/12/2010 08:17 AM, Fred Posner wrote:
>
> On Apr 12, 2010, at 9:12 AM, --[ UxBoD ]-- wrote:
>
>>>
>>
>> Perhaps if there was a Asterisk RBL we could all contribute to; for
>> which we could then hook into and drop any connection where a
>> source IP is listed ? -- Thanks, Phil
>>
>
> I love th
On Mon, Apr 12, 2010 at 6:51 PM, Darrick Hartman
wrote:
> I don't think anyone else brought up the Spamhaus DROP project. It's a
> blacklist of IP addresses and address ranges which are known to ONLY be
> used for malicious purposes.
>
> http://www.spamhaus.org/drop/
>
Because this is in Amazon'
On Apr 12, 2010, at 1:05 PM, Randy R wrote:
> On Mon, Apr 12, 2010 at 6:51 PM, Darrick Hartman
> wrote:
>> I don't think anyone else brought up the Spamhaus DROP project. It's a
>> blacklist of IP addresses and address ranges which are known to ONLY be
>> used for malicious purposes.
>>
>> http
On 04/12/2010 12:05 PM, Randy R wrote:
> On Mon, Apr 12, 2010 at 6:51 PM, Darrick Hartman
> wrote:
>> I don't think anyone else brought up the Spamhaus DROP project. It's a
>> blacklist of IP addresses and address ranges which are known to ONLY be
>> used for malicious purposes.
>>
>> http://www
- Original Message -
> On 04/12/2010 12:05 PM, Randy R wrote:
> > On Mon, Apr 12, 2010 at 6:51 PM, Darrick Hartman
> > wrote:
> >> I don't think anyone else brought up the Spamhaus DROP project.
> >> It's a
> >> blacklist of IP addresses and address ranges which are known to
> >> ONLY be
>
Darrick Hartman wrote:
> On 04/12/2010 12:05 PM, Randy R wrote:
>> On Mon, Apr 12, 2010 at 6:51 PM, Darrick Hartman
>> wrote:
> Randy,
>
> That only addresses EC2 (and assumes that Amazon has any interest in
> protecting their reputation). What about attacks that come from other
> location
>>> Perhaps if there was a Asterisk RBL we could all contribute to; for
>>> which we could then hook into and drop any connection where a
>>> source IP is listed ? -- Thanks, Phil
>>>
>>
>> I love the idea of a RBL... count me in for contributing.
>>
>> Especially considering the ridiculous respons
> I worked with Project Honeypot guys for a while, they are more than
> willing to assist, as they already have the backend work done for a
> clearing house identifying hackers. The biggest issue we had a year
> ago was to create the mechanism in asterisk to push valid log messages
> out to the da
On Mon, Apr 12, 2010 at 7:17 PM, Darrick Hartman
wrote:
> That only addresses EC2 (and assumes that Amazon has any interest in
> protecting their reputation). What about attacks that come from other
> locations? Granted it's pretty easy to buy time on an EC2 server so
> this may be the primary s
Think we need some solution WITHIN the Asterisk core. Roderick A. suggested
something that looks nice using iptables, some others have pointed out using
RBL or fail2ban, but the best would be to have some generic solution not
dependant on third party programs.
I'm not aware of the asterisk.dev lis
On Tue, Apr 13, 2010 at 08:27:11AM +0200, Randy R wrote:
> On Mon, Apr 12, 2010 at 7:17 PM, Darrick Hartman
> wrote:
> > That only addresses EC2 (and assumes that Amazon has any interest in
> > protecting their reputation). What about attacks that come from other
> > locations? Granted it's pret
On Mon, Apr 12, 2010 at 04:58:42PM -0500, JR Richardson wrote:
> >>> Perhaps if there was a Asterisk RBL we could all contribute to; for
> >>> which we could then hook into and drop any connection where a
> >>> source IP is listed ? -- Thanks, Phil
> >>>
> >>
> >> I love the idea of a RBL... count
- Original Message -
> Think we need some solution WITHIN the Asterisk core. Roderick A.
> suggested something that looks nice using iptables, some others have
> pointed out using RBL or fail2ban, but the best would be to have some
> generic solution not dependant on third party programs.
>
On Tue, 13 Apr 2010, Alyed wrote:
> Think we need some solution WITHIN the Asterisk core. Roderick A. suggested
> something that looks nice using iptables, some others have pointed out using
> RBL or fail2ban, but the best would be to have some generic solution not
> dependant on third party progr
- Original Message -
> On Tue, 13 Apr 2010, Alyed wrote:
>
> > Think we need some solution WITHIN the Asterisk core. Roderick A.
> > suggested something that looks nice using iptables, some others have
> > pointed out using
> > RBL or fail2ban, but the best would be to have some generic so
Am 13.04.2010 10:47, schrieb Gordon Henderson:
> I'd strongly disagree with this. (And I was the OP of this thread and had
> my home/office network connection taken down due to it)
>
> But then, I'm an old worldy Unix sysadmin and the philosophy of having a
> program do one thing well is still etc
On Tue, 2010-04-13 at 09:47 +0100, Gordon Henderson wrote:
> On Tue, 13 Apr 2010, Alyed wrote:
>
> > Think we need some solution WITHIN the Asterisk core. Roderick A. suggested
> > something that looks nice using iptables, some others have pointed out using
> > RBL or fail2ban, but the best would
Hi!
> Any aditional security within * is fine, but if someone is simply
> drowning your bandwith, action must be taken at a lower level.
> Otherwise you endup re-inventing the wheel for D.o.s. attackes for voip,
> mail, ssh, ldap, http, rsync, (or any other service you might be running)
However,
On Apr 13, 2010, at 8:04 AM, Hans Witvliet wrote:
> On Tue, 2010-04-13 at 09:47 +0100, Gordon Henderson wrote:
>> On Tue, 13 Apr 2010, Alyed wrote:
>>
>>> Think we need some solution WITHIN the Asterisk core. Roderick A. suggested
>>> something that looks nice using iptables, some others have poi
Speaking of all these attacks, are there any good web managed security
monitor tools for CentOS out there that can be installed on the system so
that it can give us a visual of let's multiple failed attempts against SSH
or HTTPd?
Something nice that is simple and doesn't eat a lot resources and sp
On Tue, 2010-04-13 at 15:49 +0200, Philipp von Klitzing wrote:
> Hi!
>
> > Any aditional security within * is fine, but if someone is simply
> > drowning your bandwith, action must be taken at a lower level.
> > Otherwise you endup re-inventing the wheel for D.o.s. attackes for voip,
> > mail, ssh
- Original Message -
> Speaking of all these attacks, are there any good web managed security
> monitor tools for CentOS out there that can be installed on the system
> so that it can give us a visual of let's multiple failed attempts
> against SSH or HTTPd?
>
>
> Something nice that is s
Cool. I am just looking over splunk. Isn't that enough by it's own? or is
OSSEC needed to give it raw data? I think these two will take quite some
time to understand. Anything simpler out there as well?
Thanks,
Bruce
On Tue, Apr 13, 2010 at 10:42 AM, --[ UxBoD ]-- wrote:
> - Original Messag
- Original Message -
> Cool. I am just looking over splunk. Isn't that enough by it's own? or
> is OSSEC needed to give it raw data? I think these two will take quite
> some time to understand. Anything simpler out there as well?
>
>
> Thanks,
> Bruce
>
>
> On Tue, Apr 13, 2010 at 10:42
On Tue, Apr 13, 2010 at 04:32:58PM +0200, Hans Witvliet wrote:
> On Tue, 2010-04-13 at 15:49 +0200, Philipp von Klitzing wrote:
> > Hi!
> >
> > > Any aditional security within * is fine, but if someone is simply
> > > drowning your bandwith, action must be taken at a lower level.
> > > Otherwise y
Hmmm. It would seem that it would be to Amazon's advantage to jump on this
problem,
because the accounts that are performing this activity are most likely
purchased with
stolen identities, and sooner or later the charges are going to get
reversed. Either the
credit card companies are going to absor
On Tue, Apr 13, 2010 at 8:25 PM, Steve Murphy wrote:
> Hmmm. It would seem that it would be to Amazon's advantage to jump on this
> problem,
I am pushing for this, please everyone who is suffering from this
problem, submit it or write to complain to Amazon and post the message
publicly wherever y
On Apr 13, 2010, at 4:22 PM, Randy R wrote:
> On Tue, Apr 13, 2010 at 8:25 PM, Steve Murphy wrote:
>> Hmmm. It would seem that it would be to Amazon's advantage to jump on this
>> problem,
>
> I am pushing for this, please everyone who is suffering from this
> problem, submit it or write to comp
Fred Posner
Sent: Tuesday, April 13, 2010 3:41 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Being attacked by an Amazon EC2 ...
On Apr 13, 2010, at 4:22 PM, Randy R wrote:
> On Tue, Apr 13, 2010 at 8:25 PM, Steve Murphy wrote:
>> Hmmm. It woul
On Apr 20, 2010, at 6:18 PM, Frank Bulk wrote:
> Please take note of their posting:
> https://aws.amazon.com/security/
> which discusses the issue and what they're doing to improve response.
>
> Frank
>
If only they wrote the truth...
"When we find misuse, we take action quickly and shut
on and further delay things.
Frank
-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Fred Posner
Sent: Tuesday, April 20, 2010 6:47 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-use
On Apr 20, 2010, at 5:18 PM, Frank Bulk wrote:
> Please take note of their posting:
> https://aws.amazon.com/security/
> which discusses the issue and what they're doing to improve response.
This is an incredibly lame post on their part. They go out of their way to
point out there was n
Amazon is pretty clever! Ever seen "V" on TV?
Amazon talks a pretty good game out of one side of their PR
mouthpiece, but as a few of you note above, they abuse words like
"quickly" and temper everything with "when Amazon determines".
This is a PR damage control statement. It means they are heari
On Tue, 20 Apr 2010, Frank Bulk wrote:
> Please take note of their posting:
> https://aws.amazon.com/security/
> which discusses the issue and what they're doing to improve response.
And is anyone on the list worthy of being considered a "significant SIP
provider" to be honoured with the p
On Apr 21, 2010, at 4:50 AM, Gordon Henderson wrote:
> On Tue, 20 Apr 2010, Frank Bulk wrote:
>
>> Please take note of their posting:
>> https://aws.amazon.com/security/
>> which discusses the issue and what they're doing to improve response.
>
> And is anyone on the list worthy of being co
On Wed, Apr 21, 2010 at 2:55 PM, Fred Posner wrote:
> On Apr 21, 2010, at 4:50 AM, Gordon Henderson wrote:
>
>> On Tue, 20 Apr 2010, Frank Bulk wrote:
>>
>>> Please take note of their posting:
>>> https://aws.amazon.com/security/
>>> which discusses the issue and what they're doing to improve
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Randy R wrote:
> On Wed, Apr 21, 2010 at 2:55 PM, Fred Posner
> wrote:
>> On Apr 21, 2010, at 4:50 AM, Gordon Henderson wrote:
>>
>>> On Tue, 20 Apr 2010, Frank Bulk wrote:
>>>
Please take note of their posting:
https://aws.amazon.com/s
On Wed, Apr 21, 2010 at 9:23 AM, Stuart Sheldon wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Randy R wrote:
> > On Wed, Apr 21, 2010 at 2:55 PM, Fred Posner
> > wrote:
> >> On Apr 21, 2010, at 4:50 AM, Gordon Henderson wrote:
> >>
> >>> On Tue, 20 Apr 2010, Frank Bulk wrote:
>
On Wed, Apr 21, 2010 at 5:33 PM, Steve Murphy wrote:
> Assuming that every such spamming/hacking/attack site is funded on a
> stolen identity/CC number, it will soon sink into Amazon that they are
> getting a bad rep, and losing money on such problems, as all such charges
> are reversed when the i
Randy-
> On Wed, Apr 21, 2010 at 5:33 PM, Steve Murphy wrote:
>> Assuming that every such spamming/hacking/attack site is funded on a
>> stolen identity/CC number, it will soon sink into Amazon that they are
>> getting a bad rep, and losing money on such problems, as all such charges
>> are rever
- Original Message -
> Randy-
>
> > On Wed, Apr 21, 2010 at 5:33 PM, Steve Murphy
> > wrote:
> >> Assuming that every such spamming/hacking/attack site is funded on
> >> a stolen identity/CC number, it will soon sink into Amazon that
> >> they are
> >> getting a bad rep, and losing money
On Sat, May 1, 2010 at 4:49 PM, --[ UxBoD ]-- wrote:
> Slammed again last night by a A-WS server; see if anything comes back from
> their abuse > department!
FWIW, I chose another provider for our most recent customer who needed
cloud hosting, only because of the EC2 flood Attacks and Amazon's w
76 matches
Mail list logo
