
SANS ISC: SIP Attacks on internet connected port 5060 targeting Asterisk servers - Internet Security | DShield SANS ISC InfoSec Forums


SIP Attacks on internet connected port 5060 targeting Asterisk servers

We have had a few reports on IP addresses in certain parts of the world sending INVITE requests to Asterisk servers and attempting to make calls. Looking at the port 5060 data there does seem to be an uptick in targets.

If you have some packet captures of this or logs, I'd be interested to take a look at them.

Thanks

Mark

Mark

391 Posts
ISC Handler
A typical event a couple of times a month.
It takes Amazon a couple of days to shut it down.

Port 5060 scan across x.x.x/24
and the 600kbps of SIP REGISTER attempts

43.232.101.75.in-addr.arpa. 300 IN PTR
ec2-75-101-232-43.compute-1.amazonaws.com.

GMT+11
Mar 25 08:43:41 75.101.232.43,5060 -> x.x.x.0,5060 PR udp len 20 440 IN
Mar 25 08:43:41 75.101.232.43,5060 -> x.x.x.1,5060 PR udp len 20 436 IN
... skip 306 lines ...
Mar 25 08:43:42 75.101.232.43,5060 -> x.x.x.209,5060 PR udp len 20 441 IN

10:57:59.15649 75.101.232.43 -> x.x.x.x UDP D=5060 S=5069 LEN=347

REGISTER sip:x.x.x.x SIP/2.0..
Via: SIP/2.0/UDP 10.212.214.3:5069;branch=z9hG4bK-3594771221;rport..
Content-Length: 0..
From: "2999" <sip:2999@x.x.x.x>..
Accept: application/sdp..
User-Agent:friendly-scanner..
To: "2999" <sip:2999@x.x.x.x>..
Contact:sip:123@1.1.1.1..
CSeq: 1 REGISTER..
Call-ID: 1039083047..
Max-Forwards: 70....
Anonymous
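
As an added example (not part of the original post or the comment above), the /24 sweep visible in the log excerpt can be detected with a sliding window over lines in that same format. The function name, thresholds and sample addresses (documentation ranges) are assumptions; redacted or elided lines such as `x.x.x.0` or `... skip 306 lines ...` do not parse and are skipped.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shape from the comment above: "Mon DD HH:MM:SS src,sport -> dst,dport PR udp ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<src>[\d.]+),\d+ -> "
    r"(?P<dst>[\d.]+),(?P<dport>\d+) PR udp\b"
)

def find_sip_sweeps(lines, min_targets=20, window=timedelta(seconds=10), year=2000):
    """Return {src_ip: most distinct UDP/5060 targets seen inside `window`} for
    sources reaching `min_targets`. The log has no year, so the caller supplies one."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["dport"] != "5060":
            continue  # unparsable, redacted, or not SIP's default port
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["src"]].append((ts, m["dst"]))
    sweeps = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        counts = defaultdict(int)  # dst -> packets currently inside the window
        for ts, dst in evs:
            counts[dst] += 1
            # Advance the left edge until the window spans at most `window`.
            while ts - evs[start][0] > window:
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        if best >= min_targets:
            sweeps[src] = best
    return sweeps

# Constructed sample: one source sweeping 192.0.2.0/24, one ordinary SIP peer, one DNS packet.
SAMPLE = [
    f"Mar 25 08:43:{41 + i // 128:02d} 198.51.100.7,5060 -> 192.0.2.{i},5060 PR udp len 20 440 IN"
    for i in range(210)
] + [
    f"Mar 25 08:4{i}:00 203.0.113.9,5060 -> 192.0.2.10,5060 PR udp len 20 512 IN"
    for i in range(5)
] + ["Mar 25 08:44:10 198.51.100.7,53 -> 192.0.2.10,53 PR udp len 20 60 IN"]

if __name__ == "__main__":
    print(find_sip_sweeps(SAMPLE))
```

A slow scan that stays under `min_targets` per window is only caught by widening `window`, at the cost of more false positives from busy legitimate peers.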
