|
We have had a few reports on IP addresses in certain parts of the world sending INVITE requests to Asterix servers and attempting to make calls. Looking at the port 5060 data there does seem to be an uptick in targets. If you have some packet captures of this or logs. I'd be interested to take a look at them. Thanks Mark |
Mark 392 Posts ISC Handler Apr 15th 2010 |
| Thread locked Subscribe |
Apr 15th 2010 1 decade ago |
|
A typical event a couple of times a month.
It takes Amazon a couple of days to shut it down. Port 5060 scan across x.x.x/24 and the 600kbps of SIP REGISTER attempts 43.232.101.75.in-addr.arpa. 300 IN PTR ec2-75-101-232-43.compute-1.amazonaws.com. GMT+11 Mar 25 08:43:41 75.101.232.43,5060 -> x.x.x.0,5060 PR udp len 20 440 IN Mar 25 08:43:41 75.101.232.43,5060 -> x.x.x.1,5060 PR udp len 20 436 IN ... skip 306 lines ... Mar 25 08:43:42 75.101.232.43,5060 -> x.x.x.209,5060 PR udp len 20 441 IN 10:57:59.15649 75.101.232.43 -> x.x.x.x UDP D=5060 S=5069 LEN=347 REGISTER sip:x.x.x.x SIP/2.0.. Via: SIP/2.0/UDP 10.212.214.3:5069;branch=z9hG4bK-3594771221;rport.. Content-Length: 0.. From: "2999" <sip:2999@x.x.x.x>.. Accept: application/sdp.. User-Agent:friendly-scanner.. To: "2999" <sip:2999@x.x.x.x>.. Contact:sip:123@1.1.1.1.. CSeq: 1 REGISTER.. Call-ID: 1039083047.. Max-Forwards: 70.... |
Anonymous |
| Quote |
Apr 18th 2010 1 decade ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
