On Tue, Oct 23, 2012 at 7:40 PM, ik <ido...@gmail.com> wrote:
> > If so - are you sure they're _attacking_ you? Absolutely positive that what
> > you're seeing is NOT returning packets for packets that have originated from
> > YOUR network? (could be internal computers with malware...)
>
> I see the automated scanners in the log, trying to do stuff, but they
> are very narrow scans for specific tasks of specific servers.
> For example attempting to connect to SIP extensions on Asterisk and try to
> dial.

I can only answer to the scenarios you're giving. So I'll have to start with SIP.
SIP as a protocol has a feature that allows you to re-route the RTP stream on the fly between different endpoints. Common case I can think of:

* Your Asterisk box is connecting to an external SIP termination service;
* Your Asterisk has canreinvite=1 for endpoints.
* You start a call to a number that belongs on the SIP termination service trunk
* The call is answered
* If the endpoint can reach the Internet, there's really no point in sending all the RTP traffic through Asterisk (unless it's doing MeetMe conferencing, IVR et al...)
* SIP renegotiates the streams to go directly from your endpoint to the media gateway on the other side
* Your firewall is SIP aware, reads the traffic, allows RTP to 'punch a hole through the firewall' - even though you have no specific rule. (search for SIP ALG (=Application Level Gateway) in your FW settings)
* The RTP stream could look like an attack attempt of "UDP traffic at a random high port number"...

Does that make any sense?

-- Shimi
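The way to tell a renegotiated RTP stream from unexplained UDP traffic is to compare the firewall log against the media endpoints the SDP body of the INVITE or re-INVITE actually advertised (the `c=` and `m=` lines). The following is an added example, not code from this thread or from Asterisk; the SDP body and the iptables-style `LOG` lines are constructed sample data, and the `SRC=/DST=/PROTO=/SPT=/DPT=` field format is assumed to match what the kernel logs in your setup.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MediaEndpoint:
    ip: str
    port: int
    media: str  # "audio", "video", ...


def parse_sdp_media(sdp: str) -> List[MediaEndpoint]:
    """Return the RTP endpoints an SDP body advertises.

    A session-level c= line gives the default IP; a c= line after an m= line
    overrides it for that media stream only.  m= lines with port 0 are
    rejected streams and are skipped.
    """
    session_ip: Optional[str] = None
    endpoints: List[MediaEndpoint] = []
    in_media_section = False
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("c="):
            # c=IN IP4 203.0.113.10
            parts = line[2:].split()
            if len(parts) < 3:
                continue
            ip = parts[2].split("/")[0]  # drop any TTL suffix
            if in_media_section and endpoints:
                last = endpoints[-1]
                endpoints[-1] = MediaEndpoint(ip, last.port, last.media)
            else:
                session_ip = ip
        elif line.startswith("m="):
            # m=audio 18432 RTP/AVP 0 8 101
            parts = line[2:].split()
            in_media_section = True
            if len(parts) < 2 or int(parts[1]) == 0:
                continue
            endpoints.append(MediaEndpoint(session_ip or "", int(parts[1]), parts[0]))
    return endpoints


LOG_FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def classify_udp_log(lines: List[str], endpoints: List[MediaEndpoint]) -> List[Tuple[str, str]]:
    """Label each UDP log line as negotiated RTP/RTCP or unexplained traffic.

    RTCP conventionally runs on the RTP port + 1, so both ports are accepted.
    Non-UDP lines are ignored.
    """
    allowed = {(e.ip, e.port) for e in endpoints}
    allowed |= {(e.ip, e.port + 1) for e in endpoints}
    results = []
    for line in lines:
        fields = dict(LOG_FIELD.findall(line))
        if fields.get("PROTO") != "UDP":
            continue
        src = (fields.get("SRC"), int(fields.get("SPT", "0")))
        dst = (fields.get("DST"), int(fields.get("DPT", "0")))
        label = "negotiated-rtp" if (src in allowed or dst in allowed) else "unexplained"
        results.append((label, line))
    return results


# Constructed re-INVITE SDP: provider media gateway offers audio on 18432,
# rejects video (port 0).
SAMPLE_SDP = """v=0
o=gw 1 1 IN IP4 203.0.113.10
s=-
c=IN IP4 203.0.113.10
t=0 0
m=audio 18432 RTP/AVP 0 8 101
m=video 0 RTP/AVP 96
"""

# Constructed firewall log lines (iptables LOG style, fields assumed).
SAMPLE_LOG = [
    "Oct 23 19:40:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.23 PROTO=UDP SPT=18432 DPT=40012",
    "Oct 23 19:40:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.23 PROTO=UDP SPT=18433 DPT=40013",
    "Oct 23 19:40:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.23 PROTO=UDP SPT=5060 DPT=5060",
    "Oct 23 19:40:06 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.23 PROTO=TCP SPT=44123 DPT=22",
]


if __name__ == "__main__":
    for label, line in classify_udp_log(SAMPLE_LOG, parse_sdp_media(SAMPLE_SDP)):
        print(f"{label:15} {line}")
```

In practice you would feed it the SDP bodies captured from Asterisk's SIP debug output (or a pcap) for the calls that were in progress when the "attack" was logged; anything that still comes out as unexplained after that comparison deserves a closer look, while the negotiated streams are the SIP ALG doing its job.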
_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il