Managed to get to the bottom of it, and it was indeed a SIP User-Agent brute-force attempt. Interestingly, though, your mail mentions Verizon specifically... the majority of the remote addresses during this brute-force attempt were also behind Verizon... coincidence?
Hmm..

Regards,

Leland

On Wed, 15 Apr 2009, Dane wrote:

> The timing of your email as well as a couple of seemingly unrelated things that I have heard about make me think this might be related to some large toll fraud scheme.
>
> Today I heard from someone who says Verizon is telling them they see about 700 calls per hour to Cuba originating from their PRI.
>
> Obviously some type of toll fraud. Got me thinking about this person's phone system and how there has always been the issue of toll fraud where someone calls in and knows how to get an outbound call routed through a poorly set up PBX.
>
> However, the rate of 700 calls per hour and one PRI just don't make sense or add up in a situation like the old toll fraud method mentioned earlier, since I believe that's more of a manual attack.
>
> That's when I recalled this post of yours. Made me wonder if there was some way to exploit SIP to associate with a VoIP PBX or gateway or something that was tied to PRIs and thus route your calls over someone's phone system.
>
> Sure enough, found some discussions and posts regarding toll fraud to Cuba (and others) in relation to SIP.
>
> For instance, Cisco's CallManager Express device, which is a router as well as a VoIP PBX, is often tied to PSTN or PRIs and by default has the H323 TCP/1720 and SIP UDP/5060 ports open.
>
> It may seem obvious to others but new to me that these scans are related to someone or some group looking to find devices with these ports open in an effort to attach to them through SIP and hopefully exploit them if attached to PRIs or PSTN for toll fraud.
>
> I really do learn something new every day; some smart deviant people out there.
>
>
> On Fri, Apr 10, 2009 at 3:45 AM, Leland E. Vandervort <lel...@taranta.discpro.org> wrote:
> >
> > Hi All,
> >
> > Over the past couple of days we have been seeing an exponential increase (about 200-fold) in the amount of UDP SIP control traffic in our netflow data. The past 24 hours, for example, have shown a total of nearly 300 GB of this traffic incoming and over 400 GB outgoing -- this despite the fact that we do not host any SIP services ourselves, and currently, to my knowledge, we have no hosting customers running any kind of SIP services. (Total RTP traffic for 24 hours is only in the region of 150 Kb -- so a vast imbalance between control and RTP.)
> >
> > The local sources/destinations of the traffic are within our hosting space, but are spread across a wide range of hosts (i.e. nothing really related to a single or handful of hosts).
> >
> > Additionally, over the past couple of days we have seen an increase of mails to our abuse desk for "brute force" attempts against a number of SIP services... possibly directly related to this traffic.
> >
> > Is anyone aware of a new variant or modus operandi of botnets in circulation in the past couple of days which attempt to exploit SIP services? Has anyone else noticed a significant increase in this kind of traffic?
> >
> > Thanks
> >
> > Leland
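The two observations in this thread (Leland's netflow showing SIP signalling with almost no RTP, and the extension/registration brute-forcing that the abuse reports and Dane's toll-fraud story point at) can both be checked from data most operators already have. The following is an added example written for this page, not code from anyone on the thread: a small Python detector that parses raw SIP requests into per-source counters (request volume, distinct target extensions, User-Agent strings) and computes a signalling-to-media byte ratio from netflow-style records. The sample packets and flows are constructed, the addresses are RFC 5737 documentation ranges, the User-Agent names are invented, and the thresholds and the 16384-32767 RTP port range are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict

# --- Constructed sample data (not from the thread) ---------------------------
# A scanner walking extensions 100..111 on a PBX, plus one legitimate phone
# re-registering three times. Addresses are RFC 5737 documentation ranges and
# the User-Agent strings are made up for this example.
def _register(user, agent):
    return (
        f"REGISTER sip:pbx.example.net SIP/2.0\r\n"
        f"From: <sip:{user}@pbx.example.net>;tag=abc\r\n"
        f"To: <sip:{user}@pbx.example.net>\r\n"
        f"User-Agent: {agent}\r\n"
        f"\r\n"
    )

SAMPLE_SIP = (
    [("203.0.113.10", "OPTIONS sip:pbx.example.net SIP/2.0\r\nUser-Agent: scanner-x\r\n\r\n")]
    + [("203.0.113.10", _register(str(u), "scanner-x")) for u in range(100, 112)]
    + [("198.51.100.7", _register("201", "DeskPhone/1.0"))] * 3
    + [("192.0.2.5", "SIP/2.0 200 OK\r\n\r\n")]  # a response from the PBX; ignored
)

# Netflow-style records (proto, dst_port, bytes) for one interval: signalling
# dominates and RTP is nearly absent, the imbalance Leland describes.
SAMPLE_FLOWS = [
    ("udp", 5060, 1_000_000),
    ("udp", 5060, 1_000_000),
    ("udp", 5060, 1_000_000),
    ("tcp", 1720, 40_000),      # H.323 signalling, not counted here
    ("udp", 16400, 1_000),      # RTP (assumed port range 16384-32767)
    ("udp", 20000, 500),
    ("tcp", 443, 9_000_000),    # unrelated web traffic, ignored
]

# --- Parsing -----------------------------------------------------------------
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>sips?:\S+) SIP/2\.0$")
HEADER_LINE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9-]*):\s*(?P<value>.*)$")
SIP_USER = re.compile(r"sips?:([^@>;]+)@")


def parse_request(raw):
    """Return (method, target_user, user_agent) for a SIP request, or None for
    responses and unparsable data. Only the request line and headers are read;
    the body (if any) is never touched."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = REQUEST_LINE.match(head[0])
    if not m:
        return None
    headers = {}
    for line in head[1:]:
        h = HEADER_LINE.match(line)
        if h:
            headers[h.group("name").lower()] = h.group("value")
    user = SIP_USER.search(headers.get("to", ""))
    return m.group("method"), (user.group(1) if user else None), headers.get("user-agent", "")


# --- Detection ---------------------------------------------------------------
def summarize(packets):
    """Per-source counters: request count, distinct target users, distinct UAs."""
    stats = defaultdict(lambda: {"requests": 0, "users": set(), "agents": set()})
    for src, raw in packets:
        parsed = parse_request(raw)
        if parsed is None:
            continue
        method, user, agent = parsed
        if method not in ("REGISTER", "INVITE", "OPTIONS"):
            continue
        s = stats[src]
        s["requests"] += 1
        if user:
            s["users"].add(user)
        if agent:
            s["agents"].add(agent)
    return stats


def flag_bruteforce(stats, min_requests=20, min_distinct_users=5):
    """Sources that either hammer the PBX or walk many different extensions.
    A legitimate phone registers one identity repeatedly; a scanner registers
    many. Thresholds are assumptions; tune them to your own traffic."""
    return sorted(
        src for src, s in stats.items()
        if s["requests"] >= min_requests or len(s["users"]) >= min_distinct_users
    )


def sip_rtp_byte_ratio(flows, rtp_ports=(16384, 32767)):
    """Bytes to udp/5060 versus bytes into the (assumed) RTP port range.
    Real calls move far more RTP than SIP; a ratio far above 1 means
    signalling without media, i.e. scanning or registration attempts."""
    sip = rtp = 0
    lo, hi = rtp_ports
    for proto, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dport == 5060:
            sip += nbytes
        elif lo <= dport <= hi:
            rtp += nbytes
    return sip, rtp, (sip / rtp if rtp else float("inf"))


if __name__ == "__main__":
    stats = summarize(SAMPLE_SIP)
    for src in flag_bruteforce(stats):
        s = stats[src]
        print(f"{src}: {s['requests']} requests, {len(s['users'])} extensions, UA={sorted(s['agents'])}")
    sip, rtp, ratio = sip_rtp_byte_ratio(SAMPLE_FLOWS)
    print(f"SIP bytes={sip} RTP bytes={rtp} ratio={ratio:.0f}")
```

Feed `summarize()` the (source, payload) pairs a pcap or honeypot exporter hands you and `sip_rtp_byte_ratio()` your flow records per interval; the User-Agent set per source is what lets you tie an abuse report's "User-Agent brute force" back to a particular scanner, and the byte ratio is the quickest way to tell registration floods from a customer who actually started carrying calls.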