[VOIPSEC] [VoiceOps] Strange attacks over the weekend (J. Oquendo)

Mark Collier mark.collier at securelogix.com
Tue Nov 2 10:45:16 CDT 2010


I have been thinking that a SIP-aware botnet would be a possible way to
generate a large call flood/Telephony DoS attack. All the bot would need
is some basic SIP call generation code, which could be lifted from a
call generator or softphone, and Internet-based SIP access. I would
guess that attackers are already identifying and probing for free SIP
access that they can use for TDoS attacks. I don't think that is what
you are seeing, but it is possible.

-----Original Message-----
From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
Behalf Of voipsec-request at voipsa.org
Sent: Tuesday, November 02, 2010 7:00 AM
To: voipsec at voipsa.org
Subject: Voipsec Digest, Vol 70, Issue 1

Send Voipsec mailing list submissions to
	voipsec at voipsa.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
or, via email, send a message with subject or body 'help' to
	voipsec-request at voipsa.org

You can reach the person managing the list at
	voipsec-owner at voipsa.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Voipsec digest..."


Today's Topics:

   1. Strange attacks over the weekend (J. Oquendo)
   2. Re: [VoiceOps] Strange attacks over the weekend (J. Oquendo)
   3. Re: [VoiceOps] Strange attacks over the weekend (J. Oquendo)
   4. Re: [VoiceOps] Strange attacks over the weekend (J. Oquendo)


----------------------------------------------------------------------

Message: 1
Date: Mon, 01 Nov 2010 11:01:19 -0400
From: "J. Oquendo" <sil at infiltrated.net>
To: Voipsec <voipsec at voipsa.org>, 	"voiceops at voiceops.org"
	<voiceops at voiceops.org>
Subject: [VOIPSEC] Strange attacks over the weekend
Message-ID: <4CCED63F.5020903 at infiltrated.net>
Content-Type: text/plain; charset=ISO-8859-1


Sorry for the cross posting to two lists, but I thought everyone on both
lists might benefit from the message(*cough*rambling*)

So yesterday, I had a honeypot host "open to the world." Not one "block
this country" rule on the machine. Normally throughout the past months
I've seen maybe 1 or 2 attacks in parallel, but yesterday was different.
I butchered up a perl script to block on the fly as opposed to blocking
out entire countries and was surprised to see I managed to accumulate
1600+ hosts. Not *that* big of a deal until I started going through some
of the logs...

I'm a bit puzzled because I see hundreds of attacks in parallel
(literally 100-200 connections from different netblocks at the same
time) so I'm thinking... "VoIP Based Botnet?"

Anyhow, still parsing through the wonderful bucketload of logs this
morning. Anyone else see massive activity beginning 10/31?

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
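
An added example of the on-the-fly blocking described above (not the poster's perl script, and not VoIP Abuse Project code): it parses chan_sip failed-registration notices, measures how many distinct sources hit the box inside a sliding window, and renders drop rules for sources that fail repeatedly. The log lines are constructed for the example and modelled on Asterisk's "Registration from ... failed for ..." NOTICE; the year, the window length and the threshold are assumptions.

```python
"""Count concurrent SIP brute-force sources in an Asterisk log and
decide which ones to block.

Added example, not the poster's tooling. SAMPLE_LOG is constructed,
modelled on chan_sip's failed-REGISTER NOTICE; the year, window and
threshold below are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# chan_sip (Asterisk 1.4-1.8 era) failed-registration notice; the
# source may carry a :port inside the quotes on newer releases.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.*)$"
)
EXT_RE = re.compile(r"sip:(\d+)@")

# Constructed sample: five sources hitting one server within ten seconds,
# one of them hammering a single account it has already found.
SAMPLE_LOG = """\
[Oct 31 03:12:01] NOTICE[2231] chan_sip.c: Registration from '"1000" <sip:1000@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Oct 31 03:12:01] NOTICE[2231] chan_sip.c: Registration from '"2000" <sip:2000@192.0.2.10>' failed for '198.51.100.8' - No matching peer found
[Oct 31 03:12:01] NOTICE[2231] chan_sip.c: Registration from '"3000" <sip:3000@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Oct 31 03:12:02] NOTICE[2231] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Oct 31 03:12:02] NOTICE[2231] chan_sip.c: Registration from '"1012" <sip:1012@192.0.2.10>' failed for '203.0.113.9' - Wrong password
[Oct 31 03:12:02] NOTICE[2231] chan_sip.c: Registration from '"1012" <sip:1012@192.0.2.10>' failed for '203.0.113.9' - Wrong password
[Oct 31 03:12:03] NOTICE[2231] chan_sip.c: Registration from '"2001" <sip:2001@192.0.2.10>' failed for '198.51.100.8' - No matching peer found
[Oct 31 03:12:09] NOTICE[2231] chan_sip.c: Registration from '"1500" <sip:1500@192.0.2.10>' failed for '192.0.2.77' - No matching peer found
[Oct 31 03:13:30] NOTICE[2231] chan_sip.c: Registration from '"1012" <sip:1012@192.0.2.10>' failed for '203.0.113.9' - Wrong password
"""


def parse_log(text, year=2010):
    """Return failed-REGISTER events sorted by time. Asterisk timestamps
    carry no year, so one is supplied (assumed 2010 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed registration; ignore
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        ext = EXT_RE.search(m.group("from"))
        events.append({"ts": ts, "ip": m.group("ip"),
                       "ext": ext.group(1) if ext else None,
                       "reason": m.group("reason")})
    events.sort(key=lambda e: e["ts"])
    return events


def peak_concurrency(events, window_seconds=60):
    """Largest number of distinct source IPs seen inside any one window."""
    best, start = 0, 0
    for end in range(len(events)):
        while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
            start += 1
        best = max(best, len({e["ip"] for e in events[start:end + 1]}))
    return best


def block_candidates(events, threshold=2, window_seconds=60):
    """IPs with at least `threshold` failures inside one window (assumed policy)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])  # already time-ordered
    blocked = set()
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                blocked.add(ip)
                break
    return sorted(blocked)


def iptables_rules(ips, port=5060):
    """Render (not execute) one DROP rule per offender for SIP over UDP."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("failed registrations:", len(ev))
    print("peak distinct sources in 60s:", peak_concurrency(ev))
    for rule in iptables_rules(block_candidates(ev)):
        print(rule)
```

The "No matching peer found" versus "Wrong password" reasons are worth keeping in the event record: the first marks a sweep for extensions that exist, the second marks an account the attacker has already found and is now guessing passwords for.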




------------------------------

Message: 2
Date: Mon, 01 Nov 2010 13:02:36 -0400
From: "J. Oquendo" <sil at infiltrated.net>
To: Richard Barnes <richard.barnes at gmail.com>
Cc: "voiceops at voiceops.org" <voiceops at voiceops.org>,	Voipsec
	<voipsec at voipsa.org>
Subject: Re: [VOIPSEC] [VoiceOps] Strange attacks over the weekend
Message-ID: <4CCEF2AC.70105 at infiltrated.net>
Content-Type: text/plain; charset=ISO-8859-1

Richard Barnes wrote:
> Could you say a little more about what this weird traffic was?  Were
> these SIP messages?
> --Richard
>   

Sorry, should have been more clear. These were SIP registrations +
bruteforce attacks.

-- 
J. Oquendo




------------------------------

Message: 3
Date: Mon, 01 Nov 2010 16:14:03 -0400
From: "J. Oquendo" <sil at infiltrated.net>
To: Richard Barnes <richard.barnes at gmail.com>
Cc: "voiceops at voiceops.org" <voiceops at voiceops.org>, stu at actusa.net,
	Voipsec <voipsec at voipsa.org>
Subject: Re: [VOIPSEC] [VoiceOps] Strange attacks over the weekend
Message-ID: <4CCF1F8B.1020607 at infiltrated.net>
Content-Type: text/plain; charset=ISO-8859-1

Richard Barnes wrote:
> So, going back to your original question, the answer might not be
> "VoIP based botnet", but rather "VoIP targeted botnet" -- a botnet
> that's trying to brute-force passwords for access into a VoIP system.
>   

So I wasn't the only one seeing this:

http://www.stuartsheldon.org/blog/2010/11/sip-brute-force-attacks-escalate-over-halloween-weekend/

Anyhow, yesterday one of my servers (count it ONE) was hit up over 1640+
attacks from a variety of different hosts. It's really not a big deal to
see dozens, even a couple of hundred attacks hit a machine, but
something definitely seems odd. I believe someone has either done one of
the following:

1) Created a distributed "scanner slash bruteforcer" platform
2) Discovered a vulnerability in some VoIP based application
3) Created a VoIP based botnet

#2 wouldn't make any sense because they wouldn't need to bruteforce. #1
Makes more sense because at certain points in time, multiple attacks are
launched from different hosts with the numbers incremented with no host
overlapping the other. #3 is another possibility - think "Crimepack" or
some other exploit kit.

Perhaps it's time to work with vendors, RFC folk and others to find some
mechanism to flag these attacks? I'm thinking of a variable to be
inserted into a SIP message that says "oh no, not on my system you
don't." While the VoIP Abuse Project is fun for me, there is no way I
will be able to perform nslookups, detail the who's who for the vast
majority of these hosts. Any suggestions?

I could do something to the tune of:

if $attacker shows_up_here

then $post $attacker DATABASE & call DB_INFO from a webpage

fi

Where others can pull from whatever addresses are visible. This would
apply to others who have their IP PBXs visible to the world for some
reason or another. I'm still scratching my head as to what occurred
yesterday though. On the above listed blog, some of the information
differs as to what I see:

1) As many as 10 parallel scans started from different hosts using
different ranges, e.g., 10.10.10.x, 10.20.20.x, 10.30.30.x would scan
say accounts 1000-1999, 2000-2999, 3000-3999 and so on.
2) As many as 5 parallel scans would start bruteforcing accounts found,
e.g., 10.10.10.x, 10.20.20.x, would start bruteforcing in parallel
accounts 1012 and 2500.
3) My honeypots began blocking attacks and immediately after, another
host would pick up where one left off. e.g., say if 10.10.10.x was
scanning 1000-1999 and was firewalled at 1200, another address picked up
the slack for 1201-1999

Right now, I haven't even parsed through the logs of my other servers as
I'm playing catch-up with work.

As it stands: http://www.infiltrated.net/voipabuse/logs/october2010.html
October 31st was a strange day, but today is no different. As of this
writing, since midnight there have been 609 attacks against one server
and it seems some attackers are heavily fiddling with international
dialing attempts (http://www.infiltrated.net/voipabuse/logs/): (Captured
calls from my Asterisk based honeypot)

$ tail -n 10 /usr/share/arcade-project/calls
001120161448455 10282010-16:34:10 - my.sanitized.address <guest> -
SIP/guest-f56150f0
3320161448455 10282010-16:34:57 - my.sanitized.address <guest> -
SIP/guest-f2f56c58
8**1020161448455 10282010-16:36:31 - my.sanitized.address <guest> -
SIP/guest-f2f00018
19**20161448455 10282010-16:38:34 - my.sanitized.address <guest> -
SIP/guest-f6282eb8
19**20161448455 10282010-16:38:54 - my.sanitized.address <guest> -
SIP/guest-09dda5b8
01185099930015 11012010-15:19:09 - my.sanitized.address <guest> -
SIP/guest-f62732e0
901185099930015 11012010-15:19:20 - my.sanitized.address <guest> -
SIP/guest-f6231548

# grep 448455 /usr/share/arcade-project/calls
01120161448455 10212010-04:49:05 - my.sanitized.address <guest> -
SIP/guest-09baa3a0
901120161448455 10212010-04:49:46 - my.sanitized.address <guest> -
SIP/guest-09d20250
801120161448455 10212010-04:50:32 - my.sanitized.address <guest> -
SIP/guest-09cf72a8
55520161448455 10212010-04:51:46 - my.sanitized.address <guest> -
SIP/guest-09e900a0
801120161448455 10212010-04:52:14 - my.sanitized.address <guest> -
SIP/guest-09e900a0
001120161448455 10282010-16:34:10 - my.sanitized.address <guest> -
SIP/guest-f56150f0
3320161448455 10282010-16:34:57 - my.sanitized.address <guest> -
SIP/guest-f2f56c58
8**1020161448455 10282010-16:36:31 - my.sanitized.address <guest> -
SIP/guest-f2f00018
19**20161448455 10282010-16:38:34 - my.sanitized.address <guest> -
SIP/guest-f6282eb8
19**20161448455 10282010-16:38:54 - my.sanitized.address <guest> -
SIP/guest-09dda5b8


-- 
J. Oquendo


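An added example (not code from the post or the VoIP Abuse Project) that turns the three observations above into detection logic: it takes a list of REGISTER attempts, tells range sweeps apart from single-account brute force, reports sweeps that ran at the same time over extension ranges that never overlap, and flags a source that resumes a range exactly one extension past where a firewalled source stopped. The attempt list is constructed (RFC 5737 documentation addresses) and the thresholds are assumptions.

```python
"""Recognise coordinated, partitioned SIP extension sweeps and the
hand-off from a blocked source to a fresh one.

Added example, not the poster's tooling. ATTEMPTS is constructed and
the three thresholds are assumptions."""
from collections import defaultdict

SWEEP_MIN_DISTINCT = 20   # assumed: fewer distinct extensions is not a sweep
BRUTE_MIN_ATTEMPTS = 10   # assumed: repeated tries against one account
HANDOFF_MAX_GAP = 30      # assumed: seconds between one source going quiet and the next resuming

# (seconds since start, source ip, extension tried), one row per REGISTER.
ATTEMPTS = (
    [(t, "198.51.100.7", 1000 + t) for t in range(200)]          # sweeps 1000-1199, then firewalled
    + [(t, "198.51.100.8", 2000 + t) for t in range(300)]        # sweeps 2000-2299
    + [(t, "203.0.113.5", 3000 + t) for t in range(300)]         # sweeps 3000-3299
    + [(200 + t, "192.0.2.77", 1200 + t) for t in range(100)]    # picks up 1200-1299 as .7 goes quiet
    + [(t, "203.0.113.9", 1012) for t in range(50, 80)]          # hammers one account it found
)


def summarize(attempts):
    """Per source: time span, attempt count and the extension range tried."""
    by_ip = defaultdict(list)
    for t, ip, ext in attempts:
        by_ip[ip].append((t, ext))
    out = {}
    for ip, rows in by_ip.items():
        times = [t for t, _ in rows]
        exts = sorted({e for _, e in rows})
        out[ip] = {"first": min(times), "last": max(times), "n": len(rows),
                   "lo": exts[0], "hi": exts[-1], "distinct": len(exts)}
    return out


def classify(s):
    """'sweep' = every extension in [lo, hi] was tried; 'bruteforce' = one
    account, many tries; anything else is 'other'."""
    if s["distinct"] >= SWEEP_MIN_DISTINCT and s["distinct"] == s["hi"] - s["lo"] + 1:
        return "sweep"
    if s["distinct"] == 1 and s["n"] >= BRUTE_MIN_ATTEMPTS:
        return "bruteforce"
    return "other"


def _overlap(a0, a1, b0, b1):
    return a0 <= b1 and b0 <= a1


def partitioned_sweeps(summary):
    """Sweeps active at the same time whose extension ranges never overlap:
    the signature of one operator splitting the keyspace across hosts.
    Returned in order of the range each one covered."""
    sweeps = sorted((ip for ip, s in summary.items() if classify(s) == "sweep"),
                    key=lambda ip: summary[ip]["lo"])
    coordinated = set()
    for i, a in enumerate(sweeps):
        for b in sweeps[i + 1:]:
            sa, sb = summary[a], summary[b]
            if (_overlap(sa["first"], sa["last"], sb["first"], sb["last"])
                    and not _overlap(sa["lo"], sa["hi"], sb["lo"], sb["hi"])):
                coordinated.update((a, b))
    return [ip for ip in sweeps if ip in coordinated]


def handoffs(summary):
    """(stopped source, resuming source, extension) where the resuming
    sweep starts at stopped.hi + 1 within HANDOFF_MAX_GAP seconds."""
    found = []
    for a, sa in summary.items():
        for b, sb in summary.items():
            if a == b or classify(sa) != "sweep" or classify(sb) != "sweep":
                continue
            gap = sb["first"] - sa["last"]
            if sb["lo"] == sa["hi"] + 1 and 0 <= gap <= HANDOFF_MAX_GAP:
                found.append((a, b, sb["lo"]))
    return sorted(found)


if __name__ == "__main__":
    s = summarize(ATTEMPTS)
    for ip, row in sorted(s.items(), key=lambda kv: kv[1]["lo"]):
        print(f"{ip:14} {classify(row):10} ext {row['lo']}-{row['hi']} "
              f"t={row['first']}..{row['last']} n={row['n']}")
    print("partitioned sweep:", partitioned_sweeps(s))
    print("hand-offs:", handoffs(s))
```

A hand-off match is the strongest single indicator here: two unrelated scanners might happen to pick disjoint ranges, but a second host starting at exactly the next extension seconds after the first one was dropped implies shared state behind both.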


------------------------------

Message: 4
Date: Mon, 01 Nov 2010 16:44:49 -0400
From: "J. Oquendo" <sil at infiltrated.net>
To: Voipsec <voipsec at voipsa.org>, 	"voiceops at voiceops.org"
	<voiceops at voiceops.org>
Subject: Re: [VOIPSEC] [VoiceOps] Strange attacks over the weekend
Message-ID: <4CCF26C1.4070103 at infiltrated.net>
Content-Type: text/plain; charset=ISO-8859-1

Alex Balashov wrote:
> One of our large local customers here in Atlanta was hit with a
> brute-force and extremely intensive REGISTER scan late this
> morning/early this afternoon from 5 IPs -- 2 in Indonesia, 1 in
> Argentina, 1 in Russia, and one other from the Philippines that I
> don't have on hand:
>
>   125.162.94.57
>   110.137.65.131
>   186.137.208.202
>   217.118.90.189
>
> ... that we could identify.  We don't know if they were part of a
> coordinated scan or just launched in parallel, but they were fairly
> sophisticated in that they detected the nomenclature and length
> assignment patterns in extensions (403 Forbidden vs. 401 Unauthorized,
> I suppose) and zeroed in on those.
>
> No toll fraud took place, but they did take down several Asterisk
> processes due to Asterisk's inability to cope with this volume of
> requests.  I would have put the intensity at about ~5-10 per second.
>
None of those hosts are visible to me:

# echo "125.162.94.57
110.137.65.131
186.137.208.202
217.118.90.189" | while read luzer ; do grep -c $luzer OCT ; done
0
0
0
0

Max connects I've seen in parallel so far, 11 addresses all scattered.
Definitely a cut above the typical attack. I want to say
someone/some_group is creating, has created or something is evolving. On
the flip side, "from the rumor mill," someone told me that all the
offending hosts seemed to be running an ftp server primarily on OpenBSD
based machines. It is rumored that 5 machines out of 5 reverse-recon'd
were OpenBSD boxes.

Anyhow, if I had to parse together what I believe occurred is/was:
Someone either created or is in the process of creating some form of C&C
targeting IP PBXs which use SIP for registrations. Judging by the
volume, the extensions/usernames targeted and the sources of the attack,
they likely did some form of "parallel incrementing" recon and
registration attempts (bruteforcing): "China you start with these
extensions, Russia with these, Brazil with those and if someone gets
blocked, then Poland pick it up, etc., etc." Who knows. What I DO KNOW
is they're constantly fiddling with international numbers almost often
to the same numbers. Even when they fail, they'll still come back a week
or two later and try some new and (un)improved insertions to try and
make calls. I DO KNOW factually, these endpoint numbers are in some
shape form or fashion under their control.

-- 
J. Oquendo


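An added example (not the honeypot's own tooling) of the "same numbers, new insertions" observation above and of the grep in the earlier message: it parses the captured-call records exactly as printed there and groups them by far-end destination, so the trunk prefixes, country codes and masked digits an attacker puts in front of the number collapse into one cluster with a first-seen and last-seen date. The records are the ones quoted in the thread; keying on the last 10 digits of each dialed string is this example's assumption.

```python
"""Cluster captured dial attempts by destination, ignoring whatever the
caller prepended (9, 8, 011, 00, country code, masked '*' digits).

Added example, not the honeypot's code. The records are the ones the
thread prints; the 10-digit suffix key is an assumption."""
import re
from collections import defaultdict
from datetime import datetime

# Records copied from the thread: <dialed> <MMDDYYYY-HH:MM:SS> - <host> <user> - <channel>
CALLS = """\
01120161448455 10212010-04:49:05 - my.sanitized.address <guest> - SIP/guest-09baa3a0
901120161448455 10212010-04:49:46 - my.sanitized.address <guest> - SIP/guest-09d20250
801120161448455 10212010-04:50:32 - my.sanitized.address <guest> - SIP/guest-09cf72a8
55520161448455 10212010-04:51:46 - my.sanitized.address <guest> - SIP/guest-09e900a0
801120161448455 10212010-04:52:14 - my.sanitized.address <guest> - SIP/guest-09e900a0
001120161448455 10282010-16:34:10 - my.sanitized.address <guest> - SIP/guest-f56150f0
3320161448455 10282010-16:34:57 - my.sanitized.address <guest> - SIP/guest-f2f56c58
8**1020161448455 10282010-16:36:31 - my.sanitized.address <guest> - SIP/guest-f2f00018
19**20161448455 10282010-16:38:34 - my.sanitized.address <guest> - SIP/guest-f6282eb8
19**20161448455 10282010-16:38:54 - my.sanitized.address <guest> - SIP/guest-09dda5b8
01185099930015 11012010-15:19:09 - my.sanitized.address <guest> - SIP/guest-f62732e0
901185099930015 11012010-15:19:20 - my.sanitized.address <guest> - SIP/guest-f6231548
"""

REC_RE = re.compile(
    r"^(?P<dialed>\S+) (?P<ts>\d{8}-\d\d:\d\d:\d\d) - (?P<host>\S+) "
    r"<(?P<user>[^>]*)> - (?P<chan>\S+)$"
)
SUFFIX_DIGITS = 10  # assumed: enough of the national number to identify the far end


def parse_calls(text):
    """Parse the honeypot's one-line-per-call records."""
    recs = []
    for line in text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        recs.append({"dialed": m["dialed"], "user": m["user"], "chan": m["chan"],
                     "ts": datetime.strptime(m["ts"], "%m%d%Y-%H:%M:%S")})
    return recs


def dest_key(dialed):
    """Destination key: non-digits ('*', '#') dropped, then the trailing
    SUFFIX_DIGITS digits, so prefixes of any length fall away."""
    digits = re.sub(r"\D", "", dialed)
    return digits[-SUFFIX_DIGITS:]


def cluster(recs):
    """Group records by destination; report attempts, the distinct dialed
    variants and how many days the attacker kept coming back."""
    groups = defaultdict(list)
    for r in recs:
        groups[dest_key(r["dialed"])].append(r)
    out = {}
    for key, rows in groups.items():
        rows.sort(key=lambda r: r["ts"])
        out[key] = {
            "attempts": len(rows),
            "variants": sorted({r["dialed"] for r in rows}),
            "first": rows[0]["ts"],
            "last": rows[-1]["ts"],
            "days_spanned": (rows[-1]["ts"] - rows[0]["ts"]).days,
        }
    return out


if __name__ == "__main__":
    for key, info in cluster(parse_calls(CALLS)).items():
        print(f"...{key}: {info['attempts']} attempts, {len(info['variants'])} variants, "
              f"{info['first']:%Y-%m-%d} to {info['last']:%Y-%m-%d} ({info['days_spanned']} days)")
        for v in info["variants"]:
            print("   ", v)
```

Every record above came in as <guest>, which is what makes the honeypot useful and what a production box must not allow; the cluster report is what you would feed into the shared abuse database the earlier message sketches, one row per destination rather than one per dialed string.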


------------------------------

_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org


End of Voipsec Digest, Vol 70, Issue 1
**************************************