SIP dictionary attacks

["Paul D. Robertson" <paul () compuwar net>]

Well, besides losing my voice which has given me a little time to catch up 
on things, one of my problems last week was a successful dictionary attack 
against a SIP extension with an eight digit password.  

Obviously, I've changed the passwords and lengths, but I did want to make 
sure folks knew that there were active attacks out there, and they're 
obviously scanning for systems randomly, since the system in question was 
only recently moved to a new IP address space.  The initial scans came 
from a box in China (surprise!)

Anyway, all I've found for blocking outside of static IP address ranges is 
a bunch of check the logs and react stuff for Linux.  I'm starting to 
think IPS might actually have a use- time to Google for snort inline sutff 
I suppose.

Attackers made about calls out to people telling them they owed money.  
Calls were initiated from Europe, Asia and the US.  Likely from 
compromised hosts.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
           Moderator: Firewall-Wizards mailing list
           Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards