SIP - perhaps botnet? anyone else seeing this?

Leland E. Vandervort leland at taranta.discpro.org
Wed Apr 15 16:38:45 UTC 2009



Managed to get to the bottom of it, and it was indeed a SIP User-Agent
brute-force attempt.  Interestingly, though, your mail mentions Verizon
specifically... the majority of the remote addresses during this
brute-force attempt were also behind Verizon... coincidence?

Hmm..

Regards,

Leland



On Wed, 15 Apr 2009, Dane wrote:

> The timing of your email as well as a couple of seemingly unrelated
> things that I have heard about make me think this might be related to
> some large toll fraud scheme.
>
> Today I heard from someone who says Verizon is telling them they see
> about 700 calls per hour to Cuba originating from their PRI.
>
> Obviously some type of toll fraud.  Got me thinking about this person's
> phone system and how there has always been the issue of toll fraud
> where someone calls in and knows how to get an outbound call routed
> through a poorly setup PBX.
>
> However the rate of 700 calls per hour and one PRI just don't make
> sense or add up in a situation like the old toll fraud method
> mentioned earlier since I believe that's more of a manual attack.
>
> That's when I recalled this post of yours.  Made me wonder if there
> was some way to exploit SIP to associate with a VoIP PBX or gateway or
> something that was tied to PRIs and thus route your calls over
> someone's phone system.
>
> Sure enough found some discussions and posts regarding toll fraud to
> Cuba (and others) in relation to SIP.
>
> For instance, Cisco's CallManager Express device, which is a router as
> well as a VoIP PBX, is often tied to PSTN or PRIs and by default has the
> H323 TCP/1720 and SIP UDP/5060 ports open.
>
> It may seem obvious to others but new to me that these scans are
> related to someone or some group looking to find devices with these
> ports open in an effort to attach to them through SIP and hopefully
> exploit if attached to PRIs or PSTN for toll fraud.
>
> I really do learn something new every day, some smart deviant people out there.
>
>
> On Fri, Apr 10, 2009 at 3:45 AM, Leland E. Vandervort
> <leland at taranta.discpro.org> wrote:
> >
> > Hi All,
> >
> > Over the past couple of days we have been seeing an exponential increase
> > (about 200-fold)
> > in the amount of UDP SIP Control traffic in our netflow data.  The past 24
> > hours, for example, has shown a total of nearly 300 GB of this traffic
> > incoming and over 400 GB outgoing -- this despite the fact that we do not
> > host any SIP services ourselves, and currently to my knowledge, we have no
> > hosting customers running any kind of SIP services.  (Total RTP traffic
> > for 24 hours is only in the region of 150 Kb -- so a vast imbalance
> > between control and RTP)
> >
> > The local sources/destinations of the traffic are within our hosting
> > space, but are spread across a wide range of hosts (i.e. nothing really
> > related to a single or handful of hosts).
> >
> > Additionally over the past couple of days we have seen an increase of
> > mails to our abuse desk for "brute force" attempts against a number of SIP
> > services... possibly directly related to this traffic.
> >
> > Is anyone aware of a new variant or modus-operandi of botnets in
> > circulation in the past couple of days which attempt to exploit SIP
> > services?  Has anyone else noticed a significant increase in this kind of
> > traffic?
> >
> > Thanks
> >
> > Leland
> >
> >
> >
> >
>
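The signal Leland describes (SIP signalling volume dwarfing RTP media, spread across many local hosts, with many remote sources probing UDP/5060 and TCP/1720) can be checked directly against flow data. The script below is an added example, not code from the thread or from any NANOG poster; the flow records, the 192.0.2.0/24 local range, the RTP port range and the alert thresholds are all constructed assumptions.

```python
from collections import namedtuple

# Constructed NetFlow-style record (not real data): src, dst, proto, dport, bytes
Flow = namedtuple("Flow", "src dst proto dport bytes")

SIP_UDP_PORT = 5060          # SIP signalling port named in the thread
H323_TCP_PORT = 1720         # H.323 call-setup port named in the thread
RTP_PORTS = range(10000, 20000)  # assumed RTP media port range for this example

def classify(flow):
    """Label a flow as SIP signalling, H.323 signalling, RTP media or other."""
    if flow.proto == "udp" and flow.dport == SIP_UDP_PORT:
        return "sip"
    if flow.proto == "tcp" and flow.dport == H323_TCP_PORT:
        return "h323"
    if flow.proto == "udp" and flow.dport in RTP_PORTS:
        return "rtp"
    return "other"

def sip_imbalance_report(flows, local_prefix, ratio_threshold=100, host_threshold=10):
    """Summarise signalling versus media bytes for flows touching local_prefix.
    Alerts when signalling bytes exceed RTP bytes by ratio_threshold AND the
    signalling touches at least host_threshold distinct local hosts, which is
    the pattern of a scan rather than a real SIP deployment."""
    sip_bytes = rtp_bytes = 0
    local_sip_hosts, remote_sources = set(), set()
    for f in flows:
        src_local, dst_local = f.src.startswith(local_prefix), f.dst.startswith(local_prefix)
        if not (src_local or dst_local):
            continue                       # transit flow, not ours
        kind = classify(f)
        if kind == "sip":
            sip_bytes += f.bytes
            local_sip_hosts.add(f.src if src_local else f.dst)
            if dst_local:                  # inbound signalling: note who is probing
                remote_sources.add(f.src)
        elif kind == "h323" and dst_local:
            remote_sources.add(f.src)      # H.323 probes count as scanners too
        elif kind == "rtp":
            rtp_bytes += f.bytes
    ratio = sip_bytes / rtp_bytes if rtp_bytes else float("inf")
    return {"sip_bytes": sip_bytes, "rtp_bytes": rtp_bytes, "ratio": ratio,
            "local_sip_hosts": len(local_sip_hosts), "remote_sources": len(remote_sources),
            "alert": ratio >= ratio_threshold and len(local_sip_hosts) >= host_threshold}

# Constructed sample: 12 local hosts probed on UDP/5060 by three remotes, the
# hosts answering, one small RTP stream, and unrelated HTTPS traffic.
SAMPLE_FLOWS = (
    [Flow(f"198.51.100.{r}", f"192.0.2.{h}", "udp", 5060, 4000) for h in range(1, 13) for r in (7, 8, 9)]
    + [Flow(f"192.0.2.{h}", "198.51.100.7", "udp", 5060, 6000) for h in range(1, 13)]
    + [Flow("198.51.100.20", "192.0.2.5", "udp", 12000, 1500)]
    + [Flow("203.0.113.4", "192.0.2.9", "tcp", 443, 50000)]
)

if __name__ == "__main__":
    print(sip_imbalance_report(SAMPLE_FLOWS, "192.0.2."))
```

Running this over a real export means mapping your collector's fields onto the Flow tuple and picking the RTP range your own gateways actually use; the ratio on its own is noisy, so the distinct-host count is what separates a scan from a busy legitimate SIP host.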