On 21/10/10 16:41, Steve Howes wrote:
> Hi,
>
> Given the recent increase in SIP brute force attacks, I've had a little idea.
>
> The standard scripts that block after X attempts work well to prevent you
> actually being compromised, but once you've been 'found' then the attempts
> seem to keep coming for quite some time. Older versions of sipvicious don't
> appear to stop once you start sending un-reachables (or straight drops). Now
> this isn't a problem for Asterisk, but it does add up in (noticeable)
> bandwidth costs - and for people running on lower bandwidth connections. The
> tool to crash sipvicious can help this, but very few attackers seem to obey
> it..
>
> The only way I can see to alleviate this, is to blacklist hosts *before* they
> attack. This means you won't ever be targeted past an initial scan.
>
> Is there any interest in a 'shared' blacklist (similar to spam blacklists,
> but obviously implemented in a way that is more usable with
> Asterisk/iptables)? Clearly it raises issues about false positives etc, but
> requiring reports from more than X hosts should alleviate this. There's all
> the usual de-listing / false-listing worries as with any blacklist, but the
> SMTP world has solutions we could learn from.
>
> Leaving a 'honeypot' running on a single IP address has revealed a few
> hundred addresses in less than a month. I am fairly certain these are all
> 'bad' as this host isn't used for anything else. There is obviously a wealth
> of data (and attacks) out there that would be good to share.

Not sure it's quite the same but have you seen:

http://www.infiltrated.net/voipabuse/

-- 
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
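
The "reports from more than X hosts" rule proposed in the quoted message, sketched as an added example that is not part of the original thread or of any existing blacklist service. The report tuple format, the threshold of 3, the 14-day expiry, the allowlist and the set name `sip_blacklist` are all assumptions, and the sample data is constructed from documentation address ranges.

```python
import ipaddress
from collections import defaultdict

def build_blacklist(reports, now, allowlist=(), min_reporters=3, max_age=14 * 86400):
    """Return IPv4 addresses reported by >= min_reporters distinct reporters.

    reports: iterable of (reporter_id, offender_ip, unix_ts) tuples (assumed format).
    """
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    reporters = defaultdict(set)
    for reporter, offender, ts in reports:
        if ts > now or now - ts > max_age:
            continue                      # future-dated or expired: entries de-list by ageing out
        try:
            ip = ipaddress.ip_address(offender)
        except ValueError:
            continue                      # malformed submission
        if ip.version != 4 or any(ip in net for net in allowed):
            continue                      # never list trunks, customers or own ranges
        reporters[ip].add(reporter)       # a set, so one noisy reporter counts once
    return sorted(ip for ip, who in reporters.items() if len(who) >= min_reporters)

def ipset_restore(ips, set_name="sip_blacklist"):
    """Render input for `ipset -exist restore`; match the set from iptables with
    `-m set --match-set sip_blacklist src -j DROP` on the SIP port."""
    lines = [f"create {set_name} hash:ip family inet", f"flush {set_name}"]
    lines += [f"add {set_name} {ip}" for ip in ips]
    return "\n".join(lines) + "\n"

# Constructed sample data: three honeypots ("hp-a".."hp-c") submitting reports.
NOW = 1_700_000_000
DAY = 86400
ALLOW = ["198.51.100.0/24"]               # hypothetical upstream SIP provider
SAMPLE = (
    [(hp, "203.0.113.7", NOW - 3600) for hp in ("hp-a", "hp-b", "hp-c")]       # 3 reporters
    + [("hp-a", "203.0.113.9", NOW - s) for s in (60, 50, 40)]                 # 1 reporter, 3 reports
    + [(hp, "198.51.100.20", NOW - 600) for hp in ("hp-a", "hp-b", "hp-c")]    # allowlisted
    + [(hp, "203.0.113.50", NOW - 30 * DAY) for hp in ("hp-a", "hp-b", "hp-c")]  # stale
    + [("hp-b", "not-an-ip", NOW - 10)]                                        # garbage input
)

if __name__ == "__main__":
    print(ipset_restore(build_blacklist(SAMPLE, NOW, ALLOW)), end="")
```

Only 203.0.113.7 is listed: the single-reporter, allowlisted and expired addresses all stay off the list, which is the false-positive control the proposal relies on.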
