On Sun, Oct 31, 2010 at 03:23:52AM +0200, Tzafrir Cohen wrote:
> On Sat, Oct 30, 2010 at 01:43:49PM -0600, Joel Maslak wrote:
> > Is there really any benefit to blocking these, if you use good passwords?
>
> Regardless of any threat from those attacks succeeding, they completely
> saturated the uplink in our ADSL-connected office.
>
> What are they after, anyway? Merely cheap international calls?

I'm guessing free PSTN access.

They don't want to DoS you. The scans are an attempt to collect valid extensions for later password guessing attempts. Every one I've seen has used svwar (from SIPVicious), which by default will give up if it can't tell the difference between trying to register (or invite) an unknown peer and a known one. This is why "alwaysauthreject = yes" is so effective, even though it bends RFC3261 a bit. But keep using fail2ban, too.

"svwar.py --force" will cause it to scan regardless of response code.

--
Barry
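
An added example, not part of the original message: a small log check that flags source addresses failing registration against many distinct extensions, which is the enumeration pattern described above. The log line layout, the sample lines and the `find_enumerators` name are assumptions constructed for illustration; adjust the regex to your own Asterisk log format.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of chan_sip NOTICE messages
# (assumed layout, documentation-range addresses).
SAMPLE_LOG = """\
[2010-10-31 03:10:01] NOTICE[2101] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[2010-10-31 03:10:01] NOTICE[2101] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[2010-10-31 03:10:02] NOTICE[2101] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[2010-10-31 03:10:02] NOTICE[2101] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[2010-10-31 09:15:40] NOTICE[2101] chan_sip.c: Registration from '<sip:200@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[2010-10-31 09:15:52] NOTICE[2101] chan_sip.c: Registration from '<sip:200@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[2010-10-31 09:16:03] VERBOSE[2101] logger.c: unrelated line
"""

# Extension (user part of the From URI) and source address of a failed REGISTER.
FAILED_REG = re.compile(
    r"Registration from '(?:\"[^\"]*\"\s*)?<sip:(?P<ext>[^@>]+)@[^>]*>' "
    r"failed for '(?P<ip>[^']+)' - (?P<reason>.+)$"
)


def find_enumerators(log_text, min_extensions=3):
    """Return {source_ip: sorted extensions} for every source that failed
    registration against at least min_extensions distinct extensions.

    The check counts distinct extensions rather than matching the failure
    reason, so it does not depend on which reason string the server logs.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = FAILED_REG.search(line)
        if match:
            seen[match.group("ip")].add(match.group("ext"))
    return {
        ip: sorted(exts)
        for ip, exts in seen.items()
        if len(exts) >= min_extensions
    }


if __name__ == "__main__":
    for ip, exts in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(exts)} distinct extensions tried: {', '.join(exts)}")
```

A single user retrying one extension with a mistyped password stays below the threshold, while a sweep across extensions is reported regardless of the reason text in each line.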
