Building The Net

SIP brute force attacks escalate over Halloween weekend.

Looks like the bad guys were up to no good again this weekend. SIP based PBX operators reported a huge increase in bogus registration attempts against their systems over the Halloween weekend. Our hosted PBX farm experienced this increase first hand. Logs showed an attack from a new and unique IP address about every minute. At the end of the weekend, over 1300 unique IP addresses were logged.

Intense but different.

This attack was intense in the number of source addresses being used, but much less of an ‘in your face’ attack then we’ve seen previously. Previous attacks would use the same source address and hammer the servers with various generated registration and call requests. Up until this weekend, I could be reasonably sure that the IP address shown as the source address, was actually the system attacking me, and not a spoofed IP of an innocent node..

Attack characteristics.

Here is what we saw:

• All attempts appeared to be SIP registration attempts.
• Source IP address was only used once.
• SIP account was only used once.
• Attacks were spread out over 20 – 30 second intervals.

From all the logs I reviewed, it would look as if they (the bad guys) knew what they were looking for…

Possible goals of this attack.

Figuring out someone’s motivation in attacking you is kinda like going to a restaurant and trying to guess what seasoning the chef is using. Sometimes it’s obvious, but most of the time, you’re just guessing. Anyways, here are some possibilities…

• Since the attackers never tried an account / IP address combination more then once, they:
  1. Knew the account and password they were trying to attach with?
  2. Were only trying to discover if a SIP device was on the other end?
  3. Were attempting to flood a SIP device by spoofing it’s IP address, thus causing legitimate systems to spray UDP packets at it?
  4. Were using malformed packets that exploit a bug in a particular SIP device / software?
  5. Were trolling for open or mis-configured SIP devices?
  6. Were attempting to have systems that run security software block the source IPs of innocent spoofed hosts?
  7. Didn’t know what they were doing, and fired off a useless attack?

If I had to bet, I would say 3, 4 or 5. The fact that there was only one attempt, and that they didn’t bother to try a second time, leads me in that direction. I also think that it may have been lots of different attackers, and not a single bot net. But, I also thought there was cilantro in the clam chowder at the local restaurant… Boy was I wrong about that!

Gone With The Wind…

Just as it started from nowhere at around 10AM PDT on Saturday, so did it end a bit before 8AM Monday… Is it gone for good? who knows, but one thing is for sure… Good passwords and an eye out for software exploits is the order of the day…

If you were hit by this attack, and have an opinion, or additional insight you would like to share, please feel free to comment!

— Stu