You're right, I already had such cases in the past, mostly Sierra Leone or Romania calls, but the abuser was originating from Russia in most cases, seldom from Korea. The scanner was always one machine doing brute force, but a few weeks ago this changed: now there are only a few requests from several hosts, which do not trigger the detection logic for such attacks. Nothing harmful at the moment, but if it is a bot network doing this with thousands of drones, how to detect and protect? When the password of an account is cracked, why could the same botnet not be used to make calls? That would be a horror scenario, of course. I fear we are going to have to expect that very soon.
Roger
On 23 Jul 2011 at 21:38, Andreas Fink wrote:
Those are scans to find open SIP gateways to then abuse them to dial expensive destinations like Cuba. Those are large-scale fraud attempts.
On Jul 23, 2011, at 8:20 PM, roger@mgz.ch wrote:
Hi all, more and more I am getting SIP scans from dynamic IPs from most Swiss DSL and cable providers. The strange thing is they try at least twice and then stop; a few seconds later, in most cases, 2 requests come from another connection. Is that some kind of trojan which has gone wild? Does anyone have an idea?
Roger
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Hello Roger,
This is not coming up soon, it is already happening. I was once a victim of such a fraud, where they managed to get into my SIP provider in the end; I still have no clue whether they broke into trixbox at that time or brute-forced it.
Anyway, I ended up only allowing VoIP over VPN. Since then, silence. I guess that is the only usable countermeasure.
I have the strong feeling, some of the "internet cafes" in foreign countries that offer "cheap internet calls" to call back home when on holiday are part of this whole fraudster scene.
Silvan
On 24.07.2011 14:34, roger@mgz.ch wrote:
You're right, I already had such cases in the past, mostly Sierra Leone or Romania calls, but the abuser was originating from Russia in most cases, seldom from Korea. The scanner was always one machine doing brute force, but a few weeks ago this changed: now there are only a few requests from several hosts, which do not trigger the detection logic for such attacks. Nothing harmful at the moment, but if it is a bot network doing this with thousands of drones, how to detect and protect? When the password of an account is cracked, why could the same botnet not be used to make calls? That would be a horror scenario, of course. I fear we are going to have to expect that very soon.
Roger
On 23 Jul 2011 at 21:38, Andreas Fink wrote:
Those are scans to find open SIP gateways to then abuse them to dial expensive destinations like Cuba. Those are large-scale fraud attempts.
On Jul 23, 2011, at 8:20 PM, roger@mgz.ch wrote:
Hi all, more and more I am getting SIP scans from dynamic IPs from most Swiss DSL and cable providers. The strange thing is they try at least twice and then stop; a few seconds later, in most cases, 2 requests come from another connection. Is that some kind of trojan which has gone wild? Does anyone have an idea?
Roger
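Added example, not part of the original thread or any poster's code: one way to approach the detection question raised above, where each host sends only a couple of requests and stays under a per-source brute-force threshold. The sketch counts distinct source addresses failing against the same SIP account within a time window; the log format, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (hypothetical log format, documentation IP ranges):
# timestamp, source address, targeted SIP account, REGISTER result.
SAMPLE = """\
2011-07-24T14:00:01 198.51.100.7 101 FAIL
2011-07-24T14:00:02 198.51.100.7 101 FAIL
2011-07-24T14:00:09 203.0.113.20 101 FAIL
2011-07-24T14:00:10 203.0.113.20 101 FAIL
2011-07-24T14:00:15 192.0.2.44 202 FAIL
2011-07-24T14:00:18 198.51.100.91 101 FAIL
2011-07-24T14:00:19 198.51.100.91 101 FAIL
2011-07-24T14:00:21 192.0.2.44 202 OK
"""

def failures(text):
    """Yield (time, source, account) for each failed attempt."""
    for line in text.splitlines():
        ts, src, account, result = line.split()
        if result == "FAIL":
            yield datetime.fromisoformat(ts), src, account

def per_source(text, limit=5, window=timedelta(minutes=5)):
    """Classic brute-force rule: many failures from one address."""
    seen, hits = defaultdict(deque), set()
    for ts, src, _ in failures(text):
        q = seen[src]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= limit:
            hits.add(src)
    return hits

def per_account(text, min_sources=3, window=timedelta(minutes=5)):
    """Distributed rule: one account failing from many distinct addresses."""
    seen, hits = defaultdict(deque), set()
    for ts, src, account in failures(text):
        q = seen[account]
        q.append((ts, src))
        while ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        if len({s for _, s in q}) >= min_sources:
            hits.add(account)
    return hits

if __name__ == "__main__":
    print("per-source alerts: ", per_source(SAMPLE))
    print("per-account alerts:", per_account(SAMPLE))
```

On the constructed sample the per-source rule stays silent while the per-account rule flags account 101; the single mistyped login on account 202 triggers neither.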