[Spce-user] Under attack :-(
Matthew Ogden
matthew at tenacit.net
Fri Feb 15 03:49:45 EST 2013
Hi,
Read this thread:
http://lists.sipwise.com/pipermail/spce-user/2012-May/001357.html
You need to send a 200 OK, and then they usually stop. Then ban them.
Regards
*From:* spce-user-bounces at lists.sipwise.com [mailto:spce-user-bounces at lists.sipwise.com] *On Behalf Of* Theo
*Sent:* 15 February 2013 10:45 AM
*To:* spce-user at lists.sipwise.com
*Subject:* [Spce-user] Under attack :-(
Hi
ngrep-sip gives me:
#
U 2013/02/15 10:39:23.432811 173.242.123.148:5266 -> 196.41.123.113:5060
REGISTER sip:196.41.123.113 SIP/2.0'
Via: SIP/2.0/UDP 173.242.123.148:5266;branch=z9hG4bK-2478367181;rport'
Content-Length: 0'
From: "12unknown" <sip:12unknown at 196.41.123.113>'
Accept: application/sdp'
User-Agent: friendly-scanner'
To: "12unknown" <sip:12unknown at 196.41.123.113>'
Contact: sip:123 at 1.1.1.1'
CSeq: 1 REGISTER'
Call-ID: 4123206054'
Max-Forwards: 70'
'
with a script changing the Call-ID at a massive rate. So someone is trying
to register or doing something sinister. This box is not behind a firewall
at this point, just a test box. The IP you see there, 173.242.123.148, has
indeed been added to the banned IPs, which I guess means nothing is actually
reaching the proxy? Do we just leave it like this until they give up or is
there some other action I should take?
There is no monetary risk at this point for us - this is really just for
testing and all details such as IPs are going to change if and when we
would start using it.
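A detection sketch for the pattern in the capture above, added here as an example and not part of the original thread: it reads ngrep-style output and reports sources that announce the `friendly-scanner` User-Agent or send REGISTER requests with changing Call-IDs. The function name `suspects`, the `min_call_ids` threshold and the sample capture are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed capture in the ngrep layout quoted above. Addresses come from
# documentation ranges; the trailing ' mirrors the quoted output.
SAMPLE = """\
U 2013/02/15 10:39:23.432811 198.51.100.7:5266 -> 192.0.2.10:5060
REGISTER sip:192.0.2.10 SIP/2.0'
User-Agent: friendly-scanner'
Call-ID: 4123206054'
#
U 2013/02/15 10:39:23.450102 198.51.100.7:5266 -> 192.0.2.10:5060
REGISTER sip:192.0.2.10 SIP/2.0'
User-Agent: friendly-scanner'
Call-ID: 4123206055'
U 2013/02/15 10:39:24.000100 203.0.113.20:5060 -> 192.0.2.10:5060
REGISTER sip:192.0.2.10 SIP/2.0'
User-Agent: ExamplePhone 1.0'
Call-ID: a1b2c3'
"""
PACKET = re.compile(r"^[UT] \S+ \S+ (\d{1,3}(?:\.\d{1,3}){3}):\d+ -> ")
SCANNER_AGENTS = {"friendly-scanner"}  # the User-Agent in the capture above

def suspects(capture, min_call_ids=2):
    """Map source IP -> list of reasons it looks like a REGISTER scanner."""
    # min_call_ids is an assumed threshold; a phone normally reuses one Call-ID.
    call_ids, agents = defaultdict(set), defaultdict(set)
    src = method = None
    for raw in capture.splitlines():
        line = raw.strip().rstrip("'")
        m = PACKET.match(line)
        if m:
            src, method = m.group(1), None
        elif src and not method:
            method = line.split(" ", 1)[0]  # request line of the SIP message
        elif method == "REGISTER":
            name, _, value = line.partition(":")
            if name.strip().lower() == "call-id":
                call_ids[src].add(value.strip())
            elif name.strip().lower() == "user-agent":
                agents[src].add(value.strip().lower())
    report = defaultdict(list)
    for ip in agents:
        if agents[ip] & SCANNER_AGENTS:
            report[ip].append("scanner User-Agent")
    for ip in call_ids:
        if len(call_ids[ip]) >= min_call_ids:
            report[ip].append("changing Call-ID on REGISTER")
    return dict(report)
```

The returned addresses are candidates for the ban list mentioned in the thread; the User-Agent match alone is easy for a sender to change, so the Call-ID check is the more durable signal.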