posted to this is not a weblog on thursday, september 11th, 2008 at 12:55
tagged asterisk, voip, and commented on 3 times

it appears that asterisk/sip servers are now a target of random (?) internet brute force scans just like ssh and smtp with authentication enabled.

jcs@...:~> zgrep "Registration from .* failed for '217.117.222.206'" /var/log/messages.*.gz | wc -l
   13520 

i'm curious what they would have done had they found an account with an easily guessable password, though. make free long distance calls to their friends? it'd be like finding an ssh account and then using it to telnet back to your home machine, no? i'm half-tempted to create one of these simple accounts and then make asterisk record all of the calls made by it and then post the audio up on the internet.

while none of the accounts on this asterisk server have anywhere-near-guessable passwords, it's a bit worrisome that asterisk sends a different reply for valid accounts with an invalid password versus invalid accounts, just like smtp servers that respond differently to an RCPT TO for a valid email address.

the first scan checked simple account numbers 100 through 9999 with a few common account names thrown in:

Sep 10 01:07:01 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"1131881856"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:02 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"100"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:03 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"101"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:06 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"102"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:06 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"103"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:09 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"2533072569"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:09 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"104"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:09 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"test"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:10 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"test123"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:12 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"105"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:14 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"test12"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:14 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"guest"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:15 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"admin"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:16 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"106"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:16 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"107"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:17 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"administrator"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:17 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"108"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:17 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"account"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:18 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"mark"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:18 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"michael"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:18 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"alex"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:18 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"test1"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:19 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"109"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:19 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"110"' failed for '217.117.222.206' - ACL error (permit/deny)
[...]
Sep 10 03:50:31 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"9997"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 03:50:33 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"9998"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 03:50:34 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"9999"' failed for '217.117.222.206' - ACL error (permit/deny)

then once all of the valid accounts in the 100-9999 range were found, each one was tested a few hundred times with different passwords.

Sep 10 03:52:56 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"..." ' failed for '217.117.222.206' - Wrong password
[...]
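
a sketch of how the two phases seen in these logs (a sweep over many account names, then repeated wrong passwords against a few accounts) can be told apart per source address. this is an added example, not part of the original post; the thresholds, the `pbx` hostname and the sample lines are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the chan_sip NOTICE lines quoted in the post.
LINE_RE = re.compile(
    r"Registration from '(?P<frm>.*?)' failed for '(?P<ip>[^']+)' - (?P<reason>.+)$")

def summarize(lines):
    """Per source IP: usernames tried, failures per reason, wrong passwords per user."""
    stats = defaultdict(lambda: {"users": set(), "reasons": Counter(), "wrong_pw": Counter()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a failed-registration line
        user = m["frm"].strip().strip('"')
        s = stats[m["ip"]]
        s["users"].add(user)
        s["reasons"][m["reason"].strip()] += 1
        if m["reason"].startswith("Wrong password"):
            s["wrong_pw"][user] += 1
    return stats

def classify(s, sweep_min=5, guess_min=3):
    """Thresholds are assumptions; tune them to the traffic of the server."""
    labels = []
    if len(s["users"]) >= sweep_min:
        labels.append("enumeration")        # many distinct names from one source
    if any(n >= guess_min for n in s["wrong_pw"].values()):
        labels.append("password-guessing")  # repeated failures on one account
    return labels

def report(lines):
    return {ip: classify(s) for ip, s in summarize(lines).items()}

# Constructed sample input (documentation addresses, made-up extensions).
PREFIX = ("Sep 10 01:07:01 pbx asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 "
          "in handle_request_register: ")
SAMPLE = [PREFIX + f"Registration from '\"{u}\"' failed for '192.0.2.10' - ACL error (permit/deny)"
          for u in ("100", "101", "102", "test", "guest", "admin")]
SAMPLE += [PREFIX + "Registration from '\"1234\"' failed for '192.0.2.10' - Wrong password"] * 4
SAMPLE += [PREFIX + "Registration from '\"200\"' failed for '198.51.100.7' - Wrong password"]

if __name__ == "__main__":
    for ip, labels in report(SAMPLE).items():
        print(ip, labels or ["below thresholds"])
```

on the server side, chan_sip's `alwaysauthreject=yes` setting in sip.conf makes rejected REGISTER and INVITE requests get the same response whether or not the account exists, which removes the signal the first phase relies on.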

update: this kind of sip flooding recently escalated into a full-on DoS.

three comments
Alex Holst (not authenticated) on september 12th, 2008 at 03:20:14:

If I were inclined to scan for SIP accounts, I'd probably want to use/re-sell them for automated voice spam (or whatever it's called these days).

Try setting up a sacrificial account and see what happens.

Andrew Sylthe (authentic) on september 12th, 2008 at 18:21:44:

I have noticed the same thing over the past couple months on some of my Asterisk servers as well. The internet is such a happy place...

Sascha Welter (authentic) on march 4th, 2009 at 10:09:14:

They re-sell your long-distance minutes. It's pure business.