
don't anthropomorphize computers - they don't like it

posted to writings on sep 11th, 2008 with tags asterisk and voip

it appears that asterisk/sip servers are now a target of random (?) internet brute force scans just like ssh and smtp with authentication enabled.

jcs@...:~> zgrep "Registration from .* failed for '217.117.222.206'" /var/log/messages.*.gz | wc -l
   13520 

i'm curious what they would have done had they found an account with an easily guessable password, though. make free long distance calls to their friends? it'd be like finding an ssh account and then using it to telnet back to your home machine, no? i'm half-tempted to create one of these simple accounts and then make asterisk record all of the calls made by it and then post the audio up on the internet.

while none of the accounts on this asterisk server have anywhere near-guessable passwords, it's a bit worrisome that asterisk sends a different reply for valid accounts with an invalid password versus invalid accounts, just like smtp servers that respond differently to an RCPT TO for a valid email address.

the first scan checked simple account numbers 100 through 9999 with a few common account names thrown in:

Sep 10 01:07:01 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"1131881856"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:02 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"100"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:03 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"101"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:06 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"102"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:06 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"103"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:09 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"2533072569"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:09 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"104"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:09 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"test"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:10 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"test123"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:12 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"105"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:14 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"test12"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:14 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"guest"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:15 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"admin"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:16 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"106"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:16 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"107"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:17 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"administrator"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:17 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"108"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:17 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"account"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:18 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"mark"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:18 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"michael"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:18 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"alex"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:18 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"test1"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:19 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"109"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 01:07:19 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"110"' failed for '217.117.222.206' - ACL error (permit/deny)
[...]
Sep 10 03:50:31 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"9997"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 03:50:33 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"9998"' failed for '217.117.222.206' - ACL error (permit/deny)
Sep 10 03:50:34 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"9999"' failed for '217.117.222.206' - ACL error (permit/deny)

then once all of the valid accounts in the 100-9999 range were found, each one was tested a few hundred times with different passwords.

Sep 10 03:52:56 ... asterisk[26222]: NOTICE[26222]: chan_sip.c:11291 in handle_request_register: Registration from '"..." ' failed for '217.117.222.206' - Wrong password
[...]
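
a small detector for the two phases shown in the logs above (many different usernames from one source, then repeated "Wrong password" failures against accounts it has confirmed). this is an added example, not part of the original post; the function name, the thresholds and the sample lines are assumptions, and the sample uses documentation addresses.

```python
import re
from collections import defaultdict

# Matches the chan_sip NOTICE format shown in the log excerpts above.
LINE_RE = re.compile(
    r"Registration from '(?P<frm>.*?)' failed for '(?P<ip>[^']+)' - (?P<reason>.+)$")

def summarize(lines, min_users=5, min_guesses=3):
    """Group failed REGISTERs by source address and label each source.

    min_users and min_guesses are illustrative thresholds, not Asterisk settings.
    """
    users = defaultdict(set)                        # ip -> usernames tried
    wrong = defaultdict(lambda: defaultdict(int))   # ip -> user -> "Wrong password" count
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        # The From field is a quoted display name, optionally followed by <sip:...>.
        user = m["frm"].split("<")[0].strip().strip('"')
        users[m["ip"]].add(user)
        if m["reason"].strip() == "Wrong password":
            wrong[m["ip"]][user] += 1
    report = {}
    for ip, tried in users.items():
        labels = []
        if len(tried) >= min_users:
            labels.append("account-enumeration")
        # "Wrong password" is only logged for accounts that exist, so repeated
        # hits on one user mean the source has already confirmed that account.
        targeted = sorted(u for u, n in wrong[ip].items() if n >= min_guesses)
        if targeted:
            labels.append("password-guessing")
        report[ip] = {"labels": labels, "distinct_users": len(tried), "targeted": targeted}
    return report

# Constructed sample lines in the same format (not taken from the real logs).
PFX = "Sep 10 01:07:01 host asterisk[1]: NOTICE[1]: chan_sip.c:11291 in handle_request_register: "
SAMPLE = [PFX + f"Registration from '\"{u}\"' failed for '203.0.113.5' - ACL error (permit/deny)"
          for u in ("100", "101", "102", "test", "admin", "guest")]
SAMPLE += [PFX + "Registration from '\"1234\" ' failed for '203.0.113.5' - Wrong password"] * 4
SAMPLE += [PFX + "Registration from '\"2001\"' failed for '198.51.100.9' - Wrong password"]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, info)
```

for the differing replies themselves, chan_sip has an `alwaysauthreject=yes` option in the `[general]` section of sip.conf that makes it reject registrations for unknown accounts the same way it rejects a bad password.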

update: this kind of sip flooding recently escalated into a full-on DoS.
