At about 9am yesterday morning, I noticed on the monitor that the CPU utilization of one of my servers was abnormally high, in addition to a sustained 1mbit/sec of inbound traffic and 2mbits/sec of outbound traffic. syslog messages from Asterisk showed it to be a SIP brute force attack, so I dropped the offending IP (an Amazon EC2 instance IP) into
/etc/idiots to block it and went back to my work.
A while later, I noticed the traffic still hadn't died down, so I reported the incident to Amazon and my server's network provider. No luck on either front; Amazon just sent back a form reply stating the incident was forwarded to the EC2 instance's owner (yeah, seriously) and the network provider said they wouldn't bother adding an ACL to their border equipment unless it was needed to protect their entire network. With the IP blocked on my server, the CPU utilization had died down and it was no longer sending out reply traffic, but I was worried about the inbound garbage traffic counting towards the server's monthly bandwidth cap.
it appears that asterisk/sip servers are now a target of random (?) internet brute force scans just like ssh and smtp with authentication enabled.
i'm curious what they would have done had they found an account with an easily guessable password, though. make free long distance calls to their friends? it'd be like finding an ssh account and then using it to telnet back to your home machine, no? i'm half-tempted to create one of these simple accounts and then make asterisk record all of the calls made by it and then post the audio up on the internet.