I think I have asked this before, but I see in the log a lot of incoming UDP port 5060 traffic to all the hosts (even those that are not currently active but are defined in the AMPR DNS and therefore have routing to my gateway) from all over the world.
What is it? Who has an interest in looking for SIP on my system?
Is there a way to cut and paste part of the log of a Mikrotik router? I cannot do it when I enter it from the web interface, so I could not copy the relevant log part.
Thanks Forward
Ronen - 4Z4ZQ
Ronen Pinchooks (4Z4ZQ) WebSite: http://www.ronen.org/
These are probably unmanned bots. The SIP implementations on a number of devices are known to have Denial of Service vulnerabilities that can crash the system, so the bad guys' bots like to look for that port.
- Brian
On Sat, Apr 22, 2017 at 04:34:56PM +0000, R P wrote:
> I think I have asked this before, but I see in the log a lot of incoming UDP port 5060 traffic to all the hosts (even those that are not currently active but are defined in the AMPR DNS and therefore have routing to my gateway) from all over the world.
> What is it? Who has an interest in looking for SIP on my system?
> Is there a way to cut and paste part of the log of a Mikrotik router? I cannot do it when I enter it from the web interface, so I could not copy the relevant log part.
> Thanks Forward
> Ronen - 4Z4ZQ
It's not only DDoS that they are interested in. A misconfigured SIP PBX can also be misused as their personal PBX and breakout. You would not be the first whose call credit would shoot through the roof once they find a flaw in the configuration.
Ruben - ON3RVH
On 22 Apr 2017, at 18:40, Brian Kantor <Brian@UCSD.Edu> wrote:
> These are probably unmanned bots. The SIP implementations on a number of devices are known to have Denial of Service vulnerabilities that can crash the system, so the bad guys' bots like to look for that port.
> - Brian
On Apr 22, 2017, at 09:55, Ruben ON3RVH <on3rvh@on3rvh.be> wrote:
> It's not only DDoS that they are interested in. A misconfigured SIP PBX can also be misused as their personal PBX and breakout. You would not be the first whose call credit would shoot through the roof once they find a flaw in the configuration.
Oh yes. I run many internet-facing SIP servers. Bots will try many different dialing patterns hoping to find something. They're also trying to brute-force/guess SIP account credentials.
I've gotten as high as 10,000 attempts per second in an attempt to break through before my IDS catches on and firewalls them off.
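
One way to pick out the sources sweeping UDP 5060 across many hosts, as an added example that is not part of the original thread. The log line layout, the addresses (documentation ranges), the thresholds and the names `parse` and `find_scanners` are all assumptions made for illustration; timestamps are assumed to be time-only within a single day.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed firewall-log layout:
# "<time> <topics> <chain>: ..., proto UDP, <src>:<sport>-><dst>:<dport>, len <n>"
SAMPLE_LOG = """\
12:00:00 firewall,info forward: in:ether1 out:ether2, proto UDP, 192.0.2.99:5060->198.51.100.10:5060, len 420
12:00:01 firewall,info forward: in:ether1 out:ether2, proto UDP, 203.0.113.7:5071->198.51.100.10:5060, len 420
12:00:02 firewall,info forward: in:ether1 out:ether2, proto UDP, 203.0.113.7:5071->198.51.100.11:5060, len 420
12:00:03 firewall,info forward: in:ether1 out:ether2, proto UDP, 203.0.113.7:5071->198.51.100.12:5060, len 420
12:00:04 firewall,info forward: in:ether1 out:ether2, proto UDP, 203.0.113.7:5071->198.51.100.13:5060, len 420
12:00:05 firewall,info forward: in:ether1 out:ether2, proto UDP, 203.0.113.7:40000->198.51.100.10:53, len 60
12:02:00 firewall,info forward: in:ether1 out:ether2, proto UDP, 192.0.2.99:5060->198.51.100.11:5060, len 420
12:04:00 firewall,info forward: in:ether1 out:ether2, proto UDP, 192.0.2.99:5060->198.51.100.12:5060, len 420
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) .*proto UDP, "
    r"(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+),"
)

def parse(log_text, port=5060):
    """Yield (time, src, dst) for each logged UDP packet aimed at `port`."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m["dport"]) == port:
            yield datetime.strptime(m["ts"], "%H:%M:%S"), m["src"], m["dst"]

def find_scanners(events, window=timedelta(seconds=60), min_hosts=3):
    """Return {src: most distinct hosts seen in one window} for sources that
    probed at least `min_hosts` different destinations inside a sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst in events:
        by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()                      # time order, whatever the log order was
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1               # drop hits that fell out of the window
            hosts = {dst for _, dst in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[src] = max(flagged.get(src, 0), len(hosts))
    return flagged

if __name__ == "__main__":
    for src, n in sorted(find_scanners(parse(SAMPLE_LOG)).items()):
        print(f"{src} probed {n} hosts on UDP 5060; candidate for a block list")
```

A slow sweep such as the constructed 192.0.2.99 stays under a 60-second window, so the window length decides how patient a scanner has to be to go unnoticed.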