1 Nov
2010
1 Nov
'10
10:29 a.m.
As a service provider who offer (amongst other things) VoIP accounts,
I've seen this a lot, recently.
a few things I would advise:
1. If using Asterisk, don't allow incoming connections from the whole
internet on port 5060. If you need something to handle SIP
registrations from unpredictable public addresses, consider OpenSIPS,
if not, just restrict access to port 5060 / asterisk via iptables to
lists of known network ranges and addresses.
2. Configure OpenSIPS to send no response to the SIP probes from
sipvicious (UA string 'friendly-scanner')
If the scanner gets no response back it will stop and move on. If it
detects the box at the other end is Asterisk, then expect brute force
attacks to follow (the last one we had was ~2Mbps of repeated Register
attempts..before the measures above were taken)