Sjur Usken

Views on new technologies and business opportunities from Sjur Usken

Extreme SIP scanning latest week


There have never been so many SIP scannings in so short time for all my VoIP honeypots.They have tried all types, INVITES, REGISTER, SUBSCRIBES and OPTIONS.  A short list of some of the attackes latest 48 hours. Normally just doing a couple hundred extensions and passwords, some of these IPs trying up to 10 000 different extensions/passwords.

IP addresses [User-agent] Provider

119.147.116.157    [Asterisk]
193.47.153.14         [SIPVicious]
86.47.46.147          [First SIPVicious, then SIPPER for PhonerLite]
174.143.245.120  [SIPVicious]
174.129.52.240    [SIPVicious]     Amazone EC2
24.190.38.4            [SIPVicious]

So keep your systems ready for the flood to come! This is just the start.

One response to “Extreme SIP scanning latest week

  1. Koos van den Hout May 26, 2010 at 5:36 pm

    And new floods coming in, up to the level of generating enough traffic from 193.55.30.2 to fill up my ADSL link, noted in http://idefix.net/~koos/newsitem.cgi/1274547088
    At least that IP stopped scanning me completely the next Monday, I hope someone cleaned a hacked PC.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: