
SIP Hacking

Discussion in '3CX Phone System - General' started by DSXDATA, Mar 9, 2018.

Thread Status:
Not open for further replies.
  1. DSXDATA

    DSXDATA New Member

    Joined:
    Oct 20, 2015
    Messages:
    185
    Likes Received:
    64
    3CX does an excellent job of blocking SIP attacks, but we began to notice that some of the attempts were nearing DDOS proportions and went looking a bit deeper. The short story is that we discovered that 80% of the hacking traffic was coming from the same BGP ASN: AS12876. Once we blocked all of the subnets for AS12876, the SIP hacking volume plummeted. Feel free to research and comment. But here are the quick and dirty IPTABLES commands to block AS12876:

    sudo iptables -I INPUT -s 51.15.0.0/16 -j DROP
    sudo iptables -I INPUT -s 62.4.0.0/19 -j DROP
    sudo iptables -I INPUT -s 62.210.0.0/16 -j DROP
    sudo iptables -I INPUT -s 151.115.0.0/16 -j DROP
    sudo iptables -I INPUT -s 163.172.0.0/16 -j DROP
    sudo iptables -I INPUT -s 163.172.208.0/20 -j DROP
    sudo iptables -I INPUT -s 195.154.0.0/16 -j DROP
    sudo iptables -I INPUT -s 212.47.224.0/19 -j DROP
    sudo iptables -I INPUT -s 12.83.128.0/19 -j DROP
    sudo iptables -I INPUT -s 212.83.160.0/19 -j DROP
    sudo iptables -I INPUT -s 212.129.0.0/18 -j DROP


    Best,

    Kirk
     
  2. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,575
    Likes Received:
    305
    I have a list of 7600 items in my IP Tables on my router that are being blocked, many /22 or larger.
    Although the ones listed above are not in there... I'll keep this in mind. Thanks for sharing.
     
    DSXDATA likes this.
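
Added example, not code from either poster or from 3CX: with a per-ASN prefix list like the first post's, or a table of thousands of entries like the second's, it helps to validate and collapse the CIDRs, measure how much of the rejected traffic they cover, and load them as one kernel set instead of one rule each. The prefixes are copied as posted; the set name `sip_block` and the sample source IPs are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Prefixes exactly as posted in the thread (the iptables -s arguments).
POSTED = """51.15.0.0/16 62.4.0.0/19 62.210.0.0/16 151.115.0.0/16
163.172.0.0/16 163.172.208.0/20 195.154.0.0/16 212.47.224.0/19
12.83.128.0/19 212.83.160.0/19 212.129.0.0/18""".split()

# Constructed sample: source IPs of rejected SIP attempts, not real log data.
SAMPLE_SOURCES = ["163.172.210.7", "163.172.210.7", "51.15.33.9",
                  "62.210.4.1", "195.154.200.3", "198.51.100.23",
                  "212.129.10.10", "203.0.113.5", "51.15.33.9", "62.4.16.2"]

def collapse(prefixes):
    """Validate each CIDR (host bits must be zero) and merge overlaps."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))

def coverage(sources, nets):
    """Return (share of attempts inside the list, per-prefix hit counts)."""
    hits = Counter()
    for src in sources:
        ip = ipaddress.ip_address(src)
        for net in nets:
            if ip in net:
                hits[str(net)] += 1
                break
    return sum(hits.values()) / len(sources), hits

def ipset_restore(nets, name="sip_block"):  # set name is hypothetical
    """Render input for `ipset restore`; one set replaces N iptables rules."""
    lines = [f"create {name} hash:net family inet"]
    lines += [f"add {name} {net}" for net in nets]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    nets = collapse(POSTED)
    share, hits = coverage(SAMPLE_SOURCES, nets)
    print(f"{len(POSTED)} posted prefixes -> {len(nets)} after collapsing")
    print(f"{share:.0%} of sample attempts fall inside the list", dict(hits))
    print(ipset_restore(nets), end="")
    # A single rule then references the set:
    #   iptables -I INPUT -m set --match-set sip_block src -j DROP
```

The generated text is fed to `ipset restore`, after which the one `iptables` rule in the final comment replaces the per-prefix DROP rules.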