SIP Hacking

Discussion in '3CX Phone System - General' started by DSXDATA, Mar 9, 2018.

Thread Status:
Not open for further replies.
  1. DSXDATA

    DSXDATA New Member

    Joined:
    Oct 20, 2015
    Messages:
    173
    Likes Received:
    60
    3CX does an excellent job of blocking SIP attacks, but we began to notice that some of the attempts were nearing DDoS proportions and went looking a bit deeper. The short story is that we discovered that 80% of the hacking traffic was coming from the same BGP ASN: AS12876. Once we blocked all of the subnets for AS12876, the SIP hacking volume plummeted. Feel free to research and comment. But here are the quick and dirty iptables commands to block AS12876:

    sudo iptables -I INPUT -s 51.15.0.0/16 -j DROP
    sudo iptables -I INPUT -s 62.4.0.0/19 -j DROP
    sudo iptables -I INPUT -s 62.210.0.0/16 -j DROP
    sudo iptables -I INPUT -s 151.115.0.0/16 -j DROP
    sudo iptables -I INPUT -s 163.172.0.0/16 -j DROP
    sudo iptables -I INPUT -s 163.172.208.0/20 -j DROP
    sudo iptables -I INPUT -s 195.154.0.0/16 -j DROP
    sudo iptables -I INPUT -s 212.47.224.0/19 -j DROP
    sudo iptables -I INPUT -s 12.83.128.0/19 -j DROP
    sudo iptables -I INPUT -s 212.83.160.0/19 -j DROP
    sudo iptables -I INPUT -s 212.129.0.0/18 -j DROP


    Best,

    Kirk
     
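As an added example (not part of Kirk's post), the script below takes a prefix list like the one above (here a small constructed subset), rejects malformed entries instead of silently "fixing" them, collapses prefixes already covered by another one (163.172.208.0/20 sits inside 163.172.0.0/16), and emits a single ipset-backed iptables rule rather than one rule per prefix. The set name as-block is an assumption; the script only prints the commands, it does not run them.

```python
"""Collapse an ASN's prefix list and emit an ipset-based iptables block rule.
Standard library only; nothing here touches the firewall itself."""
import ipaddress

# Constructed sample: a subset of the prefixes in the post, plus one entry
# with host bits set and one malformed entry to exercise validation.
SAMPLE_PREFIXES = [
    "163.172.0.0/16",
    "163.172.208.0/20",   # already covered by the /16 above
    "212.47.224.0/19",
    "62.210.1.0/16",      # host bits set: rejected, not silently widened
    "bogus",              # malformed: rejected
]


def collapse_prefixes(prefixes):
    """Parse prefixes, drop invalid ones, and merge any prefix that is covered
    by or adjacent to another. Returns (merged_networks, rejected_entries)."""
    nets, rejected = [], []
    for p in prefixes:
        try:
            nets.append(ipaddress.ip_network(p.strip(), strict=True))
        except ValueError:
            rejected.append(p)
    merged = list(ipaddress.collapse_addresses(nets))  # sorted, deduplicated
    return merged, rejected


def ipset_block_commands(prefixes, set_name="as-block"):
    """Build ipset + iptables commands for the collapsed list. A hash:net set
    lets one INPUT rule match thousands of prefixes; -exist makes the
    commands safe to re-run. Returns (commands, rejected_entries)."""
    merged, rejected = collapse_prefixes(prefixes)
    cmds = [f"ipset create {set_name} hash:net -exist"]
    cmds += [f"ipset add {set_name} {n} -exist" for n in merged]
    # -I places the rule ahead of the rules 3CX manages itself.
    cmds.append(f"iptables -I INPUT -m set --match-set {set_name} src -j DROP")
    return cmds, rejected


if __name__ == "__main__":
    commands, bad = ipset_block_commands(SAMPLE_PREFIXES)
    print("\n".join(commands))
    for entry in bad:
        print(f"# rejected (check for typos): {entry}")
```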
  2. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,321
    Likes Received:
    253
    I have a list of 7600 items in my iptables on my router that are being blocked, many /22 or larger.
    Although the ones listed above are not in there... I'll keep this in mind. Thanks for sharing.
     
    DSXDATA likes this.