SIP - perhaps botnet? anyone else seeing this?
- Subject: SIP - perhaps botnet? anyone else seeing this?
- From: rdobbins at cisco.com (Roland Dobbins)
- Date: Fri, 10 Apr 2009 17:18:58 +0800
- In-reply-to: <[email protected]>
- References: <[email protected]>
On Apr 10, 2009, at 4:45 PM, Leland E. Vandervort wrote:

> UDP SIP Control traffic in our netflow data.

Have you grabbed some packets in order to ensure it's actually SIP,
vs. something else on the same ports?

If it really is SIP-related, this could be caused by botted hosts
launching a SIP DDoS, or brute-forcing said SIP services in order to
steal service for resale, DoS someone else via the service at layer-7
(i.e., call avalanche), send VoIP spam, et al. You may have botted
hosts in your hosting space, as well as hosts being scanned as
potential targets for exploitation.

A quick search-engine query should reveal that this sort of thing has
been going on for quite some time; I believe there were some
convictions in NJ or somewhere else in the northeastern US within the
last year or so.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // +852.9133.2844 mobile
Our dreams are still big; it's just the future that got small.
-- Jason Scott
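
The packet check suggested above (confirming that the UDP traffic really is SIP rather than something else on the same ports), as an added example that is not part of the original message. It assumes the UDP payloads have already been extracted from a capture as (source address, payload) pairs; the function names and sample payloads are constructed for illustration.

```python
import re
from collections import Counter

# RFC 3261 start lines: "METHOD request-uri SIP/2.0" or "SIP/2.0 code reason".
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) SIP/2\.0$")
STATUS_LINE = re.compile(rb"^SIP/2\.0 ([1-6]\d\d) .*$")
SIP_METHODS = {b"INVITE", b"ACK", b"BYE", b"CANCEL", b"OPTIONS", b"REGISTER",
               b"PRACK", b"SUBSCRIBE", b"NOTIFY", b"PUBLISH", b"INFO",
               b"REFER", b"MESSAGE", b"UPDATE"}

def classify(payload: bytes) -> str:
    """Return 'request:<METHOD>', 'response:<code>' or 'not-sip' for one UDP payload."""
    first = payload.split(b"\n", 1)[0].rstrip(b"\r")
    m = REQUEST_LINE.match(first)
    if m and m.group(1) in SIP_METHODS:
        return "request:" + m.group(1).decode()
    m = STATUS_LINE.match(first)
    if m:
        return "response:" + m.group(1).decode()
    return "not-sip"

def summarize(packets):
    """Tally classifications per source so one host's REGISTER or OPTIONS volume stands out."""
    per_source = {}
    for src, payload in packets:
        per_source.setdefault(src, Counter())[classify(payload)] += 1
    return per_source

# Constructed sample payloads using documentation address ranges, not captured traffic.
REGISTER = (b"REGISTER sip:example.invalid SIP/2.0\r\n"
            b"Via: SIP/2.0/UDP 192.0.2.10:5060\r\n\r\n")
SAMPLE = [("192.0.2.10", REGISTER)] * 3 + [
    ("192.0.2.10", b"OPTIONS sip:100@198.51.100.5 SIP/2.0\r\n\r\n"),
    ("198.51.100.5", b"SIP/2.0 401 Unauthorized\r\n\r\n"),
    ("192.0.2.77", b"\x00\x01\x00\x00not text at all"),
    ("192.0.2.77", b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for src, counts in summarize(SAMPLE).items():
        print(src, dict(counts))
```

A source whose payloads are mostly `not-sip` points to other traffic sharing the port, while many REGISTER requests from one source answered by 401 responses fits the brute-forcing case described in the message.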