nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SIP - perhaps botnet? anyone else seeing this?

From: Roland Dobbins <rdobbins () cisco com>
Date: Fri, 10 Apr 2009 17:18:58 +0800

On Apr 10, 2009, at 4:45 PM, Leland E. Vandervort wrote:


UDP SIP Control traffic in our netflow data.
Have you grabbed some packets in order to ensure it's actually SIP, vs. something else on the same ports?
If it really is SIP-related, this could be caused by botted hosts launching a SIP DDoS, or brute-forcing said SIP services in order to steal service for resale, DoS someone else via the service at layer-7 (i.e., call avallanche), sent VoIP spam, et. al. You may have botted hosts in your hosting space, as well as hosts being scanned as potential targets for exploitation.
A quick search-engine query should reveal that this sort of thing has been going on for quite some time; I believe there were some convictions in NJ or somewhere else in the northeastern US within the last year or so. 

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // +852.9133.2844 mobile

  Our dreams are still big; it's just the future that got small.

                   -- Jason Scott
Previous By Date Next
Previous By Thread Next

Current thread: