One of my customers was hit by a vishing attack through their Elastix box. The attack was coming from a machine owned by a company in Austin, Texas that was in a colo; they were unaware of any issues until I called them. In a period of about 36 hours about 8,500 calls were made.
I'm still trying to understand exactly how the attack functioned. This system was still being tested, and admittedly had weak SIP secrets. However, I have not seen anything in the Asterisk logs indicating a dictionary attack. Is there somewhere else I should be looking? Never a failed registration, just all of a sudden outgoing calls started. Did they really guess an extension and a SIP secret the first time out?
I may open a paid support ticket to discuss this but if anyone else has any thoughts I'd appreciate it. I have a need for remote extensions on some of my systems and to this point have been doing it without VPN. With this attack I question if it is wise to have port 5060 open to the world.
Anyone else having problems like this?