(Cross posted from The Nir Simionovich blog)
Following yesterday’s post, I’ve decided to take another set of data, this time collected after the start of the year, with a specific data profile. What is the profile? Here it is:
- The honeypot server in this case was a publicly accessible Kamailio server
- The honeypot changed its location and IP every 48 hours, over a period of 2 weeks
- The honeypot was always located in the same Amazon AWS region – in this case N.California
- All calls were replied to with a 200 OK, followed by a playback from an Asterisk server
In this specific case, I wasn’t really interested in the attempted numbers; I was more interested in figuring out where the attacks were coming from. The results were fairly surprising:
The above table shows a list of attacking IP addresses, the number of attempts from each address, and the origin country. For some weird reason, 97% of potential attacks originated in Western Europe. In past years, most of the attempts came from Eastern European countries and the Far East, but now it is mainland Europe (Germany, France, Great Britain).
Can we extrapolate a viable security recommendation from this? Absolutely not, it doesn’t mean anything specific. But it could mean one of the following:
- The number of hijacked PBX systems in mainland Europe is growing?
- The number of hijacked generic services in mainland Europe is growing?
- European VoIP PBX integrators are doing a lousy job at securing their PBX systems?
- European VPS providers pay less attention to security matters?
If you pay attention to the attempts originating in France, you will notice that the addresses fall into a highly similar range, right down to the same Class-C (/24) network. That is no coincidence; that is negligence.
Now, let’s dig deeper into France and see where they are attempting to dial:
So, on the face of it, these guys are trying to call the US. I wonder what these numbers are for?
Ok, that’s Verizon… let’s dig deeper…
Global Crossing? That is interesting… What else is in there?
So, all these attempts go to landlines, which most probably means they are being dialed into another hijacked system, in order to confirm that a newly hijacked system actually works.
Well, if you can give me a different explanation, I’m open to it. Also, if any of the above carriers are reading this, I suggest you investigate these numbers.
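As an added illustration (my own code, not from the original post), here is how the aggregation behind the tables above can be reproduced from a honeypot’s call log: attempts per source IP, attempts per /24 block (the Class-C clustering noted for the French sources), and dialed destinations by country and area code. The records and the country-code table are constructed samples, not the post’s data.

```python
import ipaddress
from collections import Counter

# Constructed sample records (source IP, dialed number), in the shape a SIP
# honeypot such as the Kamailio setup above might log; not the post's real data.
SAMPLE_ATTEMPTS = [
    ("203.0.113.10", "0015551234567"),
    ("203.0.113.10", "0015551234568"),
    ("203.0.113.11", "0014155550100"),
    ("203.0.113.12", "0014155550101"),
    ("198.51.100.7", "0014155550102"),
    ("198.51.100.7", "0044203555010"),
]

# Small constructed country-code table; extend as needed.
COUNTRY_CODES = {"1": "NANP", "44": "UK", "33": "FR", "49": "DE"}


def attempts_per_ip(records):
    """Count attempts per source IP, most active first (the first table)."""
    return Counter(ip for ip, _ in records).most_common()


def attempts_per_block(records, prefixlen=24):
    """Group attempts by /24 (Class-C) network so clustered sources stand out."""
    counts = Counter()
    for ip, _ in records:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts.most_common()


def normalize_number(dialed):
    """Strip a '+' or '00' international prefix, leaving bare E.164 digits."""
    if dialed.startswith("+"):
        return dialed[1:]
    if dialed.startswith("00"):
        return dialed[2:]
    return dialed


def destination_summary(records):
    """Count attempts by destination country and, for NANP numbers, area code."""
    counts = Counter()
    for _, dialed in records:
        digits = normalize_number(dialed)
        # Country codes are 1 to 3 digits; take the first match in the table.
        cc = next((digits[:n] for n in (1, 2, 3) if digits[:n] in COUNTRY_CODES), None)
        area = digits[1:4] if cc == "1" else ""
        counts[(COUNTRY_CODES.get(cc, "unknown"), area)] += 1
    return counts.most_common()
```

Running the same three summaries over a real log makes the per-IP, per-range and per-destination views above reproducible instead of eyeballed.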