I tried to collect a little more information on one of these “attempts” on my system since, like others here, they occur about 20-30/day and hit at high speed and run. I’m running:
Asterisk 11.2.1 built by root @ pluto on a x86_64 running Linux on 2013-02-27 17:10:37 UTC
On my asterisk console “asterisk -vvvr” I see:
[Mar 27 10:44:51] NOTICE[14760][C-00001770]: chan_sip.c:25081 handle_request_invite: Sending fake auth rejection for device 220sip:220@50.132.114.182;tag=52f1c7b1
50.132.114.182 is my external IP, changed for posting here.
I left wireshark (ethernet snoop) running to capture one of these events and here is what I see:
41248 282.745440000 37.75.215.95 50.132.114.182 SIP/SDP 797 Request: INVITE sip:99011972543424432@50.132.114.182 | , with session description
Frame 41248: 797 bytes on wire (6376 bits), 797 bytes captured (6376 bits) on interface 0
Ethernet II, Src: Cisco_b0:19:e2 (00:1d:70:b0:19:e2), Dst: AsustekC_0b:bf:ba (54:04:a6:0b:bf:ba)
Internet Protocol Version 4, Src: 37.75.215.95 (37.75.215.95), Dst: 50.132.114.182 (50.132.114.182)
User Datagram Protocol, Src Port: vtsas (5070), Dst Port: sip (5060)
Request-Line: INVITE sip:99011972543424432@50.132.114.182 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.4:5070;branch=z9hG4bK-5b3d7c0241b0370854f9fc0930d95996;rport
I know 192.168.1.4 isn’t my private subnet because my subnet is numbered differently.
I also see the equipment used in this “drive-by” is Cisco, which I interpret as -expensive- and probably a well funded organized effort.
As is typical of these events, a reverse lookup on 37.75.215.95 shows the IP isn’t registered anywhere recognizable.
I wish Asterisk could take these events and after a failed attempt, automatically block the requester. This feature should be countered with being able to unblock a single IP, or never block a specific IP (i.e. if it’s me trying to get my setup running I need to be able to say, this is mine, don’t block it while I continue to make mistakes).
Nice thread. There is obviously a lot of pain over this subject in the Asterisk community. Count me as one of those experiencing pain.
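The auto-block-with-exceptions feature the post wishes for can be prototyped outside Asterisk from the capture it already shows. The script below is an added example, not code from the post or from the Asterisk project: it parses lines in the Wireshark packet-list summary layout quoted above (frame, time, src, dst, protocol, length, info), counts SIP requests per source address inside a sliding window, blocks a source once it crosses a threshold, honours a never-block list for the owner's own phones, and lets a single block be lifted again. The sample lines are constructed for the example (the first one is the post's own frame; the 192.0.2.10 and 198.51.100.7 sources are documentation-range placeholders). It keys on the capture rather than on the `handle_request_invite` NOTICE line because that line carries the From user (`220@50.132.114.182`, the poster's own address), not the remote address that sent the INVITE.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample input in the same column layout as the post's
# Wireshark summary line. Frame 41248 is the one from the post; the
# remaining lines are invented here to show the policy reacting.
SAMPLE_LINES = """\
41248 282.745440000 37.75.215.95 50.132.114.182 SIP/SDP 797 Request: INVITE sip:99011972543424432@50.132.114.182 | , with session description
41251 282.912100000 37.75.215.95 50.132.114.182 SIP/SDP 799 Request: INVITE sip:99011972543424433@50.132.114.182 | , with session description
41257 283.101300000 37.75.215.95 50.132.114.182 SIP/SDP 801 Request: INVITE sip:99011972543424434@50.132.114.182 | , with session description
41260 283.204000000 192.0.2.10 50.132.114.182 SIP 612 Request: REGISTER sip:50.132.114.182
41263 283.330000000 192.0.2.10 50.132.114.182 SIP 612 Request: REGISTER sip:50.132.114.182
41264 283.450000000 192.0.2.10 50.132.114.182 SIP 612 Request: REGISTER sip:50.132.114.182
41270 284.000000000 198.51.100.7 50.132.114.182 SIP 590 Request: OPTIONS sip:50.132.114.182
41290 900.000000000 37.75.215.95 50.132.114.182 SIP/SDP 797 Request: INVITE sip:99011972543424435@50.132.114.182 | , with session description
"""

# One SIP request extracted from a summary line.
SipRequest = namedtuple("SipRequest", "frame time src dst method uri")

# <frame> <time> <src> <dst> <proto> <len> Request: <METHOD> <uri> ...
SUMMARY_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>SIP\S*)\s+(?P<len>\d+)\s+Request:\s+(?P<method>[A-Z]+)\s+(?P<uri>\S+)"
)


def parse_line(line):
    """Return a SipRequest for a SIP request summary line, or None for any other line."""
    m = SUMMARY_RE.match(line.strip())
    if not m:
        return None
    return SipRequest(int(m["frame"]), float(m["time"]), m["src"], m["dst"],
                      m["method"], m["uri"])


class AutoBlocker:
    """Block a source after `threshold` requests within `window` seconds,
    unless it is on the never-block list; blocks can be lifted one at a time."""

    def __init__(self, threshold=3, window=60.0, never_block=()):
        self.threshold = threshold
        self.window = window
        self.never_block = set(never_block)
        self.recent = defaultdict(list)  # src -> request times still inside the window
        self.blocked = {}                # src -> time the block was applied

    def observe(self, req):
        """Record one request; return True only when it triggers a new block."""
        if req.src in self.never_block or req.src in self.blocked:
            return False
        # Keep only the timestamps that still fall inside the sliding window.
        times = [t for t in self.recent[req.src] if req.time - t <= self.window]
        times.append(req.time)
        self.recent[req.src] = times
        if len(times) >= self.threshold:
            self.blocked[req.src] = req.time
            del self.recent[req.src]
            return True
        return False

    def unblock(self, src):
        """Lift a single block (the manual override the post asks for)."""
        return self.blocked.pop(src, None) is not None


def scan_capture(text, never_block=(), threshold=3, window=60.0):
    """Run the policy over capture summary text and return the AutoBlocker state."""
    blocker = AutoBlocker(threshold, window, never_block)
    for line in text.splitlines():
        req = parse_line(line)
        if req is not None:
            blocker.observe(req)
    return blocker


if __name__ == "__main__":
    # 192.0.2.10 stands in for the owner's own phone, which must never be blocked.
    state = scan_capture(SAMPLE_LINES, never_block=["192.0.2.10"])
    for src, when in sorted(state.blocked.items()):
        print(f"block {src} (triggered at t={when:.3f}s)")
```

Run on the sample, only 37.75.215.95 ends up blocked: its three INVITEs arrive within a second, the owner's phone is exempt even though it also sends three requests, and the single OPTIONS from 198.51.100.7 stays under the threshold. Without the never-block entry the owner's phone would be blocked too, which is exactly the mistake the post wants to be able to undo; `unblock()` covers that case. In a real deployment the same policy is what fail2ban applies to Asterisk's own security log, feeding the resulting addresses into the host firewall rather than into Asterisk itself.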