Compiled list of SIP bots

Hello Everyone

I have compiled a list of IPs from which I am getting continuous INVITE or REGISTER requests on my FreePBX host.

I suspect these are either SIP bots or some kind of SIP attack.

These individual IPs I have converted to subnets with a /16 IP range.

I have made an alias in pfSense and blocked all incoming UDP IPv4 connections in the WAN firewall.
Please let me know if any of these subnets are ISPs in your country…
Also, as a side note, I am using port 5160 instead of 5060.


Hope you guys find it useful. Will be updating it regularly.


Why not just ask “whois”?

For example

whois -h whois.cymru.com ' -v 128.90.0.0/16'
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
22363   | 128.90.0.0       | 128.90.0.0/24       | US | arin     | 1987-12-03 | PHMGMT-AS1, US

You can use the ASN to check for other like-minded intrusions.
I will question where you got your arbitrary n.n.0.0/16 subnets from; almost all of these n.n.0.0 ranges are sub-netted at a more granular level. For more info:
https://www.team-cymru.com/ip-asn-mapping
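The original post aggregates attacking hosts into /16 blocks, and the reply above objects that real allocations are far more granular. The following script, added here as an illustration and not code from either poster, counts failed SIP authentication events per source address from constructed log lines approximating Asterisk's security log (the file Fail2Ban watches on a FreePBX host), proposes /24 block candidates, and shows how many more addresses a /16 would cover than the /24s actually observed. The log lines, IPs and thresholds are made-up examples.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of Asterisk's res_security_log output.
# All addresses and account names are made up for this example.
SAMPLE_LOG = """\
[2023-05-01 10:00:01] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="1001",RemoteAddress="IPV4/UDP/45.134.1.2/5062"
[2023-05-01 10:00:02] SECURITY[1234] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",AccountID="1001",RemoteAddress="IPV4/UDP/45.134.1.2/5062"
[2023-05-01 10:00:03] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="200",RemoteAddress="IPV4/UDP/45.134.1.9/5070"
[2023-05-01 10:00:04] SECURITY[1234] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="PJSIP",AccountID="1002",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2023-05-01 10:00:05] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="admin",RemoteAddress="IPV4/UDP/45.134.200.3/5060"
"""

# Event names that indicate a failed REGISTER/INVITE authentication attempt.
FAILURE_EVENTS = {"InvalidAccountID", "ChallengeResponseFailed", "FailedACL", "InvalidPassword"}
LINE_RE = re.compile(r'SecurityEvent="(?P<event>[^"]+)".*RemoteAddress="IPV4/\w+/(?P<ip>[\d.]+)/\d+"')


def count_failures(log_text):
    """Return a Counter of failed-auth events keyed by remote IPv4 address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("event") in FAILURE_EVENTS:
            hits[m.group("ip")] += 1
    return hits


def candidate_blocks(hits, prefixlen=24, threshold=2):
    """Aggregate offending IPs into /prefixlen networks; return those with >= threshold failures."""
    per_net = Counter()
    for ip, n in hits.items():
        per_net[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)] += n
    return sorted(str(net) for net, n in per_net.items() if n >= threshold)


def overblock_ratio(hits, wide=16, narrow=24):
    """How many times more addresses the /wide blocks cover than the /narrow blocks actually seen."""
    nets = lambda p: {ipaddress.ip_network(f"{ip}/{p}", strict=False) for ip in hits}
    wide_addrs = sum(n.num_addresses for n in nets(wide))
    narrow_addrs = sum(n.num_addresses for n in nets(narrow))
    return wide_addrs // narrow_addrs


if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    print("failures per source:", dict(failures))
    print("/24 block candidates:", candidate_blocks(failures))
    print("a /16 covers this many times more addresses than the /24s seen:", overblock_ratio(failures))
```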

Hello

My intent was not to ask about the country ISP specifically for each IP…
I just mentioned it for the sake of getting more info on the SIP bots' locations.

Hello

I used the n.n.0.0/16 subnet as I have seen that there are multiple IPs knocking on my SIP server from within this subnet, like

n.n.x.y
n.n.z.b

but in most cases n.n. remained the same, so I decided to use this subnet for blocking in my use case…

Everyone is free to change the subnet as per their requirements or preference.

Then use the particular attacking host:

whois -h whois.cymru.com ' -v 128.90.x.y'

It will reveal the subnet in which that host exists, but if you simply stop listening for connections on UDP/5060, all this crap will mostly no longer be a problem.


You may want to check out the APIBAN project.

They use a series of honeypots to catch bad actors.


This seems fantastic. Thanks for sharing.

Why, in 2023, is anyone still stuck messing with UDP/5060 filters?
(Is your SSH service still on TCP/22? In both cases you are a sitting duck waiting to be shot.)

WTF guys? Please explain why you still do that.


Why are you assuming that we are?

We do have at least one SIP port exposed to the world because of mobile phones, even if it’s random it’s still open.

It literally took me 30 seconds to add APIBAN’s list to our firewall to drop all traffic coming from these IPs to any port.

I guess in my cost/benefit analysis it seemed worth it? I don’t know.

I am assuming that because if you were not listening on UDP/5060 you would not get any of those connections to filter; if you are, then you will need to be unnecessarily busy ;-) Does that make sense?

It would take a few more minutes to have your extensions not use 5060. That is all; then no more of that crap. Do you not understand how it works?

What if I want to filter connection to any port from those IPs given that they clearly originate malicious traffic and it takes me all of 30 seconds to make that happen?

In lieu of opening the port, have you tried Responsive Firewall? If that doesn’t work (please explain), open the random port only to the mobile carrier’s AS, rather than looking for addresses to block.

The responsive firewall is on but to me that’s still an open port. Yea it closes off for a specific connection if the connection ends up being illegitimate but the port is still open and accepting traffic and responding to requests coming in on that port for however brief a time period.

But it does not get updated too often…
I have this added to my pfSense firewall and still I am getting hits on my PBX.

You will get endless ‘hits’ while you continue to listen on UDP/5060, but that is your choice to do so; you will have to put up with the consequences.

(Still can’t figure out why folks still do that sh1t, go figure)

Changing from 5060 won’t make this magically go away; that’s far from a silver bullet.

Nor is a VPN; unless there is brute-force protection behind it, it will suffer the same brute-force attacks.

The responsive firewall is a critical component. We have one site with Fail2Ban email notifications and we get far, far more emails than we see responsive firewall blocks. This is concerning, and I’ve not had the energy or money to pay for support to figure out/explain what’s going on.

Not a silver bullet, but a recommended prophylactic against blunt force attacks :wink:

Not using UDP/5060 will appear almost like magic in reducing these connections; have you ever tried to do that?

Using a less travelled transport than UDP/5060 will always be a better choice for anyone.

F2B only looks at the log file it is told to; in your case you will see the floods of connections to port 5060 in that log file. Change the transport and do a before/after comparison; you will be surprised :slight_smile:

I can count on zero fingers the number of SIP exploits I have seen on Asterisk/FreePBX. In fact if you set up FreePBX in a default configuration it already has a sensible dial plan that prevents external SIP from calling out using your trunks, and it generates long SIP extension passwords. The best way to avoid SIP mishaps is to not change the defaults unless you know what you are doing. The SIP bots are just noise.

It’s all the other services that make up a FreePBX server that actually worry me.


That I totally agree with; all recent successful penetrations have been to unprotected IP-based connections (HTTP).

I highly endorse enforced TLS for both HTTP and SIPS. IP-based connections should be rejected before they can leak info.