Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   UK VOIP (http://www.velocityreviews.com/forums/f34-uk-voip.html)
-   -   Re: Opal Telecom IP address in logs (http://www.velocityreviews.com/forums/t643288-re-opal-telecom-ip-address-in-logs.html)

Theo Markettos 11-06-2008 03:11 PM

Re: Opal Telecom IP address in logs
 
Jono <nothanks@blueyonder.invalid> wrote:
> Hello,
>
> Anyone help me understand why, in the slightly inadequate logs of my
> router, I might have an Opal Telecom IP address (78.150.205.141) as an
> accepted inbound connection on port 5065?
>
> 5065 is part of a range forwarded to my Asterisk server.


VOIP attack?
http://www.ipcom.at/index.php?id=565

Since SIP is UDP it's easy to fake the originator's address.

Theo

Theo Markettos 11-06-2008 06:47 PM

Re: Opal Telecom IP address in logs
 
Jono <nothanks@blueyonder.invalid> wrote:
> Is there something I can type at the CLI to discover things?
>
> Netstat -a doesn't yield anything significant.


If you want to keep an eye on what happens in future, try
asterisk -r -vvvv -dddd
(alter the number of vs and ds to taste)
That'll open a console and log to it. You can also tweak asterisk's
logger.conf if you want this on all the time and logged to a file.

Whether there's anything in the logs will depend on what it was set to in
the past, but try looking in /var/log/asterisk

There's not much to see on the router unless you want to set up your
firewall rules to log incoming SIP packets. netstat will only show a UDP
socket listening; because UDP is connectionless it doesn't know about any
open connections. But if it's going through NAT the masquerading table may
have a record until the connection expires (minutes, probably).

Theo

Gordon Henderson 11-06-2008 10:14 PM

Re: Opal Telecom IP address in logs
 
In article <mn.34127d8b5ed747f5.88534@blueyonder.invalid>,
Jono <nothanks@blueyonder.invalid> wrote:
>on 06/11/2008, Theo Markettos supposed :
>> Jono <nothanks@blueyonder.invalid> wrote:
>>> Hello,
>>>
>>> Anyone help me understand why, in the slightly inadequate logs of my
>>> router, I might have an Opal Telecom IP address (78.150.205.141) as an
>>> accepted inbound connection on port 5065?
>>>
>>> 5065 is part of a range forwarded to my Asterisk server.

>>
>> VOIP attack?
>> http://www.ipcom.at/index.php?id=565
>>
>> Since SIP is UDP it's easy to fake the originator's address.
>>
>> Theo

>
>Hmm.
>
>Is there something I can type at the CLI to discover things?
>
>Netstat -a doesn't yield anything significant.


On the asterisk box, you can start to run tcpdump (or tshark),
so use sip show peers at the asterisk cli to get their ip addresses,
then something like:

tcpdump -n not host 1.2.3.4 and not host 3.4.5.6

where those IP addresses are known IP addresses (given by sip show
peers)

Then you'll see all traffic that's not from sites you know. You'll see
lots of other stuff too - lots of broadcasts from other machines on your
LAN which if you know them, you can start to filter out with more

and not host n.n.n.n

etc.

Gordon

Gordon Henderson 11-07-2008 08:54 AM

Re: Opal Telecom IP address in logs
 
In article <mn.39ea7d8b34af6e79.88534@blueyonder.invalid>,
Jono <nothanks@blueyonder.invalid> wrote:
>Gordon Henderson formulated on Thursday :
>> In article <mn.34127d8b5ed747f5.88534@blueyonder.invalid>,
>> Jono <nothanks@blueyonder.invalid> wrote:
>>> on 06/11/2008, Theo Markettos supposed :
>>>> Jono <nothanks@blueyonder.invalid> wrote:
>>>>> Hello,
>>>>>
>>>>> Anyone help me understand why, in the slightly inadequate logs of my
>>>>> router, I might have an Opal Telecom IP address (78.150.205.141) as an
>>>>> accepted inbound connection on port 5065?
>>>>>
>>>>> 5065 is part of a range forwarded to my Asterisk server.
>>>>
>>>> VOIP attack?
>>>> http://www.ipcom.at/index.php?id=565
>>>>
>>>> Since SIP is UDP it's easy to fake the originator's address.
>>>>
>>>> Theo
>>>
>>> Hmm.
>>>
>>> Is there something I can type at the CLI to discover things?
>>>
>>> Netstat -a doesn't yield anything significant.

>>
>> On the asterisk box, you can start to run tcpdump (or tshark),
>> so use sip show peers at the asterisk cli to get their ip addresses,
>> then something like:
>>
>> tcpdump -n not host 1.2.3.4 and not host 3.4.5.6
>>
>> where those IP addresses are known IP addresses (given by sip show
>> peers)
>>
>> Then you'll see all traffic that's not from sites you know. You'll see
>> lots of other stuff too - lots of broadcasts from other machines on your
>> LAN which if you know them, you can start to filter out with more
>>
>> and not host n.n.n.n

>
>Thanks....getting there.
>
>Why isn't there an opposite of NOT in this case?....or is there?


Well yes, you just drop 'not' ... But it depends on what you're looking
for - if you're looking for a known IP address then just put in there:

host 1.2.3.4

if you're looking for things you don't know, then you need to eliminate
things you do know about first, so:

not net 192.168.1.0/24

will make it ignore your local network (if it's 192.168.1.0/24) and so
on. (actually a very good thing if you're looking for remote stuff
connecting in)

So:

tcpdump -n not net 192.168.1.0/24 and not host 81.31.100.110

where 81.31.100.110 is the IP of a "known" peer will show up everything
else.

Check the manuals for more runes - the matching stuff works with both
tcpdump and tshark (or wireshark)

Gordon
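As an added worked example (not from the thread, and not Gordon's code): a small Python script that builds the tcpdump expression from the `sip show peers` list and then applies the same "everything except what I already know" rule to `tcpdump -n` output, counting datagrams into the forwarded port range from unknown sources. Everything in it is an assumption for the example: the capture text is constructed (the thread's own addresses plus RFC 5737 documentation addresses), the known peer is the 81.31.100.110 Gordon used as a placeholder, the LAN is 192.168.3.0/24 as in Jono's later capture, and the forwarded range is taken to be UDP 5060-5069. One caveat it bakes in: when the Asterisk box is itself on the LAN, a plain `not net 192.168.3.0/24` matches inbound packets too (their destination is a LAN address) and discards them, so the filter uses `not src net` instead.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -n` output (the thread's own addresses plus
# RFC 5737 documentation addresses); it is not a capture from the thread.
SAMPLE_TCPDUMP = """\
19:29:21.284879 IP 78.148.10.15.5066 > 192.168.3.2.5065: UDP, length 663
19:29:21.348057 IP 192.168.3.2 > 78.148.10.15: ICMP 192.168.3.2 udp port 5065 unreachable, length 556
19:29:22.284901 IP 78.148.10.15.5066 > 192.168.3.2.5065: UDP, length 663
19:29:23.285117 IP 78.148.10.15.5066 > 192.168.3.2.5065: UDP, length 663
19:29:25.100000 IP 81.31.100.110.5060 > 192.168.3.2.5060: UDP, length 412
19:29:26.000000 IP 192.168.3.7.138 > 192.168.3.255.138: UDP, length 201
19:29:27.500000 IP 203.0.113.9.5060 > 192.168.3.2.5062: UDP, length 380
19:29:28.000000 IP 192.168.3.2.5060 > 81.31.100.110.5060: UDP, length 390
"""

# Assumptions (not stated on the page): the known peers are what
# `sip show peers` listed, the LAN is 192.168.3.0/24 as in Jono's capture,
# and the router forwards UDP 5060-5069 to the Asterisk box.
KNOWN_PEERS = ["81.31.100.110"]
LOCAL_NET = "192.168.3.0/24"
FORWARDED_PORTS = range(5060, 5070)

UDP_LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def build_filter(known_peers, local_net):
    """BPF expression in the shape Gordon suggests. It uses `src net` rather
    than plain `net`: the capture box is itself on the LAN, so `not net`
    would also drop every inbound packet (their destination is a LAN address)."""
    terms = [f"not src net {local_net}"] + [f"not host {p}" for p in known_peers]
    return " and ".join(terms)


def parse_udp_line(line):
    """One `tcpdump -n` UDP summary line -> dict, or None for anything else
    (ICMP, TCP and ARP lines are simply skipped)."""
    m = UDP_LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "len": int(d["len"])}


def unknown_sip_sources(text, known_peers=KNOWN_PEERS, local_net=LOCAL_NET,
                        ports=FORWARDED_PORTS):
    """[(src, dport, count)] for datagrams into the forwarded range whose
    source is neither a known peer nor a LAN address."""
    net = ipaddress.ip_network(local_net)
    known = {ipaddress.ip_address(p) for p in known_peers}
    counts = {}
    for line in text.splitlines():
        pkt = parse_udp_line(line)
        if pkt is None or pkt["dport"] not in ports:
            continue
        src = ipaddress.ip_address(pkt["src"])
        if src in net or src in known:
            continue
        key = (pkt["src"], pkt["dport"])
        counts[key] = counts.get(key, 0) + 1
    return sorted((s, p, n) for (s, p), n in counts.items())


if __name__ == "__main__":
    print("tcpdump -n '" + build_filter(KNOWN_PEERS, LOCAL_NET) + "'")
    for src, port, n in unknown_sip_sources(SAMPLE_TCPDUMP):
        print(f"{src} -> udp/{port}: {n} datagram(s) from an unknown source")
```

Run it against saved output (`tcpdump -n ... > sip.txt`, then feed the file's text to `unknown_sip_sources`) and the result is the list of outside addresses that were actually aimed at the forwarded range, with the LAN broadcasts and the known peers already removed; the sample yields 203.0.113.9 once on 5062 and 78.148.10.15 three times on 5065.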

alexd 11-07-2008 11:34 PM

Re: Opal Telecom IP address in logs
 
Jono wrote:

> Thanks....
>
> A different Opal Telecom IP has appeared (78.148.10.15).
>
> ...what can I glean from this..?
>
> root@pbx:~ $ tcpdump -v host 78.148.10.15
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
> 96 bytes


> 19:29:21.284879 IP (tos 0xa0, ttl 49, id 0, offset 0, flags [DF],
> proto: UDP (17), length: 691) 78.148.10.15.epnsdp > 192.168.3.2.ca-2: UDP,
> length 663


78.148.10.15 is trying to send data to your port 5065.

> 19:29:21.348057 IP (tos 0xc0, ttl 64, id 43954, offset 0, flags
> [none], proto: ICMP (1), length: 576) 192.168.3.2 > 78.148.10.15: ICMP
> 192.168.3.2 udp port ca-2 unreachable, length 556 IP (tos 0xa0, ttl 49,
> id 0, offset 0, flags [DF], proto: UDP (17), length: 691)
> 78.148.10.15.epnsdp > 192.168.3.2.ca-2: UDP, length 663[|icmp]


No can do, Mr 78.148.10.15. The whole sequence is then repeated twice. You
might do better by writing to a file [-w] then opening it up in Wireshark.
You might want to add -s 0, then you can get the entire packet. There might
even be some SIP headers in it. OTOH, are you sure that port 5065 isn't
some commonly used P2P port, and you're being innocently probed by other
peers?

--
<http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm@ale.cx)
23:24:50 up 23 days, 4:15, 1 user, load average: 0.00, 0.01, 0.02
They call me titless because I have no tits
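Added example, not from the thread and not alexd's code: once the capture is taken with `-s 0 -w file`, the UDP payload itself says what 78.148.10.15 was sending, and the following Python parses one datagram as a SIP message (request or response line, headers including the RFC 3261 compact forms, folded lines, repeated Via headers). The OPTIONS probe it is run on is constructed for the example; the thread never shows the contents of Jono's packets, and the User-Agent string is invented. It also pulls the sent-by host out of the first Via so it can be compared with the IP source tcpdump reported: a mismatch means NAT in the path or a forged source address, which is Theo's point about UDP. Note, too, what the quoted capture already shows without any payload: the ICMP "udp port ca-2 unreachable" reply means nothing on 192.168.3.2 was bound to 5065 at that moment, so the router forwarded the datagram but Asterisk never saw it.

```python
import re

# Constructed sample: a SIP OPTIONS probe of the kind address scanners send.
# It is NOT the payload from Jono's capture (the thread never shows contents);
# the addresses are the ones that appear in the thread, the UA is made up.
SAMPLE_PROBE = (
    b"OPTIONS sip:100@192.168.3.2:5065 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 78.148.10.15:5066;branch=z9hG4bK-7f3c2a;rport\r\n"
    b"Max-Forwards: 70\r\n"
    b"From: \"sipscan\" <sip:100@78.148.10.15>;tag=4f1a\r\n"
    b"To: \"sipscan\" <sip:100@192.168.3.2>\r\n"
    b"Call-ID: 3b9e1c0d@78.148.10.15\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Contact: <sip:100@78.148.10.15:5066>\r\n"
    b"User-Agent: example-scanner/1.0\r\n"
    b"Accept: application/sdp\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

REQUEST_RE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")
VIA_RE = re.compile(r"^SIP/2\.0/(\w+) ([^;\s]+)")

# RFC 3261 compact header names -> long names, so a scanner that writes
# "v:" / "f:" is parsed the same as one that spells the headers out.
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id",
           "m": "contact", "l": "content-length", "c": "content-type",
           "s": "subject", "k": "supported", "e": "content-encoding"}


def parse_sip(payload):
    """Parse one UDP payload as a SIP message.

    Returns a dict with kind/method/uri (or kind/status/reason), a headers
    dict keyed by lower-cased long header name, and the body; returns None
    when the datagram is not SIP at all, so other junk hitting the port is
    reported as such instead of crashing the tool."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return None
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_RE.match(lines[0])
    if m:
        msg = {"kind": "request", "method": m.group(1), "uri": m.group(2)}
    else:
        m = STATUS_RE.match(lines[0])
        if not m:
            return None
        msg = {"kind": "response", "status": int(m.group(1)),
               "reason": m.group(2)}
    headers = {}
    last = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last is not None:
            headers[last] += " " + line.strip()      # folded continuation line
            continue
        name, colon, value = line.partition(":")
        if not colon:
            return None                              # malformed header line
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        value = value.strip()
        # Repeated headers (several Via hops, for example) are joined with
        # commas, which RFC 3261 defines as their combined value.
        headers[name] = value if name not in headers else headers[name] + ", " + value
        last = name
    msg["headers"] = headers
    msg["body"] = body
    return msg


def via_sent_by(msg):
    """(transport, host, port) from the first Via: where the sender *claims*
    the request came from. Compare with the IP source tcpdump showed."""
    via = msg["headers"].get("via", "").split(",")[0].strip()
    m = VIA_RE.match(via)
    if not m:
        return None
    host, sep, port = m.group(2).rpartition(":")
    if not sep:                    # no port given
        return (m.group(1).upper(), m.group(2), None)
    return (m.group(1).upper(), host, int(port))


def summarize(payload):
    """One-line classification suitable for a log: what was sent and by whom."""
    msg = parse_sip(payload)
    if msg is None:
        return "not SIP"
    h = msg["headers"]
    if msg["kind"] == "request":
        what = f"{msg['method']} {msg['uri']}"
    else:
        what = f"{msg['status']} {msg['reason']}"
    return f"{what} from {h.get('from', '?')} ua={h.get('user-agent', '?')}"


if __name__ == "__main__":
    print(summarize(SAMPLE_PROBE))
    print("Via sent-by:", via_sent_by(parse_sip(SAMPLE_PROBE)))
```

To use it on a real capture, read the pcap with a library such as scapy or dpkt (or export the UDP payload from Wireshark) and hand each datagram's payload to `summarize`; an OPTIONS or REGISTER flood from a single address with a scanner-style User-Agent is the usual signature of the enumeration attempts Theo's link describes, whereas a P2P client's traffic will come back as "not SIP".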


alexd 11-12-2008 10:46 PM

Re: Opal Telecom IP address in logs
 
Jono wrote:

> So, it looks like nothing untoward is happening...?


Without seeing the actual content of the packets, all we can do is
speculate. The only information we have right now is source/destination
port/IP address [aka a datagram socket] and the length of the packet.

--
<http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm@ale.cx)
22:42:48 up 28 days, 3:33, 1 user, load average: 0.01, 0.04, 0.04
They call me titless because I have no tits


