707 Views | 0 Helpful | 4 Replies

ExpressWay Trickle Brute Force

RITR
Level 1

Someone was (I blocked it manually from the net fw) slowly trying different SIP URLs looking for valid ones. It was about one try every 30 - 90 seconds. I'm not seeing related events in the ExpressWay-Core so I'm assuming it blocked it. We only use it for Webex trunking and MRA. Is the 404 coming simply from the Edge, or is it actually checking something and returning a real "[user] not found"? My concern is I don't want it to get a valid response if it stumbles across a valid URL.

Log snippet:

- datetime	tvcs: Event="Call Rejected" Service="SIP" Src-ip="[hackerip]" Src-port="29777" Src-alias-type="SIP" Src-alias="sip:[ourdomain].com" Dst-alias-type="SIP" Dst-alias="sip:[johndoe]@[ourdomain].com" Call-serial-number="8e35802a-bb6f-463d-913b-d0fda2ea455f" Tag="1ff5e867-a566-4e1a-8b0c-b230c7bf5773" Detail="Not Found" Protocol="TLS" Response-code="404" Level="1" UTCTime="datetime"
- datetime	tvcs: Event="Search Completed" Reason="Not Found" Service="SIP" Src-ip="[hackerip]" Src-port="29777" Src-alias-type="SIP" Src-alias="[ourdomain].com" Dst-alias-type="SIP" Dst-alias="sip:[johndoe]@[ourdomain].com" Call-serial-number="8e35802a-bb6f-463d-913b-d0fda2ea455f" Tag="1ff5e867-a566-4e1a-8b0c-b230c7bf5773" Detail="found:false, searchtype:INVITE, Info:Policy Response" Protocol="TCP" Level="1" UTCTime="datetime"
- datetime	tvcs: Event="Search Attempted" Service="SIP" Src-alias-type="SIP" Src-alias="[ourdomain].com" Dst-alias-type="SIP" Dst-alias="sip:[johndoe]@[ourdomain].com" Call-serial-number="8e35802a-bb6f-463d-913b-d0fda2ea455f" Tag="1ff5e867-a566-4e1a-8b0c-b230c7bf5773" Detail="searchtype:INVITE" Level="1" UTCTime="datetime"
- datetime	tvcs: Event="Call Attempted" Service="SIP" Src-ip="[hackerip]" Src-port="29777" Src-alias-type="SIP" Src-alias="sip:[ourdomain].com" Dst-alias-type="SIP" Dst-alias="sip:[johndoe]@[ourdomain].com" Call-serial-number="8e35802a-bb6f-463d-913b-d0fda2ea455f" Tag="1ff5e867-a566-4e1a-8b0c-b230c7bf5773" Protocol="TLS" Auth="NO" Level="1" UTCTime="datetime"
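Added example, not part of the original post or Cisco's own tooling: a small parser for the tvcs key="value" event format shown above that groups 404 "Call Rejected" events by source IP and flags sources that probe many distinct destination aliases, which is the slow enumeration pattern described in the post. The log lines, IPs, aliases and timestamps below are constructed sample data, and the threshold `min_targets` is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines mimicking the Expressway tvcs event format above.
# 203.0.113.7 probes four different aliases over 200 s; 198.51.100.2 is a single misdial.
SAMPLE_LOG = """\
tvcs: Event="Call Rejected" Service="SIP" Src-ip="203.0.113.7" Src-port="29777" Dst-alias="sip:alice@example.com" Detail="Not Found" Response-code="404" UTCTime="2024-01-01T10:00:00"
tvcs: Event="Call Rejected" Service="SIP" Src-ip="203.0.113.7" Src-port="29778" Dst-alias="sip:bob@example.com" Detail="Not Found" Response-code="404" UTCTime="2024-01-01T10:00:45"
tvcs: Event="Call Rejected" Service="SIP" Src-ip="203.0.113.7" Src-port="29779" Dst-alias="sip:carol@example.com" Detail="Not Found" Response-code="404" UTCTime="2024-01-01T10:02:00"
tvcs: Event="Call Rejected" Service="SIP" Src-ip="203.0.113.7" Src-port="29780" Dst-alias="sip:dave@example.com" Detail="Not Found" Response-code="404" UTCTime="2024-01-01T10:03:20"
tvcs: Event="Call Rejected" Service="SIP" Src-ip="198.51.100.2" Src-port="5060" Dst-alias="sip:typo@example.com" Detail="Not Found" Response-code="404" UTCTime="2024-01-01T10:01:10"
"""

# Matches key="value" pairs; keys may contain hyphens (Src-ip, Dst-alias, Response-code).
PAIR_RE = re.compile(r'(\S+?)="([^"]*)"')


def parse_event(line):
    """Return the key/value pairs of one tvcs line as a dict, or None if not a tvcs line."""
    if "tvcs:" not in line:
        return None
    return dict(PAIR_RE.findall(line))


def find_enumerators(log_text, min_targets=3):
    """Group 404 'Call Rejected' events by Src-ip and flag sources that hit
    at least min_targets distinct destination aliases. Returns a dict keyed
    by Src-ip with the distinct target count and the time span of the probes."""
    targets = defaultdict(set)
    times = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("Event") != "Call Rejected" or ev.get("Response-code") != "404":
            continue
        src = ev.get("Src-ip")
        targets[src].add(ev.get("Dst-alias"))
        times[src].append(datetime.fromisoformat(ev["UTCTime"]))
    flagged = {}
    for src, aliases in targets.items():
        if len(aliases) >= min_targets:
            ts = sorted(times[src])
            span = (ts[-1] - ts[0]).total_seconds()
            flagged[src] = {"distinct_targets": len(aliases), "span_seconds": span}
    return flagged


if __name__ == "__main__":
    for src, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_targets']} distinct aliases over {info['span_seconds']:.0f}s")
```

Feed it the Expressway event log export instead of `SAMPLE_LOG`; a low-rate scanner shows up as one source with many distinct `Dst-alias` values, whereas a legitimate misdial stays below the threshold.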