Is this a DDoS to reach Asterisk?


Hi Everyone,

I have pfSense running, which supplies Asterisk with DHCP. I had some test
ports open for a web server, which I have now closed completely, but when I
choose option 10 (filter log) on pfSense I see all of this type of traffic
(note that at first it was only a single IP, and once I blocked that one it was
like opening a can full of bees, with all different IPs):

tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
000000 rule 70/0(match): block in on vr1: 221.132.34.165.33556 > 69.90.78.53.52229: tcp 20 [bad hdr length 0 - too short, < 20]
6.239658 rule 70/0(match): block in on vr1: 121.207.254.227.6667 > 69.90.78.38.3072: tcp 24 [bad hdr length 0 - too short, < 20]
7.986724 rule 70/0(match): block in on vr1: 61.231.237.223.4155 > 69.90.78.62.445: tcp 28 [bad hdr length 0 - too short, < 20]
2.867707 rule 70/0(match): block in on vr1: 61.231.237.223.4155 > 69.90.78.62.445: tcp 28 [bad hdr length 0 - too short, < 20]
2.799337 rule 70/0(match): block in on vr1: 186.36.73.212.4545 > 69.90.78.56.445: tcp 28 [bad hdr length 0 - too short, < 20]
2.931814 rule 70/0(match): block in on vr1: 186.36.73.212.4545 > 69.90.78.56.445: tcp 28 [bad hdr length 0 - too short, < 20]
1.574556 rule 70/0(match): block in on vr1: 190.7.59.45.1341 > 69.90.78.43.445: tcp 28 [bad hdr length 0 - too short, < 20]
2.956066 rule 70/0(match): block in on vr1: 190.7.59.45.1341 > 69.90.78.43.445: tcp 28 [bad hdr length 0 - too short, < 20]
1.598334 rule 70/0(match): block in on vr1: 2.95.19.121.3463 > 69.90.78.42.445: tcp 20 [bad hdr length 8 - too short, < 20]
072759 rule 70/0(match): block in on vr1: 123.192.177.2.54518 > 69.90.78.43.445: tcp 20 [bad hdr length 8 - too short, < 20]
109451 rule 70/0(match): block in on vr1: 219.163.19.138.3723 > 69.90.78.63.445: tcp 28 [bad hdr length 0 - too short, < 20]
2.731065 rule 70/0(match): block in on vr1: 2.95.19.121.3463 > 69.90.78.42.445: tcp 16 [bad hdr length 12 - too short, < 20]
159413 rule 70/0(match): block in on vr1: 123.192.177.2.54518 > 69.90.78.43.445: tcp 20 [bad hdr length 8 - too short, < 20]
374293 rule 70/0(match): block in on vr1: 219.163.19.138.3723 > 69.90.78.63.445: tcp 16 [bad hdr length 12 - too short, < 20]
10.234202 rule 70/0(match): block in on vr1: 189.105.69.200.2413 > 69.90.78.52.445: tcp 20 [bad hdr length 12 - too short, < 20]
2.985558 rule 70/0(match): block in on vr1: 189.105.69.200.2413 > 69.90.78.52.445: tcp 20 [bad hdr length 12 - too short, < 20]
13.236084 rule 70/0(match): block in on vr1: 82.51.36.230.2923 > 69.90.78.35.445: tcp 16 [bad hdr length 12 - too short, < 20]
2.982122 rule 70/0(match): block in on vr1: 82.51.36.230.2923 > 69.90.78.35.445: tcp 16 [bad hdr length 12 - too short, < 20]
18.493312 rule 70/0(match): block in on vr1: 218.16.118.242.80 > 69.90.78.47.39781: tcp 16 [bad hdr length 12 - too short, < 20]
2.477084 rule 70/0(match): block in on vr1: 218.16.118.242.80 > 69.90.78.47.39781: tcp 16 [bad hdr length 12 - too short, < 20]
9.777792 rule 70/0(match): block in on vr1: 121.243.16.214.1677 > 69.90.78.54.445: tcp 16 [bad hdr length 12 - too short, < 20]
1.216002 rule 70/0(match): block in on vr1: 172.168.0.4.1568 > 69.90.78.49.445: [|tcp]
321600 rule 70/0(match): block in on vr1: 72.179.18.165.2854 > 69.90.78.55.445: tcp 20 [bad hdr length 8 - too short, < 20]
1.383839 rule 70/0(match): block in on vr1: 121.243.16.214.1677 > 69.90.78.54.445: [|tcp]
1.466115 rule 70/0(match): block in on vr1: 72.179.18.165.2854 > 69.90.78.55.445: [|tcp]
7.977140 rule 70/0(match): block in on vr1: 41.72.209.67.4532 > 69.90.78.36.445: [|tcp]
2.920013 rule 70/0(match): block in on vr1: 41.72.209.67.4532 > 69.90.78.36.445: [|tcp]
29.032839 rule 70/0(match): block in on vr1: 201.168.49.13.1404 > 69.90.78.55.445: [|tcp]
2.996906 rule 70/0(match): block in on vr1: 201.168.49.13.1404 > 69.90.78.55.445: [|tcp]
62.079279 rule 70/0(match): block in on vr1: 82.165.131.28.6005 > 69.90.78.47.1024: [|tcp]
34.224871 rule 67/0(match): block in on vr1: 77.34.234.241.1899 > 69.90.78.43.445: [|tcp]
3.006367 rule 67/0(match): block in on vr1: 77.34.234.241.1899 > 69.90.78.43.445: [|tcp]
20.274886 rule 67/0(match): block in on vr1: 66.211.120.62.1132 > 69.90.78.55.445: [|tcp]
2.893859 rule 67/0(match): block in on vr1: 66.211.120.62.1132 > 69.90.78.55.445: [|tcp]
28.739620 rule 67/0(match): block in on vr1: 117.197.247.151.1042 > 69.90.78.55.445: [|tcp]
2.936286 rule 67/0(match): block in on vr1: 117.197.247.151.1042 > 69.90.78.55.445: [|tcp]
1.207250 rule 67/0(match): block in on vr1: 118.171.176.188.42965 > 69.90.78.43.445: [|tcp]
3.015370 rule 67/0(match): block in on vr1: 118.171.176.188.42965 > 69.90.78.43.445: [|tcp]
7.088359 rule 67/0(match): block in on vr1: 61.130.103.10 > 69.90.78.42: [|icmp]
11.825521 rule 67/0(match): block in on vr1: 71.100.221.211.4521 > 69.90.78.33.445: [|tcp]
2.316564 rule 67/0(match): block in on vr1: 61.130.103.10 > 69.90.78.42: [|icmp]
626845 rule 67/0(match): block in on vr1: 71.100.221.211.4521 > 69.90.78.33.445: tcp 20 [bad hdr length 8 - too short, < 20]
5.041794 rule 67/0(match): block in on vr1: 95.224.51.107.1378 > 69.90.78.48.1434: UDP, length 376
8.978999 rule 67/0(match): block in on vr1: 221.132.34.165.33556 > 69.90.78.53.52229: [|tcp]
8.067764 rule 67/0(match): block in on vr1: 117.22.229.187.2882 > 69.90.78.36.1434: UDP, length 376
7.936396 rule 67/0(match): block in on vr1: 117.211.83.182.1919 > 69.90.78.59.445: [|tcp]
2.890145 rule 67/0(match): block in on vr1: 117.211.83.182.1919 > 69.90.78.59.445: [|tcp]
4.611658 rule 67/0(match): block in on vr1: 61.32.84.165.2561 > 69.90.78.43.445: [|tcp]
007399 rule 67/0(match): block in on vr1: 69.39.235.5.5060 > 69.90.78.40.5060: SIP, length: 403
2.932101 rule 67/0(match): block in on vr1: 61.32.84.165.2561 > 69.90.78.43.445: [|tcp]
14.157570 rule 67/0(match): block in on vr1: 83.239.20.74.3191 > 69.90.78.54.445: [|tcp]
2.229645 rule 67/0(match): block in on vr1: 75.97.10.248.2556 > 69.90.78.54.445: [|tcp]
773124 rule 67/0(match): block in on vr1: 83.239.20.74.3191 > 69.90.78.54.445: [|tcp]
2.102083 rule 67/0(match): block in on vr1: 75.97.10.248.2556 > 69.90.78.54.445: [|tcp]
6.378646 rule 67/0(match): block in on vr1: 114.42.222.45.31689 > 69.90.78.39.445: [|tcp]
2.950717 rule 67/0(match): block in on vr1: 114.42.222.45.31689 > 69.90.78.39.445: [|tcp]
6.111112 rule 67/0(match): block in on vr1: 186.122.147.6.32221 > 69.90.78.45.445: [|tcp]
3.608465 rule 67/0(match): block in on vr1: 186.122.147.6.32221 > 69.90.78.45.445: [|tcp]

Thanks,
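The practical way to answer "is this a DDoS?" from a pflog dump like the one above is to stop reading it line by line and instead aggregate it: which destination ports are being hit, how many distinct sources are involved, how many packets each source sends, and how many of your addresses they spread across. A flood concentrates volume from many sources on one target; background scanning is many sources sending a packet or two each across a whole range. The script below is an added example written for this page, not code from the original post, pfSense or tcpdump. It parses the tcpdump/pflog line format shown above (the regex, the port-to-service labels and the scan-versus-flood thresholds are the example's own assumptions), over a constructed sample built from a few of the post's lines. It also flags the `[|tcp]` and `bad hdr length` records separately, because with a 96-byte capture size those usually mean tcpdump ran out of captured bytes before the transport header, not that the packet on the wire was malformed; re-running with a larger snaplen (`-s 0`) is the way to check.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the pflog/tcpdump lines in the post above.
# Addresses are copied from the post; timestamps and ordering are made up.
SAMPLE_LOG = """\
0.000000 rule 70/0(match): block in on vr1: 61.231.237.223.4155 > 69.90.78.62.445: tcp 28 [bad hdr length 0 - too short, < 20]
2.867707 rule 70/0(match): block in on vr1: 61.231.237.223.4155 > 69.90.78.62.445: tcp 28 [bad hdr length 0 - too short, < 20]
2.799337 rule 70/0(match): block in on vr1: 186.36.73.212.4545 > 69.90.78.56.445: tcp 28 [bad hdr length 0 - too short, < 20]
1.574556 rule 70/0(match): block in on vr1: 190.7.59.45.1341 > 69.90.78.43.445: [|tcp]
5.041794 rule 67/0(match): block in on vr1: 95.224.51.107.1378 > 69.90.78.48.1434: UDP, length 376
0.007399 rule 67/0(match): block in on vr1: 69.39.235.5.5060 > 69.90.78.40.5060: SIP, length: 403
7.088359 rule 67/0(match): block in on vr1: 61.130.103.10 > 69.90.78.42: [|icmp]
6.239658 rule 70/0(match): block in on vr1: 121.207.254.227.6667 > 69.90.78.38.3072: tcp 24 [bad hdr length 0 - too short, < 20]
"""

# One pflog record as printed by tcpdump: optional timestamp, rule id, action,
# direction, interface, "src > dst:", then the protocol decode (assumed shape).
LINE_RE = re.compile(
    r"^(?:(?P<ts>[\d:.]+)\s+)?rule (?P<rule>\d+/\d+)\(match\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<rest>.*)$"
)

# Well-known assignments for the destination ports that appear in the post.
SERVICES = {
    445: "microsoft-ds (SMB)",
    1434: "ms-sql-m (SQL Server browser)",
    5060: "sip",
    80: "http",
    6667: "irc",
}


def split_endpoint(ep):
    """'a.b.c.d.port' -> ('a.b.c.d', port); a bare 'a.b.c.d' (ICMP) -> (ip, None)."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return ep, None


def parse_line(line):
    """Return a record dict for one pflog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    rest = m["rest"]
    low = rest.lower()
    if "icmp" in low:
        proto = "icmp"
    elif low.startswith("tcp") or "[|tcp]" in low:
        proto = "tcp"
    else:
        proto = "udp"  # "UDP, length N" and tcpdump's "SIP" decode on udp/5060
    return {
        "rule": m["rule"], "action": m["action"], "iface": m["iface"],
        "src": src_ip, "sport": src_port, "dst": dst_ip, "dport": dst_port,
        "proto": proto,
        # "[|tcp]" / "bad hdr length": tcpdump could not decode the transport
        # header. With a small snaplen that is a capture-length artifact and
        # should be re-checked with "-s 0" before treating it as malformed traffic.
        "truncated": rest.startswith("[|") or "bad hdr length" in rest,
    }


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize_by_port(records):
    """Per (proto, dport): packet count, distinct sources and distinct targets."""
    summary = {}
    for r in records:
        key = (r["proto"], r["dport"])
        s = summary.setdefault(key, {
            "service": SERVICES.get(r["dport"], "?"),
            "packets": 0, "sources": set(), "targets": set(),
        })
        s["packets"] += 1
        s["sources"].add(r["src"])
        s["targets"].add(r["dst"])
    return summary


def truncated_fraction(records):
    """Share of records tcpdump could not fully decode (capture-length check)."""
    if not records:
        return 0.0
    return sum(1 for r in records if r["truncated"]) / len(records)


def classify(records, max_pkts_per_source=3):
    """Crude triage: many sources with a packet or two each, spread over several
    targets, looks like background scanning; sustained volume from sources
    against few targets looks like a flood. Thresholds are assumptions."""
    if not records:
        return "empty"
    per_src = defaultdict(int)
    for r in records:
        per_src[r["src"]] += 1
    targets = {r["dst"] for r in records}
    if max(per_src.values()) <= max_pkts_per_source and len(targets) > 1:
        return "scan-like"
    return "flood-like"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (proto, port), s in sorted(summarize_by_port(recs).items(), key=lambda kv: -kv[1]["packets"]):
        print(f"{proto}/{port} {s['service']}: {s['packets']} pkts, "
              f"{len(s['sources'])} sources, {len(s['targets'])} targets")
    print(f"undecodable records: {truncated_fraction(recs):.0%}")
    print("verdict:", classify(recs))
```

Feed it the real dump (`python3 triage.py < pflog.txt` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and the per-port table makes the picture obvious: nearly everything is tcp/445 from unrelated sources, two packets each, spread over the whole 69.90.78.x range, with a sprinkling of udp/1434 and a single SIP probe to 5060. That is the profile of routine Internet scanning hitting a closed port, not of a flood aimed at Asterisk.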

3 thoughts on - Is this a DDoS to reach Asterisk?

  • Bruce B wrote:
    Always in cases like this find out what service might be targeted.
    What’s on tcp port 445? Microsoft-Directory Services

    Enough said. The script kiddies have a new tool to play with to break
    into Microsoft based systems…

    Lyle

  • And that’s the problem. There is no such service running, and no such port is
    open. They just keep trying this for no reason. It might cost us bandwidth
    for no reason. In fact there are no open ports on our network whatsoever.

    Thanks

  • Welcome to the Internet!

    It’s a fact of life when having equipment connected to the Internet. The
    script kiddies are always probing and trying.

    Lyle

    Bruce B wrote: