14 thoughts on - Numbers Hackers Call

• 972 is Israel

  See: http://en.wikipedia.org/wiki/List_of_country_calling_codes#Ordered_by_code

  —–Original Message—

• I show that as “Israel Cellular Jawall”.

  j

• Hi

  The 11 bit is them thinking there’s some prefix which will cause your PBX
  to become an open relay. The number (97259) is a Palestine Mobile number. These’s a lot of hacking attempts coming from Palestine and this type of number probably has some revenue generation properties to it.

  Regards

  Ish

• http://en.wikipedia.org/wiki/Telephone_numbers_in_Israel

  Looks like it a mobile in Palestine – sure someone from Israel can tell us more….

  2014-03-26 16:05 GMT+01:00 Michelle Dupuis :

• The number is not important i think.

  You need to block those country’s you never use to connect to your asterisk system.

  I bet this call is made from palestine/israel too.

  Best regards.

  Emiliano

  Enviado desde mi BlackBerry de Personal (http://www.personal.com.ar/)

  —–Original Message—

• It’s an international call to +972595XXXXXX, tried with the 00, 001 and no prefix What is confusing?

  Steve

• If this is to 972 area code then the next digits should be 0X or 0XX but they are not. This differs from what I found documented for that area code – I thought someone from the region might add to the discussion. Not sure if this reflected a premium service etc. (But someone jumped in with an explanation)

  I’m guessing you have nothing to add to the discussion?

• I never mentioned the 972 area code. It

• 0X or 0XX is only if you’re in country and need to dial with the 0
  national trunk code (much like dialing 1+ in the US for an in country but long distance call). Someone dialing from outside the country doesn’t need to add the zero, so they just use the 972 country code + 59
  prefix.

• You never dial the local trunk prefix when you’re calling internationally.

• Italy is the only exception where dialing from outside the country requires the leading 0, but that is because the leading 0 isn’t used as a trunk prefix

  The ITU provides copies of each country’s dialing plan for free at http://www.itu.int/oth/T0202.aspx?parent=T0202#A

• Those lame hacking attempts aren’t the big issue – unless you have an insecure SIP-PBX. Germany just got hit with a wave of hacks of Fritz!Box home routers with integrated SIP, causing hundreds of thousands in damage. The big issue is that the ISPs worldwide don’t give a crap about complaints! And that’s not only some backwater-ISPs in some 3rd world countries! It’s mainly the big names, like Hetzner, L3, etc. who – oh well, yeah – send you an autoreply but in the end don’t bother doing anything. Just recently was an article, again in a German IT-newsticker, about Hetzner’s “abuse handling”. They just forward the complaint to their customer, including full contact data – which is pretty much illegal
  (privacy protection, etc.) – but they don’t follow up.

  I got so fed up that I now put the top 20 of attacking IPs to my website…

  Current top 5:
  1. iWeb (Canada)
  2. Level 3 (USA)
  3. Dacom (S-Korea)
  4. Intergenia (Germany)
  5. OVH (France)

  See http://stefan.gofferje.net/it-stuff/sipfraud

  Really, if everybody would run statistics on attacks and publish them, those ISPs would pretty quickly not only start reacting to fouled servers but probably start monitoring proactively because being in the top 20 of attacker-IPs ain’t good for their reputation…

  -S

• I have an iptables file which blocks all traffic except traffic from networks allocated by ARIN or are Legacy networks. I pulled the information from http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml

  My iptables script can be found at the link below.

  http://help.nyigc.net/tmp/iptables_geoblock

  It might be helpful to someone.

  —–Original Message—

• Below’s my solution. I specifically block China, Korea and Palestine. That already massively reduced my amount of attacks. I can’t block as much as you because I do allow unregistered inbound SIP calls to sip:stefan@home.mylastname.net. CN, KR and PS are currently the only attack origins from where I wouldn’t expect legit inbound traffic.

  Here’s my script (pulls data from ipdeny.com). The script is called in my primary IPTABLES script after flushing and before my specific ruleset. And it runs on my perimeter firewall.

  WARNING: That’s about 5000 networks to stuff into the tables! My fw is a Phenom 8650 3-core machine and it takes about 8.5 minutes to stuff all the rules into the kernel!

  #!/bin/bash

  IPTABLES=”/sbin/iptables”
  ANY=”0.0.0.0/0″
  BLOCKDIR=”blocklist.d”

  if ! test -d ${BLOCKDIR}; then
  mkdir ${BLOCKDIR}
  fi

  DATE=$(date)

  echo “Country blocking rules…”
  echo “Downloading rules…”

  curl -s http://www.ipdeny.com/ipblocks/data/countries/cn.zone -o
  ${BLOCKDIR}/cn.zone || echo “Warning: Couldn’t download CN zone”
  curl -s http://www.ipdeny.com/ipblocks/data/countries/kr.zone -o
  ${BLOCKDIR}/kr.zone || echo “Warning: Couldn’t download KR zone”
  curl -s http://www.ipdeny.com/ipblocks/data/countries/ps.zone -o
  ${BLOCKDIR}/ps.zone || echo “Warning: Couldn’t download PS zone”

  echo “Done downloading. Setting rules…”

  for FILE in ${BLOCKDIR}/*zone; do
  for ADDRESS in $(cat ${FILE}); do
  echo “Blocking network: ${ADDRESS}…”
  $IPTABLES -A INPUT -s ${ADDRESS} -d $ANY -j DROP
  $IPTABLES -A INPUT -s ${ADDRESS} -d $ANY -j LOG –log-prefix
  “Packet log: COUNTRY DROP ”
  $IPTABLES -A FORWARD -s ${ADDRESS} -d $ANY -j DROP
  $IPTABLES -A FORWARD -s ${ADDRESS} -d $ANY -j LOG –log-prefix
  “Packet log: COUNTRY DROP ”
  done done

  echo “Done. Started: ${DATE}, finished: $(date)”