In case anyone is interested… I have started compiling a blacklist of hosts and networks from which SIP fraud attempts occur. My criteria currently are:
To block an IP:
– Minimum 3 attacks within one week from the same IP
To block a network:
– Attacks from minimum 3 IPs from that network within 2 weeks
Common criteria:
– Provider does not react to complaints OR
– Provider sends autoreply but attacks don’t stop within a week
Definition of attack:
– Minimum 5 attempts to make an unauthorized phone call to a non-PBX-internal number OR
– Minimum 10 attempts to make an unauthorized phone call to a PBX-internal number OR
– Minimum 10 failed authentication attempts
If this happens, the IP gets auto-banned (iptables) for 24 hours and goes to my watch list. The watch list is the base for my further decisions.
Currently, I don’t remove IPs or networks from the list. If I have time and/or motivation I might create some kind of removal process later – also, depending on how big the list gets and how many people use it.
The list is yet pretty short but for me, it has reduced the noise on my PBX from 20-30 attacks per day to about 2 or 3 per week, especially after most of the Palestinian networks ended up on the list.
You’re free to use the list – on your own responsibility and risk. It’s in the ipdeny.com format, so a simple script can be used to CURL the list and create iptables rules from it. A sample script for something like that is also on my website (check the Linux section).
That’s the website for the list:
And that’s the download URL:
Note that the list is updated every 6h so polling it more often doesn’t help anything. Please limit polling to once a day or so.
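As an added illustration (not the poster's own tooling), here is the blocking logic described above written out in Python and run over a constructed sample log. The thresholds (5/10/10 for an attack, 3 attacks per IP within a week, 3 IPs per network within two weeks) are the ones stated in the post; two details the post leaves open are filled in as labelled assumptions: an "attack" is evaluated per source IP per UTC day, and a "network" is approximated by the source's /24. The log line format and the TEST-NET addresses are constructed for the example.

```python
"""Threshold logic for a SIP-fraud watch list: which attacking IPs and
networks meet the blocking criteria, evaluated over constructed sample events."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Thresholds taken from the post
EXTERNAL_CALL_MIN = 5            # unauthorized calls to a non-PBX-internal number
INTERNAL_CALL_MIN = 10           # unauthorized calls to a PBX-internal number
AUTH_FAIL_MIN = 10               # failed authentication attempts
IP_ATTACK_MIN = 3                # attacks from one IP ...
IP_WINDOW = timedelta(days=7)    # ... within one week
NET_IP_MIN = 3                   # attacks from distinct IPs in one network ...
NET_WINDOW = timedelta(days=14)  # ... within two weeks
# Assumptions not stated in the post: one "attack" is judged per source IP per
# UTC day, and a "network" is approximated by the source's /24.
NET_PREFIX = 24


def parse_events(lines):
    """Parse constructed log lines of the form '<ISO timestamp> <ip> <kind>'."""
    events = []
    for line in lines:
        ts, ip, kind = line.split()
        events.append((datetime.fromisoformat(ts), ip_address(ip), kind))
    return events


def detect_attacks(events):
    """Return sorted (day, ip) pairs whose events meet the attack definition."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, ip, kind in events:
        counts[(ts.date(), ip)][kind] += 1
    attacks = []
    for (day, ip), c in counts.items():
        if (c["call_external"] >= EXTERNAL_CALL_MIN
                or c["call_internal"] >= INTERNAL_CALL_MIN
                or c["auth_fail"] >= AUTH_FAIL_MIN):
            attacks.append((day, ip))
    return sorted(attacks)


def ips_to_block(attacks):
    """IPs with at least IP_ATTACK_MIN attacks inside any IP_WINDOW span."""
    days_by_ip = defaultdict(list)
    for day, ip in attacks:
        days_by_ip[ip].append(day)
    blocked = set()
    for ip, days in days_by_ip.items():
        days.sort()
        for i in range(len(days) - IP_ATTACK_MIN + 1):
            if days[i + IP_ATTACK_MIN - 1] - days[i] <= IP_WINDOW:
                blocked.add(ip)
                break
    return blocked


def networks_to_block(attacks):
    """Networks with attacks from at least NET_IP_MIN distinct IPs inside any NET_WINDOW span."""
    by_net = defaultdict(list)
    for day, ip in attacks:
        by_net[ip_network(f"{ip}/{NET_PREFIX}", strict=False)].append((day, ip))
    blocked = set()
    for net, items in by_net.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            ips = {ip for day, ip in items[i:] if day - start <= NET_WINDOW}
            if len(ips) >= NET_IP_MIN:
                blocked.add(net)
                break
    return blocked


def _burst(ip, day, kind, n):
    """Constructed sample: n events of `kind` from ip on 2024-03-<day>."""
    return [f"2024-03-{day:02d}T03:{i:02d}:00 {ip} {kind}" for i in range(n)]


# Constructed sample log (TEST-NET addresses, not real attackers)
SAMPLE_LOG = (
    _burst("203.0.113.5", 1, "auth_fail", 10) + _burst("203.0.113.5", 3, "auth_fail", 12)
    + _burst("203.0.113.5", 6, "auth_fail", 10)        # 3 attacks in 6 days -> block IP
    + _burst("203.0.113.9", 2, "call_external", 5)     # 1 attack
    + _burst("203.0.113.9", 4, "auth_fail", 4)         # below threshold, not an attack
    + _burst("203.0.113.77", 10, "call_internal", 10)  # 1 attack; 3rd IP in the /24 -> block network
    + _burst("198.51.100.4", 1, "auth_fail", 10) + _burst("198.51.100.4", 5, "auth_fail", 10)
    + _burst("198.51.100.4", 12, "auth_fail", 10)      # 3 attacks, but spread over 11 days -> no block
)


def evaluate(lines=SAMPLE_LOG):
    """Run the full pipeline and return (blocked IPs, blocked networks)."""
    attacks = detect_attacks(parse_events(lines))
    return ips_to_block(attacks), networks_to_block(attacks)


if __name__ == "__main__":
    ips, nets = evaluate()
    print("block IPs:", sorted(map(str, ips)))
    print("block networks:", sorted(map(str, nets)))
```

On the sample, only 203.0.113.5 meets the per-IP rule, while 203.0.113.0/24 is blocked as a network because three different hosts in it attacked within two weeks even though two of them never crossed the per-IP threshold; the 198.51.100.4 case shows why the window matters, since three attacks spread over eleven days do not qualify.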