Attacks from plusserver.de
Feb 09, 2014 at 03:55 PM

For the last three days, an amateurish brute-force dictionary attack from 188.138.26.154/32 took place and stole my bandwidth with a malicious background (please - who still has insecure credentials on a publicly available SIP server in 2014?). That IP address belongs to the (in such concerns) not so reputable ISP in Germany, plusserver.de.

As I was working on something else VoIP-related, I finally got tired of the useless 'auth failed' messages clogging my Asterisk log and shut down incoming traffic from that IP range yesterday (see the red line indicating the number of blocked packets on the SIP server). Since the attacks still kept on going today, I decided to file a complaint.

I usually do a short screening of an ISP/NOC before I bother writing an abuse mail, since often enough it's simply wasted time as some companies just don't care. Most often this is because they're already fighting "a bigger fire than this one" and do not have the necessary resources for smaller incidents. I don't know what the problem was at plusserver.de, but I looked hard and could only find negative references on how they react to abuse mails, so I called their customer support directly. Not wanting to presume they have a structural security problem, it had to be an issue with a customer and therefore was of interest to their customer support as well.

The guy at the support hotline at first didn't want to talk to me, since I'm not a customer. I had to remind him several times we're probably talking about one of his customers' misbehaviour or even worse and there are other official ways to deal with criminal people that involve way more costs and efforts on both sides. So finally he listened to me, and that was one of his better ideas that day. Funnily enough, he still refused to hear further details except for the IP address from where the attack originated. So, assuming a technically educated person and referring to Occam's Razor, I must assume he already knew what was going on.

I mean, what's wrong with these guys? It's like telling someone "hey, your car leaks oil while you drive" and he answers "don't care, talk to the garage, you're no customer of mine". While he stayed professionally kind and polite during the phone call, there really needs to be some readjustment of the support's attitude, if you ask me.

The good thing about this - they seem to have taken care of this box pretty fast! I don't know if it helped that I reminded him I consider this to be an official abuse report and it's now up to internal procedures to handle their security problem, but I did.

It could be of interest that the support guy also told me "there's no server associated to that IP address", but again, I don't want to insinuate anything here. In fact, I don't care how you use your company's unassigned resources, but as a matter of fact: There was something switched on and connected to the internet molesting other people. A few minutes after my complaint it stopped - it's as simple as that.
