Anatomy of a Small VOIP CNE Attack

Fresh from my router. Maybe I am paranoid, but this has all the hallmarks of reconnaissance written all over …

2012 Mar 1 02:25:53 [Gateway] [kernel] WAN2DMZ[DROP] IN=WAN OUT=WAN SRC=115.168.71.84 DST=192.168.1.248 PROTO=UDP SPT=5060 DPT=5060
2012 Feb 27 16:40:39 [Gateway] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=WAN SRC=184.107.243.114 DST=192.168.1.248 PROTO=UDP SPT=5064 DPT=5060
2012 Feb 27 05:28:55 [Gateway] [kernel] WAN2DMZ[DROP] IN=WAN OUT=WAN SRC=208.106.250.39 DST=192.168.1.248 PROTO=UDP SPT=5063 DPT=5060
2012 Feb 26 18:51:36 [Gateway] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=WAN SRC=184.107.243.114 DST=192.168.1.248 PROTO=UDP SPT=5061 DPT=5060
2012 Feb 25 21:52:15 [Gateway] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=WAN SRC=184.107.243.114 DST=192.168.1.248 PROTO=UDP SPT=5063 DPT=5060
2012 Feb 25 11:29:03 [Gateway] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=WAN SRC=115.168.71.84 DST=192.168.1.248 PROTO=UDP SPT=5060 DPT=5060
2012 Feb 24 05:08:00 [Gateway] [kernel] WAN2DMZ[DROP] IN=WAN OUT=WAN SRC=65.111.170.208 DST=192.168.1.248 PROTO=UDP SPT=5062 DPT=5060
2012 Feb 23 23:43:28 [Gateway] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=WAN SRC=65.111.170.208 DST=192.168.1.248 PROTO=UDP SPT=5060 DPT=5060
2012 Feb 23 18:57:40 [Gateway] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=WAN SRC=184.172.12.115 DST=192.168.1.248 PROTO=UDP SPT=5062 DPT=5060
2012 Feb 23 10:20:53 [Gateway] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=WAN SRC=208.106.250.39 DST=192.168.1.248 PROTO=UDP SPT=5062 DPT=5060
2012 Feb 21 21:19:59 [Gateway] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=WAN SRC=173.242.123.157 DST=192.168.1.248 PROTO=UDP SPT=5062 DPT=5060
2012 Feb 21 02:31:03 [Gateway] [kernel] WAN2DMZ[DROP] IN=WAN OUT=WAN SRC=216.14.120.85 DST=192.168.1.248 PROTO=UDP SPT=5062 DPT=5060
2012 Feb 20 00:09:06 [Gateway] [kernel] WAN2DMZ[DROP] IN=WAN OUT=WAN SRC=174.137.168.61 DST=192.168.1.248 PROTO=UDP SPT=5076 DPT=5060
2012 Feb 18 21:44:33 [Gateway] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=WAN SRC=115.168.71.84 DST=192.168.1.248 PROTO=UDP SPT=5060 DPT=5060
2012 Feb 18 09:20:40 [Gateway] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=WAN SRC=78.129.240.147 DST=192.168.1.248 PROTO=UDP SPT=5062 DPT=5060
2012 Feb 18 08:16:42 [Gateway] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=WAN SRC=209.238.103.193 DST=192.168.1.248 PROTO=UDP SPT=5067 DPT=5060
2012 Feb 18 05:30:49 [Gateway] [kernel] WAN2DMZ[DROP] IN=WAN OUT=WAN SRC=109.169.37.62 DST=192.168.1.248 PROTO=UDP SPT=5066 DPT=5060
2012 Feb 17 10:47:06 [Gateway] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=WAN SRC=115.168.71.84 DST=192.168.1.248 PROTO=UDP SPT=5060 DPT=5060
2012 Feb 16 01:26:18 [Gateway] [kernel] WAN2DMZ[DROP] IN=WAN OUT=WAN SRC=85.25.100.44 DST=192.168.1.248 PROTO=UDP SPT=5060 DPT=5060
2012 Feb 15 23:40:58 [Gateway] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=WAN SRC=123.238.137.150 DST=192.168.1.248 PROTO=UDP SPT=5060 DPT=5060

Let’s see: China Telecom, Beijing; iWeb, Montreal; CrystalTech, Phoenix, AZ; China Telecom, Beijing; etc.
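One way to turn a log like this into a per-source summary, as an added example (not the author's code): it parses the WAN2DMZ lines, groups UDP hits on port 5060 by source address, and lists the sources that come back on more than one day, with accepted and dropped counts kept apart. The function names and the `min_days` threshold are assumptions; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Six of the gateway log lines shown above, copied verbatim.
SAMPLE_LOG = """\
2012 Mar 1 02:25:53 [Gateway] [kernel] WAN2DMZ[DROP] IN=WAN OUT=WAN SRC=115.168.71.84 DST=192.168.1.248 PROTO=UDP SPT=5060 DPT=5060
2012 Feb 27 16:40:39 [Gateway] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=WAN SRC=184.107.243.114 DST=192.168.1.248 PROTO=UDP SPT=5064 DPT=5060
2012 Feb 26 18:51:36 [Gateway] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=WAN SRC=184.107.243.114 DST=192.168.1.248 PROTO=UDP SPT=5061 DPT=5060
2012 Feb 25 21:52:15 [Gateway] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=WAN SRC=184.107.243.114 DST=192.168.1.248 PROTO=UDP SPT=5063 DPT=5060
2012 Feb 25 11:29:03 [Gateway] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=WAN SRC=115.168.71.84 DST=192.168.1.248 PROTO=UDP SPT=5060 DPT=5060
2012 Feb 16 01:26:18 [Gateway] [kernel] WAN2DMZ[DROP] IN=WAN OUT=WAN SRC=85.25.100.44 DST=192.168.1.248 PROTO=UDP SPT=5060 DPT=5060
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} [\d:]{8}) .*?WAN2DMZ\[(?P<action>ACCEPT|DROP)\].*?"
    r"SRC=(?P<src>\S+) DST=\S+ PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Return a dict for one firewall line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(" ".join(rec["ts"].split()), "%Y %b %d %H:%M:%S")
    return rec

def summarize_sip_hits(log_text, sip_port=5060):
    """Group UDP hits on the SIP port by source address."""
    by_src = defaultdict(lambda: {"accept": 0, "drop": 0, "days": set(), "spts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or int(rec["dpt"]) != sip_port:
            continue
        entry = by_src[rec["src"]]
        entry[rec["action"].lower()] += 1
        entry["days"].add(rec["ts"].date())
        entry["spts"].add(int(rec["spt"]))
    return by_src

def repeat_sources(summary, min_days=2):
    """Sources seen on at least min_days distinct days, most persistent first."""
    rows = [(src, len(e["days"]), e["accept"], e["drop"], sorted(e["spts"]))
            for src, e in summary.items() if len(e["days"]) >= min_days]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    print(*repeat_sources(summarize_sip_hits(SAMPLE_LOG)), sep="\n")
```

Each row is (source, distinct days seen, accepted, dropped, source ports used).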

 
