<div dir="ltr"><div class="gmail_quote">On Tue, Oct 23, 2012 at 7:40 PM, ik <span dir="ltr"><<a href="mailto:idokan@gmail.com" target="_blank">idokan@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
><br><div class="im">
> If so - are you sure they're _attacking_ you? Absolutely positive that what<br>
> you're seeing is NOT returning packets for packets that have originated from<br>
> YOUR network? (could be internal computers with malware...)<br>
<br>
</div>I see the automated scanners in the log, trying to do stuff, but they<br>
are very narrow cans for specific tasks of specific servers.<br>
For example attempting to connect to SIP extensions on Asterisk and try to dial.<br>
<div class="im"><br></div></blockquote><div><br>I can only answer to the scenario's you're giving. So I'll have to start with SIP.<br><br>SIP as a protocol has a feature that allows you to re-route the RTP stream over the fly between different endpoints.<br>
<br>Common case I can think of: <br><br>* Your Asterisk box is connecting to an external SIP termination service;<br>* Your Asterisk has canreinvite=1 for endpoints. <br>* You start a call to a number that belongs on the SIP termination service trunk<br>
* The call is answered<br>* If the endpoint can reach the Internet, there's really no point in sending all the RTP traffic through Asterisk (unless it's doing MeetMe conferencing, IVR et al...)<br>* SIP renegotiates the streams to go directly from your endpoint to the media gateway on the other side<br>
* Your firewall is SIP aware, reads the traffic, allows RTP to 'punch a hole through the firewall' - even though you have no specific rule. (search for SIP ALG (=Application Level Gateway) in your FW settings)<br>
* The RTP stream could look like an attack attempt of "UDP traffic at a random high port number"...<br><br>Makes any sense?<br><br>-- Shimi<br></div></div></div>