Score:0

Can bots scanning my server change their source IP? Why do I keep getting attacks even after blocking the IP?


I have a PBX (VoIP server) where phones connect in order to make phone calls. The PBX I am using is Asterisk. That server is not being used and its only purpose is to analyze attacks.

The PBX service is not important; if I had a different service such as a MongoDB, I am sure bots on the internet would search for vulnerabilities to attack that database.

Anyway, I am analysing all the packets that arrive at my server on UDP port 5060 (that is where Asterisk listens), and the packets that arrive look like this:

IP (tos 0x0, ttl 113, id 654, offset 0, flags [none], proto UDP (17), length 521)
    43.249.129.89.58255 > 171.21.78.225.5060: SIP, length: 493
        REGISTER sip:54.84.215.2:5060 SIP/2.0
        To: <sip:[email protected]>
        From: <sip:[email protected]>;tag=824e5f4a7221279e4f7a
        Via: SIP/2.0/UDP 10.4.1.117:58255;branch=z9hG4bK183d5a24-59ec-4f05-8325-747389112824;rport
        Call-ID: e5f4a722128024e4f7a824
        CSeq: 1 REGISTER
        Contact: <sip:[email protected]:58255>
        Expires: 3600
        Max-Forwards: 70
        Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
        User-Agent: PolycomSoundPointIP SPIP_550 UA 3.3.2.0413
        Content-Length: 0

That packet is from a bot because I am NOT sending any packets to my server.

Note that the only purpose of that server is to understand how bots work and see how they attack my server. I am not using that PBX; therefore, any request that comes to that server must come from a malicious bot. Every time I get a UDP packet sent to port 5060 I block that IP address.

Now my question is:

I have been running that server for one month and every minute or so I still get attacks. I have blocked over 15,000 IPs! How many bots are there on the internet? Are they changing their source IP address, and is that the reason why they keep reaching my server? If they are able to change their source IP, is it because I am using the UDP protocol? Should I use TCP instead of UDP to resolve this?

Also, it's funny how the attacks from different IPs are so similar. For example, they use the same user agent as the phone and the attack comes from different IPs. It is as if all the bots have the same code.

Once I resolve this problem and understand how bots work I would like to implement that solution on my real server. I am not using the real server for this because filtering the good packets from bad packets will be hard. A solution would be to use a whitelist of IPs on my firewall, but I do not want my users to have to do some extra form of authentication, especially if they use the service from their mobile phone, where its IP address can change a lot.

vn flag
"How many bots are there on the internet?" Effectively infinite. Any IP on the internet will get automated scans and attacks non-stop.
vn flag
I mean how many bots with different source IP addresses, sorry.
vn flag
Functionally, infinite. They use millions of hacked computers, phones, thermostats, etc. to do this. https://en.wikipedia.org/wiki/Botnet Install something like fail2ban to automatically ban IPs and forget about it.
Score:0

I understand now why people try to keep as many ports closed as possible. In my case I wanted to have ports open and block the attackers. I discovered it is an endless fight.

What I did to resolve the problem was to understand how iptables works. My rules look like this:

~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source        destination
DROP       all  --  0.0.0.0/0     0.0.0.0/0       match-set MyBlackList src
ACCEPT     all  --  0.0.0.0/0     0.0.0.0/0       match-set MyWhiteList src
ACCEPT     tcp  --  0.0.0.0/0     0.0.0.0/0       tcp dpt:5060
DROP       udp  --  0.0.0.0/0     0.0.0.0/0       multiport dports 1:65535
DROP       tcp  --  0.0.0.0/0     0.0.0.0/0       multiport dports 1:65535

Chain FORWARD (policy ACCEPT)
target     prot opt source        destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source        destination

With these rules I am initially only allowing connections to port 5060 via TCP.

If a phone attempts to connect incorrectly to that port, the IP will be added to MyBlackList. If that is the case, the attacker will not be able to make further requests.

If a phone connects correctly, it will be added to MyWhiteList. If that is the case, it will be able to access other ports and make phone calls. If in the future it makes too many invalid requests, it can still be added to MyBlackList.

After using this approach I rarely get attacks. Now I only have 10 IPs blocked instead of thousands.
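One way to feed the two ipsets behind the rules above, as an added example that is not the poster's own code: it reads Asterisk security-log lines, blacklists a source after three failed attempts, whitelists one after a successful registration, and emits the ipset commands instead of running them. The SecurityEvent=...,RemoteAddress="IPV4/UDP/ip/port" layout and the event names are assumptions about Asterisk's security log format, and the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed mapping of Asterisk security-event names to the answer's two ipsets.
GOOD_EVENTS = {"SuccessfulAuth"}
BAD_EVENTS = {"InvalidAccountID", "InvalidPassword",
              "ChallengeResponseFailed", "RequestBadFormat", "FailedACL"}
FAIL_THRESHOLD = 3  # failed attempts before a source goes to MyBlackList

_EVENT_RE = re.compile(r'SecurityEvent="(?P<event>[^"]+)"')
_REMOTE_RE = re.compile(r'RemoteAddress="IPV[46]/(?:UDP|TCP)/(?P<ip>[^/"]+)/\d+"')

def parse_line(line):
    """Return (event, remote_ip), or None if the line carries no security event."""
    ev, ra = _EVENT_RE.search(line), _REMOTE_RE.search(line)
    return (ev.group("event"), ra.group("ip")) if ev and ra else None

def classify(lines, threshold=FAIL_THRESHOLD):
    """Map each source IP to 'MyWhiteList' or 'MyBlackList' in one pass; a
    whitelisted phone that later reaches the failure threshold is still blacklisted."""
    failures, verdict = Counter(), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        event, ip = parsed
        if event in BAD_EVENTS:
            failures[ip] += 1
            if failures[ip] >= threshold:
                verdict[ip] = "MyBlackList"
        elif event in GOOD_EVENTS and verdict.get(ip) != "MyBlackList":
            verdict[ip] = "MyWhiteList"
    return verdict

def ipset_commands(verdict):
    """Render the decisions as ipset commands for the existing sets (not executed)."""
    return ["ipset add %s %s -exist" % (s, ip) for ip, s in sorted(verdict.items())]

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    'SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",AccountID="1001",RemoteAddress="IPV4/UDP/203.0.113.10/58255"',
    'SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",AccountID="200",RemoteAddress="IPV4/TCP/198.51.100.7/5060"',
    'SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="1002",RemoteAddress="IPV4/UDP/203.0.113.10/58255"',
    'SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="SIP",AccountID="admin",RemoteAddress="IPV4/UDP/203.0.113.10/58255"',
    'SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="200",RemoteAddress="IPV4/TCP/198.51.100.7/5060"',
    "unrelated log line without a security event",
]
if __name__ == "__main__":
    for cmd in ipset_commands(classify(SAMPLE_LOG)):
        print(cmd)
```

Pipe the output into a shell to apply it, or lower FAIL_THRESHOLD to 1 to mirror the answer's block-on-first-bad-request policy.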
