SIP attacks and what data-centre operators can do

More and more we are seeing SIP brute force attacks from hosted servers. These aren’t really hacking attempts, as in many cases they just try the same user and password millions of times.

We block these attacks automatically on our servers, but that doesn’t stop the traffic. They carry on until we get the data-centre to shut down the server, which can be difficult.

We have recently seen attacks from Germany on the increase, in particular from one data-centre based in Berlin. The staff here DO NOT respond in a timely manner to abuse reports, and it has taken up to 4 days to get the servers shut down. They claim that if they shut the server down it infringes their customers’ rights. We have pointed out to them that they clearly state in their AUP (below) that the server cannot be used for this purpose.

“a. Utilize the Services to cause denial of service attacks against ***** or other network hosts or Internet users or to otherwise degrade or impair the operation of ******s servers and facilities or the servers and facilities of other network hosts or Internet users;”

And if they do, the server will be shut down. So why don’t some data-centres respond? This is an interesting one. At the data-centre in Berlin the attacks always started around the same time on a Sunday morning, on a clean dedicated server, and had all the fingerprints of human, not bot, activity. With bots, we see them try a few times and then give up. These attacks, once started, keep going even when we are dropping all the packets, which is the point at which a bot moves on.

When the attack is finally stopped we get no explanation or, in the case of it taking many days to stop, no apologies or explanations for taking so long.

I do think it’s time for data-centre operators to take their AUPs seriously and enforce what they say.
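The distinction drawn above, between a source that gives up once its packets are dropped and one that keeps sending, can be pulled out of logs as evidence for an abuse report. The following is an added example, not code from the original post; the merged log format, the sample lines, the `summarise` function and the one-hour threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample, not real traffic. Hypothetical merged log format:
#   <epoch seconds> <source IP> <outcome> <SIP user or "-">
# FAIL = REGISTER reached the SIP server and failed authentication
# DROP = packet discarded by the firewall after the automatic block
SAMPLE_LOG = """\
1000 198.51.100.7 FAIL 100
1001 198.51.100.7 FAIL 101
1002 198.51.100.7 FAIL 102
1003 198.51.100.7 DROP -
1004 198.51.100.7 DROP -
2000 203.0.113.9 FAIL 1000
2001 203.0.113.9 FAIL 1000
2002 203.0.113.9 FAIL 1000
2003 203.0.113.9 DROP -
2600 203.0.113.9 DROP -
9200 203.0.113.9 DROP -
"""

PERSIST_SECONDS = 3600  # assumed threshold: still sending an hour after the block


def summarise(log_text, persist_seconds=PERSIST_SECONDS):
    """Return per-source counts and whether the source kept sending after the block."""
    stats = defaultdict(lambda: {"fails": 0, "users": set(), "drops": 0,
                                 "first_drop": None, "last": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines
        ts = int(parts[0])
        src, outcome, user = parts[1:]
        s = stats[src]
        s["last"] = max(s["last"], ts)
        if outcome == "FAIL":
            s["fails"] += 1
            s["users"].add(user)
        elif outcome == "DROP":
            s["drops"] += 1
            s["first_drop"] = ts if s["first_drop"] is None else min(s["first_drop"], ts)
    report = {}
    for src, s in stats.items():
        after = 0 if s["first_drop"] is None else s["last"] - s["first_drop"]
        report[src] = {"failed_registers": s["fails"], "distinct_users": len(s["users"]),
                       "dropped_packets": s["drops"], "seconds_sending_after_block": after,
                       "persistent": after >= persist_seconds}
    return report
```

In the constructed sample, the first source stops within seconds of being dropped, while the second repeats one user and is still sending almost two hours after the block.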