Infiltrated dot Net

VABL 101
Written by sil   

The VoIP Abuse Blacklist has been a work in progress as I sought a mechanism to document attackers. With that said, the new layout will hopefully be more beneficial to PBX administrators. Rather than reinvent the wheel, VABL looks up an attacker's information via Shadowserver's lookup and appends three new fields: type of attacker, address and the letters VABL and a number dialed (when appropriate).

The type of attacker field may make the biggest difference to those who decide to use this list. Three specific entries will appear: BRU, ADN and COM. BRU means that the host attempted to brute-force a PBX, while COM signifies that the attacker managed to compromise either a honeypot or a live machine. ADN is short for Attacker Dialing Numbers and marks an attacker who placed a call. Whenever you see an entry with ADN, there will be an additional field at the end containing the number dialed by the attacker.

Because this project is a hobby project, I will try my best to keep it as up-to-date and as accurate as possible. However, work and family come first, so apologies if there are times when it seems to lag. Sincerest thanks to everyone who has offered to send in data, assist with working on the page, assist with deploying honeypots, etc. I do read e-mails, and if I don't respond it is likely that I am overwhelmed with many things.


Real Samples:

140.115.71.31 | COM | VABL | 18420 | 140.115.0.0/16 | NCU | TW | NCKU.EDU.TW | TAIWAN ACADEMIC NETWORK
211.233.39.238 | COM | VABL | 3786 | 211.233.0.0/18 | LGDACOM | KR | - | INEMPIRE
60.172.230.110 | COM | VABL | 4134 | 60.168.0.0/13 | CHINANET | CN | CNDATA.COM | CHINANET ANHUI PROVINCE NETWORK
61.56.193.32 | COM | VABL | 9919 | 61.56.192.0/19 | NCIC | TW | - | 3J CORPORATION CO
64.34.165.112 | COM | VABL | 30099 | 64.34.160.0/20 | SB-2 | US | SERVERBEACH.COM | SERVERBEACH
64.34.201.26 | COM | VABL | 30099 | 64.34.200.0/22 | SB-2 | US | SERVERBEACH.COM | SERVERBEACH
68.9.68.125 | COM | VABL | 22773 | 68.9.0.0/16 | ASN-CXA-ALL-CCI-2277 | US | COX.NET | COX COMMUNICATIONS INC
85.214.23.191 | COM | VABL | 6724 | 85.214.0.0/16 | STRATO | DE | STRATOSERVER.NET | STRATO RECHENZENTRUM BERLIN
41.232.96.220 | ADN | VABL | 8452 | 41.232.96.0/22 | TE | EG | TEDATA.NET | AFRINIC | 011251912121891
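
An added example (not part of the original page or the VABL project): a Python parser for the record layout shown in the samples above, which enforces that only ADN entries carry a dialed number. The names given to the Shadowserver-derived fields (asn, prefix, as_name, country, domain, isp) are assumptions inferred from the samples, and the last two sample lines are constructed to show rejected input.

```python
import ipaddress
from collections import namedtuple

ATTACKER_TYPES = {"BRU", "ADN", "COM"}  # type codes defined on this page

# Names after "kind" are assumptions inferred from the sample records.
VablEntry = namedtuple(
    "VablEntry", "ip kind asn prefix as_name country domain isp dialed")

def parse_vabl_line(line):
    """Parse one pipe-delimited VABL record; raise ValueError if malformed."""
    f = [part.strip() for part in line.split("|")]
    if len(f) not in (9, 10):
        raise ValueError(f"expected 9 or 10 fields, got {len(f)}")
    ip, kind, marker, asn, prefix, as_name, cc, domain, isp = f[:9]
    dialed = f[9] if len(f) == 10 else None
    if kind not in ATTACKER_TYPES or marker != "VABL":
        raise ValueError(f"bad type/marker: {kind!r}/{marker!r}")
    # Only ADN entries carry the dialed number as a trailing field.
    if (kind == "ADN") != (dialed is not None):
        raise ValueError("dialed number belongs on ADN entries only")
    if dialed is not None and not dialed.isdigit():
        raise ValueError(f"non-numeric dialed number: {dialed!r}")
    addr, net = ipaddress.IPv4Address(ip), ipaddress.IPv4Network(prefix)
    if addr not in net:  # consistency check that catches a mangled line
        raise ValueError(f"{addr} is outside prefix {net}")
    return VablEntry(addr, kind, int(asn), net, as_name, cc,
                     None if domain == "-" else domain, isp, dialed)

def load_vabl(text):
    """Return (entries, rejected) so one bad line never drops the whole feed."""
    entries, rejected = [], []
    for raw in filter(str.strip, text.splitlines()):
        try:
            entries.append(parse_vabl_line(raw))
        except ValueError as exc:  # ipaddress errors subclass ValueError
            rejected.append((raw, str(exc)))
    return entries, rejected

# First two lines are copied from the samples above; last two are constructed.
SAMPLE = """\
61.56.193.32 | COM | VABL | 9919 | 61.56.192.0/19 | NCIC | TW | - | 3J CORPORATION CO
41.232.96.220 | ADN | VABL | 8452 | 41.232.96.0/22 | TE | EG | TEDATA.NET | AFRINIC | 011251912121891
192.0.2.10 | ADN | VABL | 64500 | 192.0.2.0/24 | EXAMPLE | ZZ | - | EXAMPLE NET
198.51.100.7 | BRU | VABL | 64500 | 192.0.2.0/24 | EXAMPLE | ZZ | - | EXAMPLE NET
"""
```

`load_vabl(SAMPLE)` returns the two records taken from the page and rejects the two constructed ones, the first for a missing dialed number and the second for an address outside its prefix.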

 

Real Time VoIP Abuse Blacklist

Last Updated on Wednesday, 19 January 2011 20:08