[OpenSIPS-Users] Register attack!
Flavio Goncalves
flavio at asteriskguide.com
Tue Nov 2 18:40:04 CET 2010
Hi,
Register attacks are now an epidemic. In most cases they are using the
friendly-scanner (svcrack.py) from sipvicious.org. One easy way to
block them is to check the user agent for the words "friendly-scanner" and
drop the packets (an attacker could easily change the user agent, but
most of them are just script kiddies). There is a good tutorial on the
OpenSIPS website on how to use fail2ban to block the IP address of the
offenders (I think this is the best long-term solution).
http://www.opensips.org/Resources/DocsTutFail2ban (posted in Sept/2010
by the user named aseques)

In some cases, when the attacker uses an old version of svcrack.py, it
floods your server. I have received four gigs of traffic in a single
day from just one source. There is a small utility from sipvicious.org
called svcrash.py capable of crashing the attacker by sending a malformed
packet.

I hope it helps; it has been a pain to handle these attacks every day.
On a normal day we are receiving from 4 to 8 attacks from different
sources.
Best regards,
--------------------------------------------------
Flavio E. Goncalves
CEO - V.Office
Fone: +554830258590/+554884085000
OpenSIPS Bootcamp (Frankfurt Sep 20-24)
2010/11/2 Hung Nguyen <hungbk546 at gmail.com>:
> Hi everybody!
>
> I have a problem with an attacker, as follows:
>
>
> attack registrar
>
> register ------------->
> register ------------->
> ...
> register ------------->
>
>
> The attacker sends 200 registers/second, so the registrar server is in error. This
> is the configuration for the register method:
>
> route[2] {
>
>     # ----------------------------------------------------------
>     # REGISTER Message Handler
>     # ----------------------------------------------------------
>
>     if (!search("^Contact:[ ]*\*") && nat_uac_test("7")) {
>         setflag(6);
>         fix_nated_register();
>         fix_nated_contact();
>         force_rport();
>     };
>
>     if (!radius_www_authorize("abc.com")) {
>         www_challenge("abc.com", "0");
>         exit;
>     };
>     consume_credentials();
>
>     if (!save("location")) {
>         sl_reply_error();
>     };
> }
>
> Please help me,
>
> Thanks.
>
> Hung
>
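The two checks described in the reply above (match the "friendly-scanner" user agent, and ban offenders by source IP), sketched as an added example that is not part of the original post or of the OpenSIPS fail2ban tutorial. The threshold, window, sample messages and addresses are assumptions constructed for illustration; the rate check is there because, as the reply notes, the user agent is easy to change.

```python
import re
from collections import defaultdict, deque

SCANNER_UA = re.compile(r"friendly-scanner", re.IGNORECASE)  # string named in the post
MAX_REGISTERS = 20    # assumed per-source limit inside one window
WINDOW_SECONDS = 1.0  # assumed window length

def user_agent(sip_message):
    """Return the User-Agent header value of a raw SIP message, or ''."""
    for line in sip_message.split("\r\n")[1:]:
        if not line:  # blank line ends the header section
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            return value.strip()
    return ""

def offenders(events):
    """events: (timestamp, source_ip, raw_message) tuples in time order.
    Returns {source_ip: reason} for the sources to hand to the firewall."""
    recent = defaultdict(deque)  # per-source REGISTER timestamps in the window
    banned = {}
    for ts, ip, msg in events:
        if ip in banned or not msg.startswith("REGISTER "):
            continue
        if SCANNER_UA.search(user_agent(msg)):
            banned[ip] = "user-agent"
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] >= WINDOW_SECONDS:  # expire old timestamps
            window.popleft()
        if len(window) > MAX_REGISTERS:  # catches floods that hide the UA
            banned[ip] = "rate"
    return banned

def register(ua):
    """Build a constructed, minimal REGISTER for the sample below."""
    return ("REGISTER sip:abc.com SIP/2.0\r\n"
            "To: <sip:100@abc.com>\r\n"
            f"User-Agent: {ua}\r\n"
            "Content-Length: 0\r\n\r\n")

# Constructed sample: addresses are documentation ranges, not real sources.
SAMPLE = sorted(
    [(0.5, "192.0.2.10", register("friendly-scanner"))]
    + [(i / 200, "198.51.100.7", register("softphone/1.0")) for i in range(200)]
    + [(t, "203.0.113.5", register("softphone/1.0")) for t in (0.0, 60.0, 120.0)],
    key=lambda e: e[0])
```

Calling `offenders(SAMPLE)` flags the scanner by user agent and the 200-per-second source by rate, while the client that re-registers once a minute is left alone.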