[OpenSIPS-Users] Register attack!

Kennard White kennard_white at logitech.com
Wed Nov 3 04:29:55 CET 2010


Hi Flavio,

How did you originally detect these register attacks? Are you using the pike
module, or do you notice them some other way?

Thanks,
Kennard

On Tue, Nov 2, 2010 at 10:40 AM, Flavio Goncalves
<flavio at asteriskguide.com> wrote:

> Hi,
>
> Register attacks are now an epidemic. In most cases they are using the
> friendly-scanner (svcrack.py) from sipvicious.org. One easy way to
> block them is to check the user agent for the words "friendly-scanner" and
> drop the packets (an attacker could easily change the user agent, but
> most of them are just script kiddies). There is a good tutorial on the
> opensips website on how to use fail2ban to block the IP address of the
> offenders (I think this is the best long term solution).
>
> http://www.opensips.org/Resources/DocsTutFail2ban (posted in sept/2010
> by the user named aseques)
>
> In some cases, when the attacker uses an old version of svcrack.py, it
> floods your server. I have received four gigs of traffic in a single
> day from just one source. There is a small utility from sipvicious.org
> called svcrash.py capable of crashing the attacker by sending a malformed
> packet.
>
> I hope it helps, it has been a pain to handle these attacks every day.
> On a normal day we are receiving from 4 to 8 attacks from different
> sources.
>
> Best regards,
>
> --------------------------------------------------
> Flavio E. Goncalves
> CEO - V.Office
> Fone: +554830258590/+554884085000
> OpenSIPS Bootcamp (Frankfurt Sep 20-24)
>
>
>
>
> 2010/11/2 Hung Nguyen <hungbk546 at gmail.com>:
> > Hi everybody!
> >
> > I have a problem with an attacker, as follows:
> >
> >
> > attack                   registrar
> >
> > register  ------------->
> > register  ------------->
> > ...
> > register  ------------->
> >
> >
> > The attacker sends 200 registers/second, so the registrar server is in
> > error. This is the configuration for the register method:
> >
> > route[2] {
> >
> >  # ----------------------------------------------------------
> >  # REGISTER Message Handler
> >  # ----------------------------------------------------------
> >
> >  if (!search("^Contact:[ ]*\*") && nat_uac_test("7")) {
> >    setflag(6);
> >    fix_nated_register();
> >    fix_nated_contact();
> >    force_rport();
> >  };
> >
> >  if (!radius_www_authorize("abc.com")) {
> >    www_challenge("abc.com", "0");
> >    exit;
> >  };
> >  consume_credentials();
> >
> >  if (!save("location")) {
> >    sl_reply_error();
> >  };
> > }
> >
> > Please help me,
> >
> > Thanks.
> >
> > Hung
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >
>
>
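
As an added example (not part of the original thread, and not OpenSIPS, pike or fail2ban code), the two detection signals mentioned above, the "friendly-scanner" User-Agent string and the REGISTER rate per source, applied to constructed log lines. The log format, the function names and the threshold of 20 REGISTERs per second are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed log format (an assumption, not real OpenSIPS output):
#   <epoch seconds> <source IP> <SIP method> ua="<User-Agent>"
LINE_RE = re.compile(r'^(\d+(?:\.\d+)?) (\S+) (\S+) ua="([^"]*)"$')

def find_register_offenders(lines, max_per_window=20, window=1.0,
                            bad_agents=("friendly-scanner",)):
    """Return {source_ip: set of reasons} for sources that look like a REGISTER attack.

    Assumes each source's lines arrive in time order.
    """
    recent = defaultdict(deque)   # ip -> REGISTER timestamps still inside the window
    offenders = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) != "REGISTER":
            continue
        ts, ip, ua = float(m.group(1)), m.group(2), m.group(4).lower()
        # Signal 1: scanner's default User-Agent (trivial for an attacker to change)
        if any(agent in ua for agent in bad_agents):
            offenders[ip].add("user-agent")
        # Signal 2: sliding-window rate per source, independent of the User-Agent
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) > max_per_window:
            offenders[ip].add("rate")
    return dict(offenders)

def build_sample():
    """Constructed sample traffic; addresses are from documentation ranges."""
    fmt = '{:.3f} {} REGISTER ua="{}"'
    lines = []
    # 200 REGISTERs in one second with the default scanner User-Agent
    lines += [fmt.format(1000 + i / 200, "192.0.2.10", "friendly-scanner") for i in range(200)]
    # same flood rate, but the User-Agent has been changed
    lines += [fmt.format(1000 + i / 200, "198.51.100.7", "SomePhone 1.0") for i in range(200)]
    # a normal phone re-registering once a minute
    lines += [fmt.format(1000 + 60 * i, "203.0.113.5", "SomePhone 1.0") for i in range(5)]
    # slow attempts with the scanner User-Agent: caught by the string, not the rate
    lines += [fmt.format(1000 + 5 * i, "203.0.113.99", "friendly-scanner") for i in range(3)]
    return lines

if __name__ == "__main__":
    for ip, reasons in sorted(find_register_offenders(build_sample()).items()):
        print(ip, ",".join(sorted(reasons)))
```

The second sample source shows why the rate check is needed alongside the string match: it floods at the same rate with a changed User-Agent and is flagged by rate alone.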