[OpenSIPS-Users] Register attack!

Brett Nemeroff brett at nemeroff.com
Wed Nov 3 04:33:38 CET 2010


Kennard,
I personally write a log entry each time I get a REGISTER failure. Then use
fail2ban on top of that log. Pike could probably also be used.

-Brett


On Nov 2, 2010, at 10:30 PM, Kennard White <kennard_white at logitech.com>
wrote:

Hi Flavio,

How did you originally detect these register attacks? Are you using the pike
module or noticing them some other way?

Thanks,
Kennard

On Tue, Nov 2, 2010 at 10:40 AM, Flavio Goncalves
<flavio at asteriskguide.com> wrote:

> Hi,
>
> Register attacks are now an epidemic. In most cases they are using the
> friendly-scanner (svcrack.py) from sipvicious.org. One easy way to
> block is to check the user agent for the words "friendly-scanner" and
> drop the packets (an attacker could easily change the user agent, but
> most of them are just script kiddies). There is a good tutorial in the
> opensips website on how to use fail2ban to block the IP address of the
> offenders (I think this is the best long term solution).
>
> http://www.opensips.org/Resources/DocsTutFail2ban (posted in sept/2010
> by the user named aseques)
>
> In some cases, when the attacker uses an old version of svcrack.py it
> floods your server. I have received four gigs of traffic in a single
> day from just one source. There is a small utility from sipvicious.org
> called svcrash.py capable of crashing the attacker by sending a malformed
> packet.
>
> I hope it helps, it has been a pain to handle these attacks every day.
> On a normal day we are receiving from 4 to 8 attacks from different
> sources.
>
> Best regards,
>
> --------------------------------------------------
> Flavio E. Goncalves
> CEO - V.Office
> Fone: +554830258590/+554884085000
> OpenSIPS Bootcamp (Frankfurt Sep 20-24)
>
>
>
>
> 2010/11/2 Hung Nguyen <hungbk546 at gmail.com>:
> > Hi everybody!
> >
> > I have a problem with an attacker, as follows:
> >
> >
> > attack                   registrar
> >
> > register  ------------->
> > register  ------------->
> > ...
> > register  ------------->
> >
> >
> > The attacker sends 200 registers/second, so the registrar server goes
> > into error. This is the configuration for the register method:
> >
> > route[2] {
> >
> >  # ----------------------------------------------------------
> >  # REGISTER Message Handler
> >  # ----------------------------------------------------------
> >
> >  if (!search("^Contact:[ ]*\*") && nat_uac_test("7")) {
> >    setflag(6);
> >    fix_nated_register();
> >    fix_nated_contact();
> >    force_rport();
> >  };
> >
> >  if (!radius_www_authorize("abc.com")) {
> >    www_challenge("abc.com", "0");
> >    exit;
> >  };
> >  consume_credentials();
> >
> >  if (!save("location")) {
> >    sl_reply_error();
> >  };
> > }
> >
> > Please help me,
> >
> > Thanks.
> >
> > Hung
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >
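The approach described in the thread above (log every failed REGISTER, ban sources that fail repeatedly, and flag the "friendly-scanner" user agent), sketched as an added example that is not from the thread or the OpenSIPS tutorial. The log line format, the function name and the thresholds are assumptions; `maxretry`, `findtime` and `ignoreip` mirror the fail2ban options of the same names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: one line per failed REGISTER (constructed for this example).
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) REGISTER auth failure '
    r'from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) ua="(?P<ua>.*)"$'
)  # greedy ua: the header is attacker-controlled and may itself contain quotes

def find_offenders(lines, maxretry=5, findtime=timedelta(seconds=60), ignoreip=()):
    """Return {source_ip: reason} for addresses that should be banned.

    Lines are assumed to be in chronological order, as in a log file.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps inside the window
    banned = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["ip"] in ignoreip or m["ip"] in banned:
            continue  # unrelated line, trusted peer, or already banned
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if "friendly-scanner" in m["ua"].lower():
            banned[ip] = "scanner user agent"
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = f"{len(window)} failures within {int(findtime.total_seconds())}s"
    return banned

# Constructed sample data (documentation address ranges, not real traffic).
SAMPLE_LOG = (
    # burst: six failures in six seconds from one source
    [f'2010-11-02 10:00:0{s} REGISTER auth failure from 203.0.113.7 ua="ExamplePhone"'
     for s in range(1, 7)]
    # a user mistyping a password a few times over ten minutes
    + [f'2010-11-02 10:0{m}:00 REGISTER auth failure from 198.51.100.20 ua="ExamplePhone"'
       for m in (0, 2, 5, 7, 9)]
    # a single request carrying the scanner's default user agent
    + ['2010-11-02 10:03:00 REGISTER auth failure from 192.0.2.99 ua="friendly-scanner"']
)

if __name__ == "__main__":
    for ip, reason in find_offenders(SAMPLE_LOG).items():
        print(ip, reason)
```

Because SIP over UDP lets a sender forge its source address, list trusted peers in `ignoreip` so a spoofed burst cannot get them banned.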