[OpenSIPS-Users] Register attack!
Brett Nemeroff
brett at nemeroff.com
Wed Nov 3 04:33:38 CET 2010
Kennard,
I personally write a log entry each time I get a REGISTER failure. Then I use
fail2ban on top of that log. Pike could probably also be used.
-Brett
On Nov 2, 2010, at 10:30 PM, Kennard White <kennard_white at logitech.com>
wrote:
Hi Flavio,
How did you originally detect these register attacks? Are you using the pike
module or notice them some other way?
Thanks,
Kennard
On Tue, Nov 2, 2010 at 10:40 AM, Flavio Goncalves
<flavio at asteriskguide.com> wrote:
> Hi,
>
> Register attacks are now an epidemic. In most cases they are using the
> friendly-scanner (svcrack.py) from sipvicious.org. One easy way to
> block is to check the user agent for the words "friendly-scanner" and
> drop the packets (an attacker could easily change the user agent, but
> most of them are just script kiddies). There is a good tutorial in the
> opensips website on how to use fail2ban to block the IP address of the
> offenders (I think this is the best long term solution).
>
> http://www.opensips.org/Resources/DocsTutFail2ban (posted in sept/2010
> by the user named aseques)
>
> In some cases, when the attacker uses an old version of svcrack.py it
> floods your server. I have received four gigs of traffic in a single
> day from just one source. There is a small utility from sipvicious.org
> called svcrash.py capable of crashing the attacker by sending a malformed
> packet.
>
> I hope it helps, it has been a pain to handle these attacks every day.
> On a normal day we are receiving from 4 to 8 attacks from different
> sources.
>
> Best regards,
>
> --------------------------------------------------
> Flavio E. Goncalves
> CEO - V.Office
> Fone: +554830258590/+554884085000
> OpenSIPS Bootcamp (Frankfurt Sep 20-24)
>
>
>
>
> 2010/11/2 Hung Nguyen <hungbk546 at gmail.com>:
> > Hi everybody!
> >
> > I have a problem with an attacker, as follows:
> >
> >
> > attack registrar
> >
> > register ------------->
> > register ------------->
> > ...
> > register ------------->
> >
> >
> > The attacker sends 200 REGISTERs/second, so the registrar server errors out. This
> > is the configuration for the REGISTER method:
> >
> > route[2] {
> >
> >     # ----------------------------------------------------------
> >     # REGISTER Message Handler
> >     # ----------------------------------------------------------
> >
> >     if (!search("^Contact:[ ]*\*") && nat_uac_test("7")) {
> >         setflag(6);
> >         fix_nated_register();
> >         fix_nated_contact();
> >         force_rport();
> >     };
> >
> >     if (!radius_www_authorize("abc.com")) {
> >         www_challenge("abc.com", "0");
> >         exit;
> >     };
> >     consume_credentials();
> >
> >     if (!save("location")) {
> >         sl_reply_error();
> >     };
> > }
> >
> > Please help me,
> >
> > Thanks.
> >
> > Hung
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >
>
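The two defences discussed in this thread (a log entry per failed REGISTER fed to fail2ban-style rate counting, plus the "friendly-scanner" User-Agent check), sketched as an added example that is not code from the thread, from OpenSIPS or from fail2ban. The log line format, the thresholds and the addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log format: one syslog line per failed REGISTER.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ opensips\[\d+\]: '
    r'REGISTER auth failed user=(?P<user>\S+) src=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$')

MAX_RETRY = 5                       # failures tolerated per source ...
FIND_TIME = timedelta(seconds=60)   # ... inside this sliding window
SCANNER_UA = "friendly-scanner"     # User-Agent string named in the thread

def _line(ts, user, ip, ua):
    """Build one constructed sample log line."""
    return (f'Nov  2 {ts} sip1 opensips[2211]: REGISTER auth failed '
            f'user={user} src={ip} ua="{ua}"')

# Constructed sample: a default scanner, a burst with a changed User-Agent,
# and a real user who mistypes a password five times over ten minutes.
SAMPLE_LOG = (
    [_line("17:40:01", "100", "203.0.113.7", "friendly-scanner")]
    + [_line(f"17:41:0{s}", "101", "198.51.100.9", "Phone/1.0") for s in range(5)]
    + [_line(f"17:4{m}:30", "alice", "192.0.2.20", "Phone/1.0") for m in range(0, 10, 2)]
    + ["Nov  2 17:50:00 sip1 opensips[2211]: INFO: unrelated line"]
)

def find_offenders(lines, year=2010):
    """Return {source_ip: reason} for sources that should be blocked."""
    recent = defaultdict(deque)     # per-IP timestamps of recent failures
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["ip"] in offenders:
            continue                # not a failure line, or already flagged
        ip = m["ip"]
        if SCANNER_UA in m["ua"].lower():
            offenders[ip] = "user-agent"   # cheap check, trivially evaded
            continue
        # Syslog timestamps carry no year, so one is supplied for parsing.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FIND_TIME:  # drop failures outside the window
            window.popleft()
        if len(window) >= MAX_RETRY:
            offenders[ip] = "rate"         # catches scanners with a changed UA
    return offenders
```

The rate rule is what still catches a scanner once its User-Agent has been changed, while the slow sequence of five failures from one real user stays below the threshold.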