[OpenSIPS-Users] Register attack!

James Mbuthia jmmbuthia at gmail.com
Wed Nov 3 06:56:25 CET 2010


I had the same problem with register attacks; it almost crashed my server because
the log files became too huge. A temporary solution is to change the port number
from 5060 to something else, as it seems the register scanners attack SIP
servers listening on port 5060. Adding fail2ban on top of this and
blocking all registers which don't come from your servers adds another layer
of security.

On Wed, Nov 3, 2010 at 5:33 AM, Brett Nemeroff <brett at nemeroff.com> wrote:

> Kennard,
> I personally write a log entry each time I get a REGISTER failure. Then use
> fail2ban on top of that log. Pike could probably also be used.
>
> -Brett
>
>
> On Nov 2, 2010, at 10:30 PM, Kennard White <kennard_white at logitech.com>
> wrote:
>
> Hi Flavio,
>
> How did you originally detect these register attacks? Are you using the
> pike module or notice them some other way?
>
> Thanks,
> Kennard
>
> On Tue, Nov 2, 2010 at 10:40 AM, Flavio Goncalves <flavio at asteriskguide.com> wrote:
>
>> Hi,
>>
>> Register attacks are now an epidemic. In most cases they are using the
>> friendly-scanner (svcrack.py) from sipvicious.org. One easy way to
>> block is to check the user agent for the words "friendly-scanner" and
>> drop the packets (an attacker could easily change the user agent, but
>> most of them are just script kiddies). There is a good tutorial on the
>> opensips website on how to use fail2ban to block the IP address of the
>> offenders (I think this is the best long term solution).
>>
>> http://www.opensips.org/Resources/DocsTutFail2ban (posted in sept/2010
>> by the user named aseques)
>>
>> In some cases, when the attacker uses an old version of svcrack.py, it
>> floods your server. I have received four gigs of traffic in a single
>> day from just one source. There is a small utility from sipvicious.org
>> called svcrash.py capable of crashing the attacker by sending a malformed
>> packet.
>>
>> I hope it helps; it has been a pain to handle these attacks every day.
>> On a normal day we are receiving from 4 to 8 attacks from different
>> sources.
>>
>> Best regards,
>>
>> --------------------------------------------------
>> Flavio E. Goncalves
>> CEO - V.Office
>> Fone: +554830258590/+554884085000
>> OpenSIPS Bootcamp (Frankfurt Sep 20-24)
>>
>>
>>
>>
>> 2010/11/2 Hung Nguyen <hungbk546 at gmail.com>:
>> > Hi everybody!
>> >
>> > I have a problem with an attacker, as follows:
>> >
>> >
>> > attack                   registrar
>> >
>> > register  ------------->
>> > register  ------------->
>> > ...
>> > register  ------------->
>> >
>> >
>> > The attacker sends 200 registers/second, so the registrar server runs into
>> > errors. This is the configuration for the REGISTER method:
>> >
>> > route[2] {
>> >
>> >  # ----------------------------------------------------------
>> >  # REGISTER Message Handler
>> >  # ----------------------------------------------------------
>> >
>> >  if (!search("^Contact:[ ]*\*") && nat_uac_test("7")) {
>> >    setflag(6);
>> >    fix_nated_register();
>> >    fix_nated_contact();
>> >    force_rport();
>> >  };
>> >
>> >  if (!radius_www_authorize("abc.com")) {
>> >    www_challenge("abc.com", "0");
>> >    exit;
>> >  };
>> >  consume_credentials();
>> >
>> >  if (!save("location")) {
>> >    sl_reply_error();
>> >  };
>> > }
>> >
>> > Please help me,
>> >
>> > Thanks.
>> >
>> > Hung
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.opensips.org
>> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> >
>>
>
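
Added example, not code from any poster in this thread: the detection step behind the "log each REGISTER failure, then ban from that log" approach, combined with the User-Agent check mentioned above. It goes slightly beyond the thread by also counting failures per source in a sliding window, so a scanner with a changed User-Agent is still caught. The log line format, the `offenders` function and the thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format (an assumption): one line per failed REGISTER,
# written by the proxy script with the source IP and User-Agent.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) REGISTER auth failure '
    r'src=(?P<ip>[0-9A-Fa-f.:]+) ua="(?P<ua>[^"]*)"$')
SCANNER_UA = "friendly-scanner"  # User-Agent string named in the thread


def offenders(lines, max_failures=5, window=timedelta(seconds=10)):
    """Return {ip: reason} for sources a ban action should block."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["ip"] in flagged:
            continue  # skip unrelated/malformed lines and already-flagged sources
        ip, ts = m["ip"], datetime.fromisoformat(m["ts"])
        if SCANNER_UA in m["ua"].lower():
            flagged[ip] = "scanner-user-agent"  # cheap check; the header is spoofable
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged[ip] = "failure-rate"  # catches scanners with a changed User-Agent
    return flagged


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '2010-11-02T10:40:00 REGISTER auth failure src=203.0.113.10 ua="friendly-scanner"',
    '2010-11-02T10:40:01 REGISTER auth failure src=192.0.2.44 ua="Deskphone 1.0"',
    'unrelated line that does not match the failure format',
] + [
    f'2010-11-02T10:40:0{s} REGISTER auth failure src=198.51.100.7 ua="Deskphone 1.0"'
    for s in range(2, 7)
] + [
    '2010-11-02T10:41:30 REGISTER auth failure src=192.0.2.44 ua="Deskphone 1.0"',
]

if __name__ == "__main__":
    for ip, reason in offenders(SAMPLE_LOG).items():
        print(f"ban {ip} ({reason})")
```

The source 192.0.2.44 in the sample fails twice, 89 seconds apart, and is left alone, which is the behaviour wanted for a user who mistyped a password.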