[OpenSIPS-Users] Register attack!

Flavio Goncalves flavio at asteriskguide.com
Wed Nov 3 15:25:34 CET 2010


Hi Kennard,

The best way to detect is to use the return codes from the functions
www_authorize and proxy_authorize. You can monitor the number of
invalid authentications. I'm saving the number of invalid
authentications in a cache variable using cache_store() for each
specific IP (invalid_$si cache variable). The list below is from a
previous post made by Bogdan of www_authorize return codes. The return
codes -1 and -2 indicate an attack (or a user setting the wrong
password). The cache variables last for a specific period of time, so
you can use this to block the user for 15 minutes, usually enough to
stop the attacker and allow a new try from a legitimate user.

if (!www_authorize("", "subscriber")) {
    # save the return code first: the xlog() call below overwrites $retcode
    $var(reg) = $retcode;
    if ($var(reg) < 0) {
        xlog("L_INFO", "www_authorize returned $var(reg)\n");
        # switch on the saved copy, not on $retcode (already changed by xlog)
        switch ($var(reg)) {
            case -5:
                xlog("L_INFO", "Error\n");
                break;
            case -4:
                xlog("L_INFO", "Please send new Register with auth info\n");
                www_challenge("", "0");
                exit;
            case -2:
                xlog("L_INFO", "Wrong password\n");
                break;
            case -1:
                xlog("L_INFO", "User doesn't exist\n");
                break;
            default:
                xlog("L_INFO", "Default\n");
        }
        sl_send_reply("403", "Forbidden");
        exit;
    }
}




--------------------------------------------------
Flavio E. Goncalves
CEO - V.Office
Fone: +554830258590/+554884085000
OpenSIPS Bootcamp (Frankfurt Sep 20-24)
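An added example (not Flavio's or the OpenSIPS project's own code) of how the per-IP counter described above can be wired into the REGISTER route with the localcache module. It assumes OpenSIPS 1.6-era script syntax, the localcache storage id "local", that cache_fetch() can write into a $var() and that the {s.int} transformation is available; the threshold of 5 failures and the 900 s window are chosen values, and all negative codes other than -1/-2 are answered with a challenge for brevity.

```opensips
# global section: the localcache module provides cache_store/cache_fetch/cache_remove
loadmodule "localcache.so"

# ... inside the route that handles REGISTER:

# drop REGISTERs from a source that is still inside its 15-minute block
if (cache_fetch("local", "blocked_$si", $var(blocked))) {
    xlog("L_INFO", "REGISTER from blocked source $si, dropped\n");
    exit;
}

if (!www_authorize("", "subscriber")) {
    # save the code first; xlog() below would overwrite $retcode
    $var(reg) = $retcode;

    if ($var(reg) == -1 || $var(reg) == -2) {
        # unknown user (-1) or wrong password (-2): count it against the IP.
        # localcache stores strings, so convert the old value before adding.
        $var(cnt) = 0;
        if (cache_fetch("local", "invalid_$si", $var(raw))) {
            $var(cnt) = $(var(raw){s.int});
        }
        $var(cnt) = $var(cnt) + 1;
        # rewrite the counter; the entry expires on its own after 900 s
        cache_store("local", "invalid_$si", "$var(cnt)", 900);
        xlog("L_INFO", "auth failure $var(cnt) from $si (code $var(reg))\n");

        if ($var(cnt) >= 5) {
            # block the source for 15 minutes; a legitimate user who only
            # mistyped a password can retry once the entry has expired
            cache_store("local", "blocked_$si", "1", 900);
            xlog("L_WARN", "blocking $si for 900 s after $var(cnt) failures\n");
        }
        sl_send_reply("403", "Forbidden");
        exit;
    }

    # any other negative code: no or stale credentials, send a challenge
    www_challenge("", "0");
    exit;
}

# successful authentication: forget earlier failures from this source
cache_remove("local", "invalid_$si");
consume_credentials();
```

The xlog lines written here are also the natural input for the fail2ban setup mentioned earlier in the thread, since each failure is logged together with $si.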




2010/11/3 Kennard White <kennard_white at logitech.com>:
> Hi Flavio,
>
> How did you originally detect these register attacks? Are you using the pike
> module or notice them some other way?
>
> Thanks,
> Kennard
>
> On Tue, Nov 2, 2010 at 10:40 AM, Flavio Goncalves <flavio at asteriskguide.com>
> wrote:
>>
>> Hi,
>>
>> Register attacks are now an epidemic. In most cases they are using the
>> friendly-scanner (svcrack.py) from sipvicious.org. One easy way to
>> block is to check the user agent for the words "friendly-scanner" and
>> drop the packets (an attacker could easily change the user agent, but
>> most of them are just script kiddies). There is a good tutorial in the
>> opensips website on how to use fail2ban to block the IP address of the
>> offenders (I think this is the best long term solution).
>>
>> http://www.opensips.org/Resources/DocsTutFail2ban (posted in sept/2010
>> by the user named aseques)
>>
>> In some cases, when the attacker uses an old version of svcrack.py it
>> floods your server. I have received four gigs of traffic in a single
>> day from just one source. There is a small utility from sipvicious.org
>> called svcrash.py capable of crashing the attacker by sending a malformed
>> packet.
>>
>> I hope it helps, it has been a pain to handle these attacks every day.
>> In a normal day we are receiving from 4 to 8 attacks from different
>> sources.
>>
>> Best regards,
>>
>> --------------------------------------------------
>> Flavio E. Goncalves
>> CEO - V.Office
>> Fone: +554830258590/+554884085000
>> OpenSIPS Bootcamp (Frankfurt Sep 20-24)
>>
>>
>>
>>
>> 2010/11/2 Hung Nguyen <hungbk546 at gmail.com>:
>> > Hi every body!
>> >
>> > I have a problem with attacker as following:
>> >
>> >
>> > attack                   registrar
>> >
>> > register  ------------->
>> > register  ------------->
>> > ...
>> > register  ------------->
>> >
>> >
>> > The attacker sends 200 registers/second, so the registrar server errors. This
>> > is the configuration for the register method:
>> >
>> > route[2] {
>> >
>> >  # ----------------------------------------------------------
>> >  # REGISTER Message Handler
>> >  # ----------------------------------------------------------
>> >
>> >  if (!search("^Contact:[ ]*\*") && nat_uac_test("7")) {
>> >    setflag(6);
>> >    fix_nated_register();
>> >    fix_nated_contact();
>> >    force_rport();
>> >  };
>> >
>> >  if (!radius_www_authorize("abc.com")) {
>> >    www_challenge("abc.com", "0");
>> >    exit;
>> >  };
>> >  consume_credentials();
>> >
>> >  if (!save("location")) {
>> >    sl_reply_error();
>> >  };
>> > }
>> >
>> > Please help me,
>> >
>> > Thanks.
>> >
>> > Hung
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.opensips.org
>> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> >
>>
>
>
>
>