[OpenSIPS-Users] Register attack!
Hung Nguyen
hungbk546 at gmail.com
Wed Nov 3 16:00:05 CET 2010
Hi all, thanks for the reply.
I have tested with the pike module. It is very simple.
------
loadmodule "pike.so"
modparam("pike", "sampling_time_unit", 3)
modparam("pike", "reqs_density_per_unit", 20)

if (is_method("REGISTER|OPTIONS|BYE")) {
    if (!pike_check_req()) {
        # TODO: do anything you want here
        drop();
        exit;
    }
}
------
I tested with sipvicious: after about 5 seconds pike detects the flood => drop the
packet or send 200 OK for REGISTER (svcrash.py will stop).
You can block flooding with any method.
Best regards,
Nguyen Hung.
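As an added example (not code from this thread or from OpenSIPS itself), the following Python models the two defences discussed here: the pike density check with the values above (sampling_time_unit 3, reqs_density_per_unit 20) and Flavio's per-source invalid-authentication counter with a 15-minute block. The request stream, the source IPs and the AUTH_FAIL_LIMIT threshold are constructed assumptions.

```python
from collections import defaultdict, deque

SAMPLING_TIME_UNIT = 3      # pike modparam from the thread (seconds per window)
REQS_DENSITY_PER_UNIT = 20  # pike modparam: requests per window before "flood"
BLOCK_SECONDS = 15 * 60     # lifetime of Flavio's invalid_$si cache entry
AUTH_FAIL_LIMIT = 3         # assumption: bad auths before a source is blocked

class RegisterGuard:
    def __init__(self):
        self.window = defaultdict(deque)   # ip -> request times in window
        self.auth_fail = defaultdict(list)  # ip -> times of -1/-2 auth results
        self.blocked_until = {}             # ip -> time the 15-minute block ends

    def pike_check_req(self, ip, now):
        """False once an IP exceeds reqs_density_per_unit in sampling_time_unit."""
        q = self.window[ip]
        q.append(now)
        while now - q[0] >= SAMPLING_TIME_UNIT:
            q.popleft()
        return len(q) <= REQS_DENSITY_PER_UNIT

    def record_auth(self, ip, retcode, now):
        """retcode follows www_authorize: -1 unknown user, -2 wrong password."""
        if retcode in (-1, -2):
            fails = [t for t in self.auth_fail[ip] if now - t < BLOCK_SECONDS]
            fails.append(now)
            self.auth_fail[ip] = fails
            if len(fails) >= AUTH_FAIL_LIMIT:
                self.blocked_until[ip] = now + BLOCK_SECONDS

def handle(guard, ip, method, retcode, now):
    """Disposition of one request, combining both defences from the thread."""
    if guard.blocked_until.get(ip, 0) > now:
        return "403 blocked"
    if method in ("REGISTER", "OPTIONS", "BYE") and not guard.pike_check_req(ip, now):
        return "drop"  # same effect as drop() after a failed pike_check_req()
    if method == "REGISTER" and retcode < 0:
        guard.record_auth(ip, retcode, now)
        return "401 challenge" if retcode == -4 else "403 Forbidden"
    return "ok"

def simulate_flood(ip="198.51.100.7", pps=200):
    """Constructed input: one source sends `pps` REGISTERs (no credentials) in 1 s."""
    guard = RegisterGuard()
    return [handle(guard, ip, "REGISTER", -4, i / pps) for i in range(pps)]

def simulate_guess(ip="203.0.113.9"):
    """Constructed input: three wrong passwords, a fourth try, one after the block."""
    guard = RegisterGuard()
    out = [handle(guard, ip, "REGISTER", -2, 2.0 * i) for i in range(4)]
    return out, handle(guard, ip, "REGISTER", 1, 6.0 + BLOCK_SECONDS)
```

With 200 REGISTERs in one second, only the first 20 get a challenge and the remaining 180 are dropped, matching the density the modparams express.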
On 11/3/10, Flavio Goncalves <flavio at asteriskguide.com> wrote:
> Hi Kennard,
>
> The best way to detect is to use the return codes from the functions
> www_authorize and proxy_authorize. You can monitor the number of
> invalid authentications. I'm saving the number of invalid
> authentications in a cache variable using cache_store() for each
> specific IP (invalid_$si cache variable). The list below is from a
> previous post made by Bogdan of www_authorize return codes. The return
> codes -1 and -2 indicate an attack (or a user setting the wrong
> password). The cache variables last for a specific period of time, so
> you can use this to block the user for 15 minutes, usually enough to
> stop the attacker and allow a new try from a legitimate user.
>
> if (!www_authorize("", "subscriber")) {
>     $var(reg) = $retcode;
>     if ($var(reg) < 0) {
>         xlog("L_INFO","$var(reg)");
>         # switch on the saved copy: xlog() has already overwritten $retcode
>         switch ($var(reg)) {
>             case -5:
>                 xlog("L_INFO","Error");
>                 break;
>             case -4:
>                 xlog("L_INFO","Please send new Register with auth info");
>                 www_challenge("", "0");
>                 exit;
>             case -2:
>                 xlog("L_INFO","Wrong password");
>                 break;
>             case -1:
>                 xlog("L_INFO","User doesn't exist");
>                 break;
>             default:
>                 xlog("L_INFO","Default");
>         }
>         sl_send_reply("403","Forbidden");
>         exit;
>     }
> }
>
> --------------------------------------------------
> Flavio E. Goncalves
> CEO - V.Office
> Fone: +554830258590/+554884085000
> OpenSIPS Bootcamp (Frankfurt Sep 20-24)
>
> 2010/11/3 Kennard White <kennard_white at logitech.com>:
>> Hi Flavio,
>>
>> How did you originally detect these register attacks? Are you using the
>> pike module or did you notice them some other way?
>>
>> Thanks,
>> Kennard
>>
>> On Tue, Nov 2, 2010 at 10:40 AM, Flavio Goncalves
>> <flavio at asteriskguide.com>
>> wrote:
>>>
>>> Hi,
>>>
>>> Register attacks are now an epidemic. In most cases they are using the
>>> friendly-scanner (svcrack.py) from sipvicious.org. One easy way to
>>> block is to check the user agent for the words "friendly-scanner" and
>>> drop the packets (an attacker could easily change the user agent, but
>>> most of them are just script kiddies). There is a good tutorial on the
>>> opensips website on how to use fail2ban to block the IP address of the
>>> offenders (I think this is the best long term solution).
>>>
>>> http://www.opensips.org/Resources/DocsTutFail2ban (posted in Sept/2010
>>> by the user named aseques)
>>>
>>> In some cases, when the attacker uses an old version of svcrack.py, it
>>> floods your server. I have received four gigs of traffic in a single
>>> day from just one source. There is a small utility from sipvicious.org
>>> called svcrash.py capable of crashing the attacker by sending a malformed
>>> packet.
>>>
>>> I hope it helps; it has been a pain to handle these attacks every day.
>>> In a normal day we are receiving from 4 to 8 attacks from different
>>> sources.
>>>
>>> Best regards,
>>>
>>> --------------------------------------------------
>>> Flavio E. Goncalves
>>> CEO - V.Office
>>> Fone: +554830258590/+554884085000
>>> OpenSIPS Bootcamp (Frankfurt Sep 20-24)
>>>
>>> 2010/11/2 Hung Nguyen <hungbk546 at gmail.com>:
>>> > Hi everybody!
>>> >
>>> > I have a problem with an attacker, as follows:
>>> >
>>> > attacker                 registrar
>>> > REGISTER ------------->
>>> > REGISTER ------------->
>>> > ...
>>> > REGISTER ------------->
>>> >
>>> > The attacker sends 200 REGISTERs/second, so the registrar server errors
>>> > out. This is the configuration for the REGISTER method:
>>> >
>>> > route[2] {
>>> >     # ----------------------------------------------------------
>>> >     # REGISTER Message Handler
>>> >     # ----------------------------------------------------------
>>> >     if (!search("^Contact:[ ]*\*") && nat_uac_test("7")) {
>>> >         setflag(6);
>>> >         fix_nated_register();
>>> >         fix_nated_contact();
>>> >         force_rport();
>>> >     };
>>> >
>>> >     if (!radius_www_authorize("abc.com")) {
>>> >         www_challenge("abc.com", "0");
>>> >         exit;
>>> >     };
>>> >     consume_credentials();
>>> >
>>> >     if (!save("location")) {
>>> >         sl_reply_error();
>>> >     };
>>> > }
>>> >
>>> > Please help me,
>>> >
>>> > Thanks.
>>> >
>>> > Hung
>>> >
>>> > _______________________________________________
>>> > Users mailing list
>>> > Users at lists.opensips.org
>>> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>> >