[OpenSIPS-Users] Register attack!

Hung Nguyen hungbk546 at gmail.com
Wed Nov 3 16:00:05 CET 2010


Hi all, thanks for the replies.

I have tested with the pike module. It is very simple.

------
loadmodule "pike.so"
modparam("pike", "sampling_time_unit", 3)
modparam("pike", "reqs_density_per_unit", 20)

if (method == "REGISTER" || method == "OPTIONS" || method == "BYE") {
      if (!pike_check_req()) {
          # TODO: do anything you want here (log, ban the source, ...)
          drop();
          exit;
      }
}
------

I tested with sipvicious; after about 5 seconds pike detected the flood => drop the
packet or send 200 OK for REGISTER (svcrash.py will stop).
You can block flooding with any method.


best regards,
Nguyen Hung.

On 11/3/10, Flavio Goncalves <flavio at asteriskguide.com> wrote:
> Hi Kennard,
>
> The best way to detect is to use the return codes from the functions
> www_authorize and proxy_authorize. You can monitor the number of
> invalid authentications. I'm saving the number of invalid
> authentications in a cache variable using cache_store() for each
> specific IP (invalid_$si cache variable). The list below is from a
> previous post made by Bogdan of www_authorize return codes. The return
> codes -1 and -2 indicate an attack (or a user setting the wrong
> password). The cache variables last for a specific period of time, so
> you can use this to block the user for 15 minutes, usually enough to
> stop the attacker and allow a new try from a legitimate user.
>
> if (!www_authorize("", "subscriber"))  {
>     $var(reg) = $retcode;   # save it: $retcode is overwritten by the next call
>     if ($var(reg) < 0)  {
>         xlog("L_INFO","$var(reg)");
>         switch ($var(reg)) {
>             case -5:
>                 xlog("L_INFO","Error");
>                 break;
>             case -4:
>                 xlog("L_INFO","Please send new Register with auth info");
>                 www_challenge("", "0");
>                 exit;
>             case -2:
>                 xlog("L_INFO","Wrong password");
>                 break;
>             case -1:
>                 xlog("L_INFO","User doesn't exist");
>                 break;
>             default:
>                 xlog("L_INFO","Default");
>         }
>         sl_send_reply("403","Forbidden");
>         exit;
>     }
> }
>
>
>
>
> --------------------------------------------------
> Flavio E. Goncalves
> CEO - V.Office
> Fone: +554830258590/+554884085000
> OpenSIPS Bootcamp (Frankfurt Sep 20-24)
>
>
>
>
> 2010/11/3 Kennard White <kennard_white at logitech.com>:
>> Hi Flavio,
>>
>> How did you originally detect these register attacks? Are you using the pike
>> module or notice them some other way?
>>
>> Thanks,
>> Kennard
>>
>> On Tue, Nov 2, 2010 at 10:40 AM, Flavio Goncalves
>> <flavio at asteriskguide.com>
>> wrote:
>>>
>>> Hi,
>>>
>>> Register attacks are now an epidemic. In most cases they are using the
>>> friendly-scanner (svcrack.py) from sipvicious.org. One easy way to
>>> block is to check the user agent for the words "friendly-scanner" and
>>> drop the packets (an attacker could easily change the user agent, but
>>> most of them are just script kiddies). There is a good tutorial on the
>>> opensips website on how to use fail2ban to block the IP address of the
>>> offenders (I think this is the best long term solution).
>>>
>>> http://www.opensips.org/Resources/DocsTutFail2ban (posted in sept/2010
>>> by the user named aseques)
>>>
>>> In some cases, when the attacker uses an old version of svcrack.py, it
>>> floods your server. I have received four gigs of traffic in a single
>>> day from just one source. There is a small utility from sipvicious.org
>>> called svcrash.py capable of crashing the attacker by sending a malformed
>>> packet.
>>>
>>> I hope it helps; it has been a pain to handle these attacks every day.
>>> On a normal day we are receiving from 4 to 8 attacks from different
>>> sources.
>>>
>>> Best regards,
>>>
>>> --------------------------------------------------
>>> Flavio E. Goncalves
>>> CEO - V.Office
>>> Fone: +554830258590/+554884085000
>>> OpenSIPS Bootcamp (Frankfurt Sep 20-24)
>>>
>>>
>>>
>>>
>>> 2010/11/2 Hung Nguyen <hungbk546 at gmail.com>:
>>> > Hi everybody!
>>> >
>>> > I have a problem with an attacker, as follows:
>>> >
>>> >
>>> > attack                   registrar
>>> >
>>> > register  ------------->
>>> > register  ------------->
>>> > ...
>>> > register  ------------->
>>> >
>>> >
>>> > The attacker sends 200 REGISTERs/second, so the registrar server errors. This
>>> > is the configuration for the REGISTER method:
>>> >
>>> > route[2] {
>>> >
>>> >  # ----------------------------------------------------------
>>> >  # REGISTER Message Handler
>>> >  # ----------------------------------------------------------
>>> >
>>> >  if (!search("^Contact:[ ]*\*") && nat_uac_test("7")) {
>>> >    setflag(6);
>>> >    fix_nated_register();
>>> >    fix_nated_contact();
>>> >    force_rport();
>>> >  };
>>> >
>>> >  if (!radius_www_authorize("abc.com")) {
>>> >    www_challenge("abc.com", "0");
>>> >    exit;
>>> >  };
>>> >  consume_credentials();
>>> >
>>> >  if (!save("location")) {
>>> >    sl_reply_error();
>>> >  };
>>> > }
>>> >
>>> > Please help me,
>>> >
>>> > Thanks.
>>> >
>>> > Hung
>>> >
>>> > _______________________________________________
>>> > Users mailing list
>>> > Users at lists.opensips.org
>>> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>> >
>>>
>>
>>
>>
>>
>
>
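The two detection ideas traded in this thread, pike's per-source request density check and the per-IP failed-authentication counter that feeds a timed ban (via cache variables or fail2ban), as an added, runnable example in Python. This is not code from the thread or from OpenSIPS: the log line format (it assumes the failure branch runs `xlog("L_INFO", "auth-fail $retcode from $si\n")` and that syslog prefixes an epoch timestamp and process id), the sample log lines, the thresholds and the class and function names are all assumptions made for the illustration, and the density check is a simplified sliding window rather than pike's actual algorithm. The return-code meanings (-1 and -2 count as attack evidence, -4 is only re-challenged) follow Flavio's mapping above.

```python
import re
from collections import defaultdict, deque

# Assumed log format (not OpenSIPS' default): the failure branch runs
#   xlog("L_INFO", "auth-fail $retcode from $si\n")
# so a line carries: epoch seconds, process id, return code, source IP.
LOG_RE = re.compile(
    r"^(?P<ts>\d+) opensips\[\d+\]: auth-fail (?P<rc>-?\d+) from (?P<ip>\S+)$"
)

# Codes treated as attack evidence in the thread: -1 (user doesn't exist)
# and -2 (wrong password). -4 (stale nonce) just gets re-challenged.
ATTACK_CODES = {-1, -2}


class FloodDetector:
    """Simplified pike: more than reqs_density_per_unit requests from one
    source inside a sampling_time_unit window means the source is flooding."""

    def __init__(self, sampling_time_unit=3, reqs_density_per_unit=20):
        self.unit = sampling_time_unit
        self.limit = reqs_density_per_unit
        self.recent = defaultdict(deque)  # ip -> timestamps inside the window

    def check_req(self, ip, now):
        """True if the request may pass, False if the source is flooding."""
        q = self.recent[ip]
        q.append(now)
        while q and now - q[0] >= self.unit:  # drop timestamps outside window
            q.popleft()
        return len(q) <= self.limit


class AuthFailBanner:
    """fail2ban-style: maxretry counted failures within findtime seconds
    bans the source for bantime seconds (15 minutes, as in the thread)."""

    def __init__(self, maxretry=5, findtime=60, bantime=900):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> failure timestamps
        self.banned = {}  # ip -> epoch second at which the ban expires

    def is_banned(self, ip, now):
        until = self.banned.get(ip)
        if until is None:
            return False
        if now >= until:  # ban expired: a legitimate user may try again
            del self.banned[ip]
            return False
        return True

    def feed(self, line):
        """Consume one log line. Returns (ip, "ban") when a ban starts,
        (ip, "fail") for a counted failure, None for anything else."""
        m = LOG_RE.match(line)
        if not m:
            return None
        now, rc, ip = int(m["ts"]), int(m["rc"]), m["ip"]
        if rc not in ATTACK_CODES or self.is_banned(ip, now):
            return None
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.findtime:
            q.popleft()
        if len(q) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            q.clear()
            return (ip, "ban")
        return (ip, "fail")


# Constructed sample log, not captured from any real server.
SAMPLE_LOG = [
    "1288800000 opensips[1234]: auth-fail -1 from 203.0.113.7",
    "1288800001 opensips[1234]: auth-fail -1 from 203.0.113.7",
    "1288800001 opensips[1234]: auth-fail -4 from 198.51.100.2",  # stale nonce
    "1288800002 opensips[1234]: auth-fail -2 from 203.0.113.7",
    "1288800002 opensips[1234]: auth-fail -2 from 198.51.100.2",  # one typo
    "1288800003 opensips[1234]: auth-fail -1 from 203.0.113.7",
    "1288800004 opensips[1234]: auth-fail -1 from 203.0.113.7",  # 5th: ban
    "1288800005 opensips[1234]: auth-fail -1 from 203.0.113.7",  # already banned
]


def run_banner(lines=SAMPLE_LOG):
    """Feed the sample log through the banner; return (events, banner)."""
    banner = AuthFailBanner()
    events = [e for e in map(banner.feed, lines) if e]
    return events, banner


def run_flood(rate=200, seconds=1, ip="203.0.113.7"):
    """Simulate `rate` REGISTERs per second (the attack in the thread) and
    return how many pass before the density check trips."""
    det = FloodDetector()
    passed = 0
    for i in range(rate * seconds):
        if not det.check_req(ip, i / rate):
            break
        passed += 1
    return passed
```

Calling `run_banner()` on the constructed log bans 203.0.113.7 on its fifth counted failure and leaves 198.51.100.2, which only produced a stale nonce and a single wrong password, untouched; `run_flood()` shows that at 200 REGISTERs/second the density check lets exactly `reqs_density_per_unit` requests through before rejecting the rest. Expiring the ban inside `is_banned` is what gives the legitimate user a new try after the 15 minutes, the same property Flavio gets from the cache variable's lifetime.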