[OpenSIPS-Users] Register attack!

Flavio Goncalves flavio at voffice.com.br
Wed Nov 3 18:23:42 CET 2010


Hi Saul,

I did like your solution. My only concern about Pike was blocking
legitimate traffic. A SIP dialer can easily reach the pike threshold,
but doing pike_check_req() just for REGISTER, OPTIONS and BYE requests
seems to avoid this.

The only "but" is that the attack can also be done using INVITE, and using
Pike with INVITE can make you drop legitimate traffic, my initial
concern. I think that detecting authentication requests with wrong
passwords or nonexistent users is still the most generic solution. Just
an opinion.

Best regards,

Flavio E. Goncalves
CEO - V.Office
OpenSIPS Bootcamp (New Jersey, NY  Nov. 15-19)




2010/11/3 Saúl Ibarra Corretgé <saul at ag-projects.com>:
> On 11/03/2010 04:00 PM, Hung Nguyen wrote:
>> Hi all, thanks for the reply.
>>
>> I have tested with the pike module. It is very simple.
>>
>> ------
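>> # sample requests per source IP in 3-second units
>> modparam("pike", "sampling_time_unit", 3)
>> # flag a source once it exceeds 20 requests per unit
>> modparam("pike", "reqs_density_per_unit", 20)
>>
>> # rate-check only the methods used for scanning, not INVITE
>> if (method == "REGISTER" || method == "OPTIONS" || method == "BYE") {
>>        if (!pike_check_req()) {
>>            #TODO: do anything if you want
>>            drop();
>>            exit;
>>        }
>> }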
>> ------
>>
>> I tested with sipvicious; in about 5 seconds pike detects the flood => drop
>> the packet or send 200 OK for REGISTER (svcrash.py will stop).
>> You can block flooding with any method.
>>
>
> Take into account that with pike module you are dropping the packets at
> the application level, but they still enter the system. As the pike
> module also generates syslog messages, you may want to use them in
> combination with some other tool in order to block the traffic with
> iptables, for example.
>
>
> Regards,
>
> --
> Saúl Ibarra Corretgé
> AG Projects
>
>
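
Added example, not part of the original messages or of OpenSIPS: one way to turn pike's syslog messages into iptables rules, as suggested in the quoted reply, with an allowlist so that a known dialer is never blocked. The log wording matched by `PIKE_RE`, the sample lines, the function names and UDP port 5060 are assumptions; check them against your own syslog output.

```python
import ipaddress
import re
from collections import Counter

# Assumed pike syslog text; confirm the exact wording in your own logs.
PIKE_RE = re.compile(r"PIKE - BLOCKing ip (\S+?),")

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Nov  3 16:02:11 sip1 opensips[2291]: WARNING:pike: PIKE - BLOCKing ip 203.0.113.45, node=0x7f3a1c0
Nov  3 16:02:14 sip1 opensips[2291]: WARNING:pike: PIKE - BLOCKing ip 203.0.113.45, node=0x7f3a1c0
Nov  3 16:02:15 sip1 opensips[2291]: WARNING:pike: PIKE - BLOCKing ip 192.0.2.10, node=0x7f3a2d8
Nov  3 16:02:17 sip1 opensips[2291]: WARNING:pike: PIKE - BLOCKing ip 203.0.113.45, node=0x7f3a1c0
Nov  3 16:02:18 sip1 opensips[2291]: WARNING:pike: PIKE - BLOCKing ip 192.0.2.10, node=0x7f3a2d8
Nov  3 16:02:20 sip1 opensips[2291]: WARNING:pike: PIKE - BLOCKing ip 198.51.100.7, node=0x7f3a3e0
Nov  3 16:02:21 sip1 opensips[2291]: WARNING:pike: PIKE - BLOCKing ip 999.1.1.1, node=0x0
Nov  3 16:02:22 sip1 opensips[2291]: INFO: unrelated message
"""

def offenders(log_text, min_hits=2, allowlist=()):
    """Return addresses pike flagged at least min_hits times, minus allowlisted networks."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    hits = Counter()
    for line in log_text.splitlines():
        m = PIKE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # never hand unvalidated log text to a firewall command
        if any(ip in net for net in nets):
            continue  # e.g. a legitimate dialer that trips the pike threshold
        hits[ip] += 1
    flagged = [ip for ip, n in hits.items() if n >= min_hits]
    return sorted(flagged, key=lambda ip: (ip.version, int(ip)))

def firewall_rules(ips, port=5060):
    """Render (not execute) one DROP rule per address; UDP/5060 is an assumed listener."""
    rules = []
    for ip in ips:
        tool = "iptables" if ip.version == 4 else "ip6tables"
        rules.append(f"{tool} -I INPUT -s {ip} -p udp --dport {port} -j DROP")
    return rules

if __name__ == "__main__":
    for rule in firewall_rules(offenders(SAMPLE_LOG, allowlist=["192.0.2.0/24"])):
        print(rule)
```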
