[OpenSIPS-Users] Register attack!

Bogdan-Andrei Iancu bogdan at voice-system.ro
Wed Nov 10 09:25:27 CET 2010


Hi Flavio,

Of course, you can exclude different known traffic sources (like diallers,
gateways, etc.) from the pike check, and you can also do the pike check only
for certain messages (like auth failed because of no user).

Regards,
Bogdan

Flavio Goncalves wrote:
> Hi Saul,
>
> I did like your solution. My only concern about Pike was to block
> legitimate traffic. A SIP dialer can easily get to the pike threshold,
> but doing pike_check_req() just for register, options and bye requests
> seems to avoid this.
>
> The only "but" is, the attack can also be done using INVITE and using
> Pike with INVITE can make you drop legitimate traffic, my initial
> concern. I think, that detecting authentication requests with wrong
> passwords or inexistent users is still the most generic solution. Just
> an opinion.
>
> Best regards,
>
> Flavio E. Goncalves
> CEO - V.Office
> OpenSIPS Bootcamp (New Jersey, NY  Nov. 15-19)
>
>
>
>
> 2010/11/3 Saúl Ibarra Corretgé <saul at ag-projects.com>:
>   
>> On 11/03/2010 04:00 PM, Hung Nguyen wrote:
>>     
>>> Hi all, thanks for reply.
>>>
>>> I have tested with pike module. It is very simple.
>>>
>>> ------
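>>> # pike: 3-second sampling unit, 20 requests allowed per unit per source IP
>>> modparam("pike", "sampling_time_unit", 3)
>>> modparam("pike", "reqs_density_per_unit", 20)
>>>
>>> # rate-check only REGISTER, OPTIONS and BYE requests
>>> if (method == "REGISTER" || method == "OPTIONS" || method == "BYE") {
>>>        if (!pike_check_req()) {
>>>            #TODO: do anything if you want
>>>            drop();
>>>            exit;
>>>        }
>>> }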
>>> ------
>>>
>>> I tested with sipvicious: after about 5 seconds pike detects the flood => drop
>>> packet or send 200 OK for register (svcrash.py will stop).
>>> You can block flooding with any method.
>>>
>>>       
>> Take into account that with pike module you are dropping the packets at
>> the application level, but they still enter the system. As the pike
>> module also generates syslog messages, you may want to use them in
>> combination with some other tool in order to block the traffic with
>> iptables, for example.
>>
>>
>> Regards,
>>
>> --
>> Saúl Ibarra Corretgé
>> AG Projects
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>>     
>


-- 
Bogdan-Andrei Iancu
OpenSIPS Bootcamp
15 - 19 November 2010, Edison, New Jersey, USA
www.voice-system.ro
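
Added example, not part of the original thread or of OpenSIPS: one way to combine the quoted suggestion of feeding pike's syslog messages to iptables with the exclusion of known traffic sources. The log line format `PIKE - BLOCKing ip <address>, ...`, the trusted network, the sample lines and the repeat threshold are assumptions; check the pattern against your own syslog.

```python
import ipaddress
import re
from collections import Counter

# Assumed pike syslog format; confirm against your own log before relying on it.
PIKE_RE = re.compile(r"PIKE - BLOCKing ip (\S+?),")

# Constructed allowlist of known traffic sources (dialers, gateways).
TRUSTED = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed sample log lines (documentation addresses only).
SAMPLE_LOG = """\
Nov  3 16:02:11 sbc opensips[2211]: PIKE - BLOCKing ip 198.51.100.7, node=0xb5a1c0
Nov  3 16:02:14 sbc opensips[2211]: PIKE - BLOCKing ip 192.0.2.5, node=0xb5a2f8
Nov  3 16:02:19 sbc opensips[2211]: PIKE - BLOCKing ip 198.51.100.7, node=0xb5a1c0
Nov  3 16:02:20 sbc opensips[2211]: PIKE - BLOCKing ip 999.1.1.1, node=0xb5a3aa
Nov  3 16:02:25 sbc opensips[2211]: PIKE - BLOCKing ip 203.0.113.44, node=0xb5a410
Nov  3 16:02:31 sbc opensips[2211]: PIKE - BLOCKing ip 198.51.100.7, node=0xb5a1c0
"""

def offenders(log_text, min_hits=2, trusted=TRUSTED):
    """Source IPs pike flagged at least min_hits times, minus trusted networks."""
    hits = Counter()
    for line in log_text.splitlines():
        m = PIKE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # never pass an unparsable string on to a firewall command
        if any(ip in net for net in trusted):
            continue  # known dialer or gateway: log it, but do not firewall it
        hits[ip] += 1
    return sorted(str(ip) for ip, n in hits.items() if n >= min_hits)

def iptables_rules(ips, port=5060):
    """Build argv lists (no shell string interpolation) that drop SIP over UDP."""
    return [["iptables", "-I", "INPUT", "-s", ip, "-p", "udp",
             "--dport", str(port), "-j", "DROP"] for ip in ips]

if __name__ == "__main__":
    for rule in iptables_rules(offenders(SAMPLE_LOG)):
        print(" ".join(rule))
```

Requiring repeated pike hits before adding a firewall rule limits the risk of blocking a legitimate source that crossed the threshold once.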



