[OpenSIPS-Users] Register attack!

Adrian Georgescu ag at ag-projects.com
Wed Nov 10 19:21:45 CET 2010


This could be improved by profiling the traffic per customer and piking it accordingly.

Adrian

On Nov 3, 2010, at 6:23 PM, Flavio Goncalves wrote:

> Hi Saul,
> 
> I did like your solution. My only concern about Pike was to block
> legitimate traffic. A SIP dialer can easily get to the pike threshold,
> but doing pike_check_req() just for register, options and bye requests
> seems to avoid this.
> 
> The only "but" is that the attack can also be done using INVITE, and using
> Pike with INVITE can make you drop legitimate traffic, my initial
> concern. I think that detecting authentication requests with wrong
> passwords or nonexistent users is still the most generic solution. Just
> an opinion.
> 
> Best regards,
> 
> Flavio E. Goncalves
> CEO - V.Office
> OpenSIPS Bootcamp (New Jersey, NY  Nov. 15-19)
> 
> 
> 
> 
> 2010/11/3 Saúl Ibarra Corretgé <saul at ag-projects.com>:
>> On 11/03/2010 04:00 PM, Hung Nguyen wrote:
>>> Hi all, thanks for the reply.
>>> 
>>> I have tested with pike module. It is very simple.
>>> 
>>> ------
>>> loadmodule "pike.so"
>>> modparam("pike", "sampling_time_unit", 3)
>>> modparam("pike", "reqs_density_per_unit", 20)
>>> 
>>> # rate-check only REGISTER, OPTIONS and BYE requests
>>> if (method=="REGISTER" || method=="OPTIONS" || method=="BYE") {
>>>        if (!pike_check_req()) {
>>>            #TODO: do anything if you want
>>>            drop();
>>>            exit;
>>>        }
>>> }
>>> ------
>>> 
>>> I tested with sipvicious; in about 5 seconds pike detects the flood => drop
>>> the packet or send 200 OK for register (svcrash.py will stop).
>>> You can block flooding with any method.
>>> 
>> 
>> Take into account that with pike module you are dropping the packets at
>> the application level, but they still enter the system. As the pike
>> module also generates syslog messages, you may want to use them in
>> combination with some other tool in order to block the traffic with
>> iptables, for example.
>> 
>> 
>> Regards,
>> 
>> --
>> Saúl Ibarra Corretgé
>> AG Projects
>> 
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> 
> 

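Saúl's suggestion above of feeding pike's syslog messages to a tool that blocks with iptables, combined with Flavio's concern about legitimate dialers, sketched as an added example that is not part of the original thread or of OpenSIPS. The pike message wording in `PIKE_RE`, the constructed sample log lines, the allowlisted network, UDP port 5060 and the function names are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed pike message text; confirm the wording your OpenSIPS build logs.
PIKE_RE = re.compile(r"PIKE - BLOCKing ip (\S+?),")

# Constructed sample syslog lines (documentation address ranges only).
SAMPLE_LOG = """\
Nov  3 16:05:01 sip1 opensips[2211]: PIKE - BLOCKing ip 203.0.113.7, node=0x7f3a10
Nov  3 16:05:04 sip1 opensips[2211]: PIKE - BLOCKing ip 198.51.100.20, node=0x7f3b48
Nov  3 16:05:09 sip1 opensips[2211]: PIKE - BLOCKing ip 203.0.113.7, node=0x7f3a10
Nov  3 16:05:11 sip1 opensips[2211]: PIKE - BLOCKing ip 192.0.2.44, node=0x7f3c90
Nov  3 16:05:12 sip1 opensips[2211]: PIKE - BLOCKing ip 203.0.113.9;x, node=0x7f3d00
Nov  3 16:05:15 sip1 opensips[2211]: PIKE - BLOCKing ip 198.51.100.20, node=0x7f3b48
Nov  3 16:05:17 sip1 opensips[2211]: PIKE - BLOCKing ip 203.0.113.7, node=0x7f3a10
"""


def flooding_sources(lines, allowlist=(), min_hits=2):
    """Return source IPs pike reported at least min_hits times, minus allowlisted peers."""
    allowed = [ipaddress.ip_network(net) for net in allowlist]
    hits = Counter()
    for line in lines:
        match = PIKE_RE.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # log text that is not a valid address never reaches a rule
        if any(ip in net for net in allowed):
            continue  # known dialers and trunks stay reachable
        hits[ip] += 1
    flagged = [ip for ip, count in hits.items() if count >= min_hits]
    return sorted(flagged, key=lambda ip: (ip.version, int(ip)))


def iptables_rules(ips, chain="INPUT", port=5060):
    """Build (not execute) one DROP rule per address; UDP port 5060 is an assumption."""
    rules = []
    for ip in ips:
        tool = "iptables" if ip.version == 4 else "ip6tables"
        rules.append(f"{tool} -I {chain} -s {ip} -p udp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    sources = flooding_sources(SAMPLE_LOG.splitlines(), allowlist=["198.51.100.0/24"])
    print("\n".join(iptables_rules(sources)))
```

The rules are only generated as strings so they can be reviewed, or handed to whatever applies firewall changes on the host, before anything is blocked.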