[OpenSIPS-Users] Register attack!
Adrian Georgescu
ag at ag-projects.com
Wed Nov 10 19:21:45 CET 2010
This could be improved by profiling the traffic per customer and pike it accordingly.
Adrian
On Nov 3, 2010, at 6:23 PM, Flavio Goncalves wrote:
> Hi Saul,
>
> I did like your solution. My only concern about Pike was to block
> legitimate traffic. A SIP dialer can easily get to the pike threshold,
> but doing pike_check_req() just for register, options and bye requests
> seems to avoid this.
>
> The only "but" is that the attack can also be done using INVITE, and using
> Pike with INVITE can make you drop legitimate traffic, my initial
> concern. I think that detecting authentication requests with wrong
> passwords or nonexistent users is still the most generic solution. Just
> an opinion.
>
> Best regards,
>
> Flavio E. Goncalves
> CEO - V.Office
> OpenSIPS Bootcamp (New Jersey, NY Nov. 15-19)
>
>
>
>
> 2010/11/3 Saúl Ibarra Corretgé <saul at ag-projects.com>:
>> On 11/03/2010 04:00 PM, Hung Nguyen wrote:
>>> Hi all, thanks for the replies.
>>>
>>> I have tested with pike module. It is very simple.
>>>
>>> ------
>>> modparam("pike", "sampling_time_unit", 3)
>>> modparam("pike", "reqs_density_per_unit", 20)
>>>
>>> # Rate-check only REGISTER, OPTIONS and BYE requests
>>> if (method=="REGISTER" || method=="OPTIONS" || method=="BYE") {
>>>     if (!pike_check_req()) {
>>>         # TODO: do anything you want here
>>>         drop();
>>>         exit;
>>>     }
>>> }
>>> ------
>>>
>>> I tested with sipvicious; after about 5 seconds pike detects the flood => drop
>>> the packet or send 200 OK for REGISTER (svcrash.py will stop).
>>> You can block flooding with any method.
>>>
>>
>> Take into account that with pike module you are dropping the packets at
>> the application level, but they still enter the system. As the pike
>> module also generates syslog messages, you may want to use them in
>> combination with some other tool in order to block the traffic with
>> iptables, for example.
>>
>>
>> Regards,
>>
>> --
>> Saúl Ibarra Corretgé
>> AG Projects
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>
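
An added example, not part of the original thread: one way to turn the pike syslog messages mentioned above into iptables DROP rules while sparing known dialers. The log line format, the allowlist network and all addresses are constructed assumptions; adjust the pattern to what your OpenSIPS version actually logs.

```python
import ipaddress
import re
from collections import Counter

# Assumed pike log format; adjust the pattern to what your OpenSIPS version writes.
PIKE_RE = re.compile(r"PIKE - BLOCKing ip (\S+?),")

# Constructed sample syslog lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Nov  3 16:01:10 sbc opensips[2211]: PIKE - BLOCKing ip 203.0.113.50, node=0x7f2a10
Nov  3 16:01:13 sbc opensips[2211]: PIKE - BLOCKing ip 203.0.113.50, node=0x7f2a10
Nov  3 16:01:16 sbc opensips[2211]: PIKE - BLOCKing ip 203.0.113.50, node=0x7f2a10
Nov  3 16:01:20 sbc opensips[2211]: PIKE - BLOCKing ip 198.51.100.7, node=0x7f2b40
Nov  3 16:01:21 sbc opensips[2211]: PIKE - BLOCKing ip 192.0.2.10, node=0x7f2c00
Nov  3 16:01:24 sbc opensips[2211]: PIKE - BLOCKing ip 192.0.2.10, node=0x7f2c00
Nov  3 16:01:27 sbc opensips[2211]: PIKE - BLOCKing ip 192.0.2.10, node=0x7f2c00
Nov  3 16:01:30 sbc opensips[2211]: PIKE - BLOCKing ip not-an-ip, node=0x0
"""

# Known dialers / trunks that must never be firewalled (hypothetical network).
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]


def offenders(log_text, min_hits=3, allowlist=ALLOWLIST):
    """Return sorted IPs pike flagged at least min_hits times, minus the allowlist."""
    hits = Counter()
    for line in log_text.splitlines():
        m = PIKE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))  # rejects junk in the IP field
        except ValueError:
            continue
        if any(ip in net for net in allowlist):
            continue
        hits[ip] += 1
    return sorted(str(ip) for ip, n in hits.items() if n >= min_hits)


def iptables_rules(ips, port=5060):
    """Build (not run) DROP rules for SIP over UDP from the given sources."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    for rule in iptables_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

The rules are only printed, so they can be reviewed before being applied; requiring several pike hits and checking an allowlist addresses the concern about blocking a legitimate dialer.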