[OpenSIPS-Users] Register attack!

Brett Nemeroff brett at nemeroff.com
Mon Nov 15 16:26:13 CET 2010


On Wed, Nov 3, 2010 at 12:23 PM, Flavio Goncalves <flavio at voffice.com.br> wrote:

> Hi Saul,
>
> I did like your solution. My only concern about Pike was to block
> legitimate traffic. A SIP dialer can easily get to the pike threshold,
> but doing pike_check_req() just for register, options and bye requests
> seems to avoid this.
>
> The only "but" is, the attack can also be done using INVITE and using
> Pike with INVITE can make you drop legitimate traffic, my initial
> concern. I think, that detecting authentication requests with wrong
> passwords or inexistent users is still the most generic solution. Just
> an opinion.
>
>
I personally just log each time there is an attempt from an unknown IP or
invalid user then just let fail2ban manage the threshold. Seems to work
pretty well.

The only thing that is really missing is a sort of system-wide blacklist. If
one of my servers is blocking offending traffic, I'd like all of them to go
ahead and block it. I've done something like this by using fail2ban to post
(via HTTP) the attacker information to another server. That server uses
fail2ban to scrape the HTTP logs and blocks the offending traffic as well.
Works well for hub and spoke, but not for mesh setups.

-Brett
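
Added example, not part of the original message or of OpenSIPS or fail2ban: a sketch of the threshold logic described above, showing why a shared view matters when one source spreads its failed attempts across several servers. The log format, the server names `sip1` to `sip3`, the function names and the threshold values are assumptions made for illustration; `maxretry` and `findtime` are named after the fail2ban options they mimic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format, constructed for this example (not OpenSIPS output):
#   <date> <time> <server> AUTH_FAIL src=<ip> user=<user>
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) AUTH_FAIL src=(\d{1,3}(?:\.\d{1,3}){3})\b")

SAMPLE_LOG = """\
2010-11-15 16:20:01 sip1 AUTH_FAIL src=198.51.100.23 user=1000
2010-11-15 16:20:02 sip1 AUTH_FAIL src=198.51.100.23 user=1001
2010-11-15 16:20:03 sip1 AUTH_FAIL src=198.51.100.23 user=1002
2010-11-15 16:21:10 sip1 AUTH_FAIL src=203.0.113.7 user=admin
2010-11-15 16:22:40 sip2 AUTH_FAIL src=203.0.113.7 user=admin
2010-11-15 16:24:05 sip3 AUTH_FAIL src=203.0.113.7 user=admin
2010-11-15 16:25:00 sip2 AUTH_FAIL src=192.0.2.50 user=alice
2010-11-15 16:25:09 sip2 REGISTER_OK src=192.0.2.50 user=alice
2010-11-15 18:30:00 sip2 AUTH_FAIL src=192.0.2.50 user=alice
""".splitlines()

def parse(lines):
    """Yield (timestamp, server, ip) for each auth-failure line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def offenders(events, maxretry=3, findtime=600):
    """IPs with at least maxretry failures inside a findtime-second window."""
    window, recent, banned = timedelta(seconds=findtime), defaultdict(deque), set()
    for ts, _server, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return banned

def per_server(events, **kw):
    """Threshold applied to each server's own log, as isolated instances would."""
    by_server = defaultdict(list)
    for ev in events:
        by_server[ev[1]].append(ev)
    return {srv: offenders(evs, **kw) for srv, evs in by_server.items()}

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print("per server:", per_server(events))
    print("aggregated:", offenders(events))
```

In the constructed sample, 203.0.113.7 stays under the threshold on every individual server and is only caught once the three logs are evaluated together, while the user who mistypes a password twice, two hours apart, is never flagged.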