[OpenSIPS-Users] Attack with UA: friendly-scanner

Brett Nemeroff brett at nemeroff.com
Wed Jun 29 00:05:22 CEST 2011


On Tue, Jun 28, 2011 at 4:55 PM, Mike Tesliuk <mike at ultra.net.br> wrote:

> Hello,
>
> I'm new to OpenSIPS and I'm getting an attack where I can read the IP just on
> the first register; the attacker is sending my own IP in the SIP package.
>
Welcome to the community!! :) Sorry for the doom and gloom reply....

This is a sipvicious attack. It's a very aggressive type of brute-force
attack. Fail2ban is a great intrusion detection system. Google it...

Quick word of advice. These attacks are brutal and very effective. If you
put a SIP server on the internet, it's just a matter of time before you see
this attack. Once they break into your box, they'll stick you on a call
center calling cellphones in Neru which will probably cost you a few dollars
USD per minute. It only takes an hour or so to rack up several thousand
dollars of phone bills. So take it seriously. I'm *not* exaggerating.

Alternatively, if you are comfortable with checking the UA, I'd just drop the
packet rather than put in CPU cycles and reply:
        # $ua is the User-Agent header; =~ is a regular-expression match.
        if ($ua =~ "friendly-scanner") {
              # Stop processing this request here; no reply is sent.
              drop();
        }

These guys will hit your server with a few hundred CPS (I've seen 300 CPS
before from this). So don't let your server get wrapped up in replying to
it. Especially don't log each attempt. FWIW, normal syslog writes are fairly
expensive. Be sure to enable async logging in syslog (stick a "-" before the
log file name and restart syslog on many systems).

-Brett
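The two defences Brett describes, the User-Agent match and a fail2ban-style per-source threshold, as an added example that is not part of his reply or of OpenSIPS itself. The SIP messages, addresses and the 50-requests-per-second limit are all constructed for illustration; the From/To domain in the scanner message is set to the target's own address to mirror what the original poster saw, which is why the decision keys on the transport source address (passed in as src_ip) rather than on anything inside the message:

```python
import re
from collections import defaultdict, deque

# User-Agent string the thread identifies as the scanner; matched case-insensitively.
SCANNER_UA_RE = re.compile(r"friendly-scanner", re.IGNORECASE)

# Constructed sample messages (not captured traffic). Addresses are documentation
# ranges. In the scanner message the From/To domain is the target's own address,
# as the original poster observed, so the only trustworthy origin is the UDP
# source address, which the caller passes in separately as src_ip.
SCANNER_REGISTER = (
    "REGISTER sip:203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1\r\n"
    "From: \"100\" <sip:100@203.0.113.10>;tag=1\r\n"
    "To: \"100\" <sip:100@203.0.113.10>\r\n"
    "Call-ID: 1@198.51.100.7\r\n"
    "CSeq: 1 REGISTER\r\n"
    "User-Agent: friendly-scanner\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
PHONE_REGISTER = (
    "REGISTER sip:203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.25:5060;branch=z9hG4bK-2\r\n"
    "From: \"alice\" <sip:alice@203.0.113.10>;tag=2\r\n"
    "To: \"alice\" <sip:alice@203.0.113.10>\r\n"
    "Call-ID: 2@192.0.2.25\r\n"
    "CSeq: 1 REGISTER\r\n"
    "User-Agent: ExampleDeskPhone/1.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split a SIP message into its request line and a dict keyed by lowercased header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            # First occurrence wins, which is what matters for a singleton header like User-Agent.
            headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers


def is_scanner(raw):
    """True when the User-Agent header matches the scanner string (the $ua check in the post)."""
    _, headers = parse_headers(raw)
    return bool(SCANNER_UA_RE.search(headers.get("user-agent", "")))


class RateTracker:
    """Sliding-window request counter per source IP, the kind of threshold fail2ban
    applies. max_requests and window_seconds are tunables chosen for this example."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.hits = defaultdict(deque)

    def over_limit(self, src_ip, now):
        """Record one request at time `now` and report whether src_ip exceeds the limit."""
        q = self.hits[src_ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.max_requests


def classify(src_ip, raw, now, tracker):
    """Decide what to do with one request: 'drop-ua', 'drop-rate' or 'accept'.
    The UA test runs first because it is the cheapest and needs no per-source state."""
    if is_scanner(raw):
        return "drop-ua"
    if tracker.over_limit(src_ip, now):
        return "drop-rate"
    return "accept"


def run_demo():
    """Feed constructed traffic through classify() and return a count per verdict."""
    tracker = RateTracker(max_requests=50, window_seconds=1.0)
    verdicts = defaultdict(int)
    # One scanner probe: dropped on the UA string alone.
    verdicts[classify("198.51.100.7", SCANNER_REGISTER, 0.0, tracker)] += 1
    # 300 requests in one second from a single address with an innocuous UA
    # (the scanner string is trivial to change): the first 50 pass, the
    # remaining 250 trip the rate limit.
    burst = PHONE_REGISTER.replace("ExampleDeskPhone/1.0", "Something-Else/2.0")
    for i in range(300):
        verdicts[classify("198.51.100.8", burst, i / 300, tracker)] += 1
    # One ordinary phone registration a few seconds later: accepted.
    verdicts[classify("192.0.2.25", PHONE_REGISTER, 5.0, tracker)] += 1
    return dict(verdicts)


if __name__ == "__main__":
    print(run_demo())
```

The UA match alone is the cheap path Brett recommends; the rate limit is there because a scanner only has to change one header to evade it, and the burst in run_demo() shows that a source sending 300 requests a second gets cut off on volume even with a harmless-looking User-Agent.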