[OpenSIPS-Users] Attack with UA: friendly-scanner

duane.larson at gmail.com duane.larson at gmail.com
Wed Jun 29 00:05:44 CEST 2011


I wouldn't even reply back with a "403 - Access Denied". If you do that  
then you just told whoever that you exist and you are SIP

if($ua=~"friendly-scanner"){
    xlog("L_NOTICE","Auth error for $fU@$fd from $Ri cause $var(auth_code)");
    xlog("FRIENDLY-SCANNER: UA: $ua From_TAG: $ft From_URI: $fu Received IP: $Ri IP Source: $si");
    # no reply is sent: stop processing this request here
    exit;
}



On Jun 28, 2011 4:55pm, Mike Tesliuk <mike at ultra.net.br> wrote:
> Hello,

> I'm new to OpenSIPS and I'm getting an attack in which I can read the IP
> only on the first REGISTER; the attacker is sending my own IP in the SIP
> packet.

> At the beginning of my main route I put the rule below:

> if($ua=~"friendly-scanner"){
>     xlog("L_NOTICE","Auth error for $fU@$fd from $Ri cause $var(auth_code)");
>     xlog("FRIENDLY-SCANNER: UA: $ua From_TAG: $ft From_URI: $fu Received IP: $Ri IP Source: $si");
>     sl_send_reply("403", "Access Denied");
> }


> A short time after the attacker starts the attack I get this message:

> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:relay_reply: no more share memory
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:relay_reply: no more share memory
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:relay_reply: no more share memory
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer



> I can get the log, but the IP that I show is my own. How can I block this
> kind of attack?

> Thanks

> Below you have the first 3 packets that I can get with ngrep
> (XXX.XXX.XXX.XXX is my IP):

> U 2011/06/28 17:46:11.898262 60.171.75.147:5100 -> XXX.XXX.XXX.XXX:5060
> REGISTER sip:XXX.XXX.XXX.XXX SIP/2.0.
> Via: SIP/2.0/UDP 127.0.0.1:5100;branch=z9hG4bK-693079904;rport.
> Content-Length: 0.
> From: "6362" .
> Accept: application/sdp.
> User-Agent: friendly-scanner.
> To: "6362" .
> Contact: sip:123@1.1.1.1.
> CSeq: 1 REGISTER.
> Call-ID: 1696826551.
> Max-Forwards: 70.
> .
> #
> U 2011/06/28 17:46:11.899246 XXX.XXX.XXX.XXX:5060 -> XXX.XXX.XXX.XXX:5060
> REGISTER sip:XXX.XXX.XXX.XXX SIP/2.0.
> Via: SIP/2.0/UDP XXX.XXX.XXX.XXX;branch=z9hG4bKe9e1.7864db01.0.
> Via: SIP/2.0/UDP 127.0.0.1:5100;received=60.171.75.147;branch=z9hG4bK-693079904;rport=5100.
> Content-Length: 0.
> From: "6362" .
> Accept: application/sdp.
> User-Agent: friendly-scanner.
> To: "6362" .
> Contact: sip:123@1.1.1.1.
> CSeq: 1 REGISTER.
> Call-ID: 1696826551.
> Max-Forwards: 69.
> P-hint: outbound.
> #
> U 2011/06/28 17:46:11.899388 XXX.XXX.XXX.XXX:5060 -> XXX.XXX.XXX.XXX:5060
> REGISTER sip:XXX.XXX.XXX.XXX SIP/2.0.
> Via: SIP/2.0/UDP XXX.XXX.XXX.XXX;branch=z9hG4bKe9e1.8864db01.0.
> Via: SIP/2.0/UDP XXX.XXX.XXX.XXX;rport=5060;received=XXX.XXX.XXX.XXX;branch=z9hG4bKe9e1.7864db01.0.
> Via: SIP/2.0/UDP 127.0.0.1:5100;received=60.171.75.147;branch=z9hG4bK-693079904;rport=5100.
> Content-Length: 0.
> From: "6362" .
> Accept: application/sdp.
> User-Agent: friendly-scanner.
> To: "6362" .
> Contact: sip:123@1.1.1.1.
> CSeq: 1 REGISTER.
> Call-ID: 1696826551.
> Max-Forwards: 68.
> P-hint: outbound.
> P-hint: outbound.
> .
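
Added example, not part of the original thread: in the capture above the request is relayed from the proxy back to itself, so the packet source becomes the proxy's own address and the real sender survives only in the `received=` parameter on the bottom Via. This Python code walks the Via stack of a constructed copy of the third packet to recover that address and count the self-relays. The proxy address 192.0.2.10 stands in for the redacted XXX.XXX.XXX.XXX, and `parse_vias` and `analyse` are hypothetical helper names.

```python
import re

# Constructed input: the third packet of the capture above, with the redacted
# proxy address replaced by 192.0.2.10 (documentation range, an assumption).
PROXY_IP = "192.0.2.10"
SAMPLE = "\r\n".join([
    "REGISTER sip:192.0.2.10 SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bKe9e1.8864db01.0",
    "Via: SIP/2.0/UDP 192.0.2.10;rport=5060;received=192.0.2.10;branch=z9hG4bKe9e1.7864db01.0",
    "Via: SIP/2.0/UDP 127.0.0.1:5100;received=60.171.75.147;branch=z9hG4bK-693079904;rport=5100",
    "User-Agent: friendly-scanner",
    "CSeq: 1 REGISTER",
    "Max-Forwards: 68",
    "", "",
])

VIA_RE = re.compile(r"^(?:Via|v)[ \t]*:(.*)$", re.I | re.M)
UA_RE = re.compile(r"^User-Agent[ \t]*:(.*)$", re.I | re.M)

def _host(sent_by):
    """Host part of 'SIP/2.0/UDP host[:port]' (handles [IPv6] references)."""
    hostport = sent_by.split()[-1]
    if hostport.startswith("["):
        return hostport[1:hostport.index("]")]
    return hostport.split(":")[0]

def parse_vias(message):
    """Return one dict per Via hop, topmost (most recently added) first."""
    hops = []
    for line in VIA_RE.findall(message):
        for value in line.split(","):      # a header line may list several hops
            sent_by, *params = [p.strip() for p in value.split(";")]
            if not sent_by:
                continue                   # skip an empty Via value
            hop = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in params)}
            hop["host"] = _host(sent_by)
            hops.append(hop)
    return hops

def analyse(message, proxy_ip):
    """Recover the real sender and count how often the proxy relayed to itself."""
    hops = parse_vias(message)
    origin = hops[-1] if hops else {}      # bottom Via = first hop = the sender
    ua = UA_RE.search(message)
    return {
        "source_ip": origin.get("received") or origin.get("host"),
        "claimed_host": origin.get("host"),
        "self_hops": sum(1 for h in hops if h["host"] == proxy_ip),
        "scanner": bool(ua and "friendly-scanner" in ua.group(1)),
    }
```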







