[OpenSIPS-Users] Attack with UA: firendly-scanner

Mike Tesliuk mike at ultra.net.br
Wed Jun 29 00:47:16 CEST 2011


Ok, that was a beginner mistake, thanks for your reply.


Now I get the message with the IP of the attacker and I can block him:


Jun 28 19:29:00 ser1-vm /sbin/opensips[20887]: Auth error for gabriell at XXX.XXX.XXX.XXX from XXX.XXX.XXX.XXX cause 0
Jun 28 19:29:00 ser1-vm /sbin/opensips[20887]: FRIENDLY-SCANNER: UA: friendly-scanner From_TAG: <null> From_URI: sip:gabriell at XXX.XXX.XXX.XXXReceived IP: XXX.XXX.XXX.XXX IP Source: 60.171.75.147


Thanks for the reply




2011/6/28 Ovidiu Sas <osas at voipembedded.com>

> Put an exit after sl_send_reply().  You are looping the REGISTER
> through your server.
> Or just don't even bother sending a reply back, just exit.
>
> Regards,
> Ovidiu Sas
>
> On Tue, Jun 28, 2011 at 5:55 PM, Mike Tesliuk <mike at ultra.net.br> wrote:
> > Hello,
> >
> >
> > I'm new to OpenSIPS and I'm getting an attack where I can read the IP only
> > on the first register; the attacker is sending my own IP in the SIP packet.
> >
> >
> > At the beginning of my main route I put the rule below:
> >
> >
> >
> >         if($ua=~"friendly-scanner"){
> >                 xlog("L_NOTICE","Auth error for $fU@$fd from $Ri cause $var(auth_code)");
> >                 xlog("FRIENDLY-SCANNER: UA: $ua From_TAG: $ft From_URI: $fu Received IP: $Ri IP Source: $si");
> >                 sl_send_reply("403", "Access Denied");
> >         }
> >
> >
> > A short time later the attacker starts the attack and I get this message:
> >
> >
> > Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer
> > Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
> > Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:relay_reply: no more share memory
> > Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
> > Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer
> > Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
> > Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:relay_reply: no more share memory
> > Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
> > Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer
> > Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
> > Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:relay_reply: no more share memory
> > Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
> > Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer
> >
> >
> >
> > I can get the log, but the IP that it shows is my own; how can I block this
> > kind of attack?
> >
> > Thanks
> >
> >
> > Below you have the first 3 packets that I can get on ngrep (the
> > XXX.XXX.XXX.XXX is my IP):
> >
> > U 2011/06/28 17:46:11.898262 60.171.75.147:5100 -> XXX.XXX.XXX.XXX:5060
> > REGISTER sip:XXX.XXX.XXX.XXX SIP/2.0.
> > Via: SIP/2.0/UDP 127.0.0.1:5100;branch=z9hG4bK-693079904;rport.
> > Content-Length: 0.
> > From: "6362" <sip:6362 at XXX.XXX.XXX.XXX>.
> > Accept: application/sdp.
> > User-Agent: friendly-scanner.
> > To: "6362" <sip:6362 at XXX.XXX.XXX.XXX>.
> > Contact: sip:123 at 1.1.1.1.
> > CSeq: 1 REGISTER.
> > Call-ID: 1696826551.
> > Max-Forwards: 70.
> > .
> >
> > #
> > U 2011/06/28 17:46:11.899246 XXX.XXX.XXX.XXX:5060 -> XXX.XXX.XXX.XXX:5060
> > REGISTER sip:XXX.XXX.XXX.XXX SIP/2.0.
> > Via: SIP/2.0/UDP XXX.XXX.XXX.XXX;branch=z9hG4bKe9e1.7864db01.0.
> > Via: SIP/2.0/UDP 127.0.0.1:5100;received=60.171.75.147;branch=z9hG4bK-693079904;rport=5100.
> > Content-Length: 0.
> > From: "6362" <sip:6362 at XXX.XXX.XXX.XXX>.
> > Accept: application/sdp.
> > User-Agent: friendly-scanner.
> > To: "6362" <sip:6362 at XXX.XXX.XXX.XXX>.
> > Contact: sip:123 at 1.1.1.1.
> > CSeq: 1 REGISTER.
> > Call-ID: 1696826551.
> > Max-Forwards: 69.
> > P-hint: outbound.
> >
> >
> > #
> > U 2011/06/28 17:46:11.899388 XXX.XXX.XXX.XXX:5060 -> XXX.XXX.XXX.XXX:5060
> > REGISTER sip:XXX.XXX.XXX.XXX SIP/2.0.
> > Via: SIP/2.0/UDP XXX.XXX.XXX.XXX;branch=z9hG4bKe9e1.8864db01.0.
> > Via: SIP/2.0/UDP XXX.XXX.XXX.XXX;rport=5060;received=XXX.XXX.XXX.XXX;branch=z9hG4bKe9e1.7864db01.0.
> > Via: SIP/2.0/UDP 127.0.0.1:5100;received=60.171.75.147;branch=z9hG4bK-693079904;rport=5100.
> > Content-Length: 0.
> > From: "6362" <sip:6362 at XXX.XXX.XXX.XXX>.
> > Accept: application/sdp.
> > User-Agent: friendly-scanner.
> > To: "6362" <sip:6362 at XXX.XXX.XXX.XXX>.
> > Contact: sip:123 at 1.1.1.1.
> > CSeq: 1 REGISTER.
> > Call-ID: 1696826551.
> > Max-Forwards: 68.
> > P-hint: outbound.
> > P-hint: outbound.
> > .
> >
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >
> >
>
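As an added example (not from the thread or from OpenSIPS), a small Python analyser over two constructed REGISTER messages modelled on the ngrep trace above. It walks the Via stack to tell the scanner's first hop from a copy the proxy has relayed back to itself (the loop that Ovidiu's missing `exit` explains), and recovers the address worth blocking from the bottom Via's `received=` parameter rather than from the UDP source or the From URI, both of which are the proxy's own IP on a looped copy. The addresses (192.0.2.10 for the proxy, 198.51.100.77 for the scanner) are documentation-range placeholders, not the real hosts in the thread.

```python
import re

# Constructed sample, modelled on the ngrep trace in the thread. 192.0.2.10 is
# the proxy's own address (the thread's XXX.XXX.XXX.XXX), 198.51.100.77 the
# scanner; both are documentation-range addresses, not real hosts.
OWN_IP = "192.0.2.10"
SCANNER_IP = "198.51.100.77"
COMMON = ('From: "6362" <sip:6362@192.0.2.10>\r\nTo: "6362" <sip:6362@192.0.2.10>\r\n'
          "User-Agent: friendly-scanner\r\nContact: sip:123@1.1.1.1\r\n"
          "CSeq: 1 REGISTER\r\nCall-ID: 1696826551\r\nContent-Length: 0\r\n\r\n")
# Packet 1: as it arrives from the scanner (bogus 127.0.0.1 sent-by in Via).
PKT1 = (SCANNER_IP, "REGISTER sip:192.0.2.10 SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 127.0.0.1:5100;branch=z9hG4bK-693079904;rport\r\n"
        "Max-Forwards: 70\r\n" + COMMON)
# Packet 2: the same REGISTER after the proxy relayed it back to itself.
PKT2 = (OWN_IP, "REGISTER sip:192.0.2.10 SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bKe9e1.7864db01.0\r\n"
        "Via: SIP/2.0/UDP 127.0.0.1:5100;received=198.51.100.77;"
        "branch=z9hG4bK-693079904;rport=5100\r\n"
        "Max-Forwards: 69\r\n" + COMMON)

VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^;\s]+)(.*)$", re.I | re.M)

def header(msg, name):
    m = re.search(r"^%s:\s*(.*)$" % re.escape(name), msg, re.I | re.M)
    return m.group(1).strip() if m else ""

def parse_vias(msg):
    """[(sent_by_host, {param: value}), ...], topmost first (IPv4 hosts only)."""
    vias = []
    for m in VIA_RE.finditer(msg):
        params = dict(p.split("=", 1) for p in m.group(2).strip().split(";") if "=" in p)
        vias.append((m.group(1).rsplit(":", 1)[0], params))
    return vias

def classify(src_ip, msg, own_ip=OWN_IP):
    """Tell the scanner's first hop from a looped copy and recover the real source."""
    vias = parse_vias(msg)
    # The bottom Via is the originator's. Its sent-by (127.0.0.1) is bogus, but the
    # proxy stamped the real address into received=, so prefer that over the UDP
    # source, which on a looped copy is the proxy itself ($si == own IP).
    true_source = vias[-1][1].get("received", src_ip)
    return {
        "scanner": header(msg, "User-Agent").lower() == "friendly-scanner",
        "looped": src_ip == own_ip or any(h == own_ip for h, _ in vias[:-1]),
        "hops": len(vias),
        "max_forwards": int(header(msg, "Max-Forwards") or 0),
        "true_source": true_source,
    }

def blocklist(packets, own_ip=OWN_IP):
    """Addresses to block: scanner sources only, never the proxy's own IP."""
    return {classify(s, m, own_ip)["true_source"] for s, m in packets
            if classify(s, m, own_ip)["scanner"]} - {own_ip}
```

Each looped copy adds one Via and decrements Max-Forwards, which is why the relayed REGISTERs keep consuming transactions until the tm module reports no more shared memory.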