[OpenSIPS-Users] Attack with UA: friendly-scanner

Mike Tesliuk mike at ultra.net.br
Wed Jun 29 00:47:44 CEST 2011


2011/6/28 Brett Nemeroff <brett at nemeroff.com>

>
> On Tue, Jun 28, 2011 at 4:55 PM, Mike Tesliuk <mike at ultra.net.br> wrote:
>
>> Hello,
>>
>>
>> I'm new to OpenSIPS and I'm getting an attack in which I can read the IP only on
>> the first register; the attacker is sending my own IP in the SIP package
>>
>>
> Welcome to the community!! :) Sorry for the doom and gloom reply....
>
> This is a sipvicious attack. It's a very aggressive type of brute force
> attack. Fail2ban is a great intrusion detection system. Google it...
>
>
Yeah, I have fail2ban implemented, but as I'm on a loop my rules are not
working; now I will correct everything.



> Quick word of advice. These attacks are brutal and very effective. If you
> put a SIP server on the internet, it's just a matter of time before you see
> this attack. Once they break into your box, they'll stick you on a call
> center calling cellphones in Neru which will probably cost you a few dollars
> USD per minute. It only takes an hour or so to rack up several thousand
> dollars of phone bills. So take it seriously.. I'm *not* exaggerating.
>
>
Yes, I know, I'm coming from the Asterisk world, I have some experience
with some kinds of problems, thanks for the advice.



> Alternatively, if you are comfortable with checking UA, I'd just drop the
> packet rather than put in CPU cycles and reply:
>         if($ua=~"friendly-scanner"){
>               drop();
>         }
>
>

> These guys will hit your server with a few hundred CPS (I've seen 300CPS
> before from this). So don't let your server get wrapped up in replying to
> it. Especially don't log each attempt. FWIW, normal syslog writes are fairly
> expensive. Be sure to enable async logging in syslog (stick a "-" before the
> log file name and restart syslog on many systems..)
>

OK, I will do this, thanks.


>
> -Brett
>
>
>
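
An added example, not part of the thread or of OpenSIPS: a rate check on the `friendly-scanner` User-Agent that keys on the address the datagram arrived from rather than on the addresses inside the SIP headers, since the original poster reports that the attacker places the server's own IP in the SIP message. All addresses, the threshold and the window are constructed values chosen for illustration.

```python
import re
from collections import defaultdict, deque

SCANNER_UA = re.compile(r"friendly-scanner", re.IGNORECASE)
UA_HEADER = re.compile(r"^User-Agent[ \t]*:[ \t]*(.*)$", re.I | re.M)

def user_agent(sip_message):
    """Return the User-Agent header value of a raw SIP message, or ''."""
    headers = sip_message.split("\r\n\r\n", 1)[0]  # ignore any body
    match = UA_HEADER.search(headers)
    return match.group(1).strip() if match else ""

def ban_candidates(packets, threshold=5, window=10.0):
    """packets: iterable of (timestamp, source_ip, raw_message).
    source_ip is the address the datagram arrived from ($si in an OpenSIPS
    script), never one parsed out of Via/From/Contact."""
    recent = defaultdict(deque)
    banned = set()
    for ts, src_ip, message in packets:
        if not SCANNER_UA.search(user_agent(message)):
            continue
        hits = recent[src_ip]
        hits.append(ts)
        while ts - hits[0] > window:  # slide the time window
            hits.popleft()
        if len(hits) >= threshold:
            banned.add(src_ip)
    return banned

def register(ua, header_ip):
    """Build a constructed REGISTER whose headers all carry header_ip."""
    return (f"REGISTER sip:{header_ip} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {header_ip}:5060;branch=z9hG4bK-constructed\r\n"
            f"From: <sip:100@{header_ip}>;tag=constructed\r\n"
            f"To: <sip:100@{header_ip}>\r\n"
            f"Call-ID: constructed@{header_ip}\r\nCSeq: 1 REGISTER\r\n"
            f"User-Agent: {ua}\r\nContent-Length: 0\r\n\r\n")

SERVER_IP = "192.0.2.10"  # constructed: the proxy's own address
SAMPLE = (
    # scanner traffic: headers claim the server's IP, packets come from elsewhere
    [(i * 0.1, "198.51.100.23", register("friendly-scanner", SERVER_IP))
     for i in range(6)]
    # ordinary phone registering twice
    + [(t, "203.0.113.5", register("Example Softphone 1.0", "203.0.113.5"))
       for t in (0.2, 30.0)]
)

if __name__ == "__main__":
    print(sorted(ban_candidates(SAMPLE)))
```

A ban list built from the header addresses in this sample would contain only the server's own IP, which is why the transport-level source is the value to feed to a firewall or fail2ban rule.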