[OpenSIPS-Users] Attack with UA: friendly-scanner

Mike Tesliuk mike at ultra.net.br
Wed Jun 29 14:26:54 CEST 2011


For now I'm just logging the connection and doing a block with fail2ban.

2011/6/29 Brett Nemeroff <brett at nemeroff.com>

> On Jun 29, 2011, at 2:01 AM, Saúl Ibarra Corretgé <saul at ag-projects.com>
> wrote:
>
> >
> > On Jun 29, 2011, at 12:05 AM, duane.larson at gmail.com wrote:
> >
> >> I wouldn't even reply back with a "403 - Access Denied". If you do that then you just told whoever that you exist and you are SIP
> >>
> >
> > So? I would reply 200, so that it believes it has guessed right and will stop the flood. :-)
>
> Actually, I've seen this do bad things. Makes the hackers think they
> got something. It's better if you can just pretend to not be a SIP
> server. If you 200 they might think that they have an easy box to
> crack and just need to keep trying extensions until they get one that
> works properly. Unless of course you are making a honeypot. That is,
> an extension that is easy to crack (or returns an immediate 200 when a
> friendly-scanner regs) and then inserts the source ip into your border
> router ACL automatically. But you can even honeypot it without
> returning 200 and you remain stealthy to them which I tend to still
> believe is a better idea.
> -Brett


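The log-and-block approach mentioned at the top of this message, as an added example that is not part of the original thread. The log line format, the function name `ips_to_ban` and the sample addresses are assumptions constructed for illustration; the thresholds mirror fail2ban's `maxretry` and `findtime` options.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example): one line written by the
# proxy script per request, carrying the source IP and the User-Agent header.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ SIP-REQ '
    r'src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) method=(?P<method>[A-Z]+) '
    r'ua="(?P<ua>[^"]*)"$'
)
SCANNER_UA = re.compile(r'friendly-scanner', re.IGNORECASE)

def ips_to_ban(lines, maxretry=3, findtime=timedelta(seconds=60)):
    """Return source IPs with >= maxretry scanner hits inside findtime,
    in the order they crossed the threshold (sliding window per IP)."""
    hits = defaultdict(deque)
    banned = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not SCANNER_UA.search(m['ua']):
            continue  # unparsable line or ordinary user agent
        ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
        window = hits[m['ip']]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()  # forget hits older than findtime
        if len(window) >= maxretry and m['ip'] not in banned:
            banned.append(m['ip'])
    return banned

# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = """\
2011-06-29 14:00:01 proxy SIP-REQ src=192.0.2.10 method=REGISTER ua="friendly-scanner"
2011-06-29 14:00:02 proxy SIP-REQ src=198.51.100.7 method=REGISTER ua="ExamplePhone 1.0"
2011-06-29 14:00:03 proxy SIP-REQ src=192.0.2.10 method=REGISTER ua="friendly-scanner"
2011-06-29 14:00:04 proxy SIP-REQ src=192.0.2.10 method=OPTIONS ua="friendly-scanner"
2011-06-29 14:00:05 proxy SIP-REQ src=203.0.113.5 method=OPTIONS ua="friendly-scanner"
2011-06-29 14:05:00 proxy SIP-REQ src=203.0.113.5 method=OPTIONS ua="friendly-scanner"
2011-06-29 14:05:01 proxy SIP-REQ src=203.0.113.5 method=OPTIONS ua="Friendly-Scanner"
""".splitlines()

if __name__ == "__main__":
    for ip in ips_to_ban(SAMPLE_LOG):
        print("ban", ip)
```

The User-Agent header is supplied by the client, so this only catches scanners that leave the default string in place.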