[OpenSIPS-Users] attack from friendly-scanner

Brett Nemeroff brett at nemeroff.com
Mon Oct 8 15:31:29 CEST 2012


First of all,
This is an attack from sipvicious. It is an *attack*. It will be very high
rate (cps) and you do *not* want to use anything that consumes resources to
attempt to block it.

First recommendation is to use iptables. In addition, you *should* put a
check in your config for friendly-scanner and drop() the packet. Do not
reply with a sip code. You want to be invisible to the attacker. If you
reply with a sip code, they'll just scan you attempting to find a request
combination that will return a usable result.

1. Do whatever you can to not use CPU resources to block this
2. Don't look like a SIP server to source IPs you do not recognize

I guarantee, if you look like a SIP server, you will get brutally attacked
from unsolicited sources.

Read up on the fail2ban docs for asterisk. They have some good ideas in
there on how to perform intrusion detection and how to automatically add
offending traffic to fail2ban. You can do something similar in OpenSIPs.

I would be very curious to hear about other people's experiences using the
Pike module to block this type of traffic. For what it's worth, I've seen
attack traffic high enough in bandwidth to saturate a pretty beefy internet
connection and I've even seen it crash routers. If you can avoid them
finding you in the first place, that would be a much better option.
-Brett


On Mon, Oct 8, 2012 at 7:53 AM, Engineer voip <forvoip4 at gmail.com> wrote:

> Hi,
> I'm trying to use pike module and i'm using the script above, but when i
> execute this command " opensipsctl fifo pike_list"
> i don't get any address blocked
> My opensips config is:
>
> loadmodule "pike.so"
> modparam("pike", "sampling_time_unit", 10)
> modparam("pike", "reqs_density_per_unit", 30)
> modparam("pike", "remove_latency", 120)
> modparam("pike", "check_route","pike") # enable automatic checking
> modparam("pike", "pike_log_level",1)
>
> route[pike]
> {
>  if (src_ip==x.x.x.x ||src_ip==gw_ip) # Trusted IP
>   xlog("L_INFO", "in pike route ");
>   drop();
> }
>
> have you an idea please toresolve that?
>
> 2012/10/8 SamyGo <govoiper at gmail.com>
>
>> Hi,
>> Relax it says its Friendly !!
>>
>> But still if you want to block it you've many options i.e in opensips.cfg
>> start put a condition $ua =~ "friendly-scanner".  If matched return
>> stateless some error.
>> Other option is to use pike module.
>> Another option is use fail2ban for opensips logs.
>> More sophisticated options involve firewalls with IPS and IDS modules.
>>
>> I hope it was helpful.
>>
>> BR
>> Sammy
>>  On Oct 8, 2012 2:33 PM, "Engineer voip" <forvoip4 at gmail.com> wrote:
>>
>>> Hi All,
>>> I receveid several packets of registration from a  "friendly-scanner"
>>> on my opensips server
>>> how can i do to block that please??
>>>
>>> --
>>>
>>> Best Regards.
>>>
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opensips.org
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
>>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>>
>
>
> --
>
> Best Regards.
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20121008/7f32c0fb/attachment.htm>


More information about the Users mailing list