<html><body bgcolor="#FFFFFF"><div>Kennard,</div><div>I personally write a log entry each time I get a REGISTER failure. Then use fail2ban on top of that log. Pike could probably also be used.</div><div><br></div><div>-Brett</div>
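<div><br></div><div>An added example, not code from this thread and not from the OpenSIPS or fail2ban projects: the detection side of what Brett describes (log every REGISTER failure, let fail2ban count them) combined with Flavio's User-Agent check further down the thread, in Python. It assumes the OpenSIPS REGISTER route writes one line per outcome in a constructed format carrying the source IP and User-Agent; the sample lines, the REGISTER-FAIL/REGISTER-OK tag, the hostname and the addresses are made up for this example and are not OpenSIPS's real log output. It counts failures per source over a sliding window the way a fail2ban jail's maxretry/findtime do, reports which sources would be banned, separately flags sources whose User-Agent contains "friendly-scanner", and carries the matching fail2ban failregex for that line format as a string.</div><div><br></div>

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: the line format is an assumption for this example (what an
# xlog() call in the OpenSIPS REGISTER route might emit), not OpenSIPS's own output.
# 203.0.113.7 hammers the registrar with a scanner User-Agent; 198.51.100.9 is a
# phone that mistypes its password once, registers, and fails again 14 minutes later.
SAMPLE_LOG = """\
Nov  2 22:31:01 sip opensips[1234]: REGISTER-FAIL src=203.0.113.7 ua="friendly-scanner"
Nov  2 22:31:01 sip opensips[1234]: REGISTER-FAIL src=203.0.113.7 ua="friendly-scanner"
Nov  2 22:31:02 sip opensips[1234]: REGISTER-FAIL src=198.51.100.9 ua="Linksys/SPA942-6.1.5"
Nov  2 22:31:02 sip opensips[1234]: REGISTER-FAIL src=203.0.113.7 ua="friendly-scanner"
Nov  2 22:31:03 sip opensips[1234]: REGISTER-OK src=198.51.100.9 ua="Linksys/SPA942-6.1.5"
Nov  2 22:31:03 sip opensips[1234]: REGISTER-FAIL src=203.0.113.7 ua="friendly-scanner"
Nov  2 22:31:04 sip opensips[1234]: REGISTER-FAIL src=203.0.113.7 ua="friendly-scanner"
Nov  2 22:45:10 sip opensips[1234]: REGISTER-FAIL src=198.51.100.9 ua="Linksys/SPA942-6.1.5"
"""

# Syslog timestamps carry no year; fixed here for the constructed sample.
LOG_YEAR = 2010

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ opensips\[\d+\]: "
    r"REGISTER-(?P<result>FAIL|OK) src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) ua=\"(?P<ua>[^\"]*)\"$"
)

# Equivalent fail2ban filter for the same (assumed) line format; <HOST> is fail2ban's
# placeholder for the address to ban. Only failures match, so a working phone's
# successful registrations never count against it.
FAIL2BAN_FILTER = """\
[Definition]
failregex = opensips\\[\\d+\\]: REGISTER-FAIL src=<HOST> ua=
ignoreregex =
"""


def parse_line(line):
    """Return {'ts', 'result', 'ip', 'ua'} for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = re.sub(r"\s+", " ", m.group("ts"))
    ts = datetime.strptime(ts_text, "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"ts": ts, "result": m.group("result"), "ip": m.group("ip"), "ua": m.group("ua")}


def find_offenders(lines, maxretry=5, findtime=60):
    """Sliding-window count of REGISTER failures per source, fail2ban style.

    A source is banned the moment it has `maxretry` failures within the last
    `findtime` seconds; the returned dict maps each banned IP to the time the
    threshold was crossed.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL" or ev["ip"] in banned:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        cutoff = ev["ts"] - timedelta(seconds=findtime)
        while q and q[0] < cutoff:       # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ev["ip"]] = ev["ts"]
    return banned


def scanner_sources(lines, marker="friendly-scanner"):
    """Sources whose User-Agent contains the scanner marker, regardless of count."""
    return {ev["ip"] for ev in map(parse_line, lines) if ev and marker in ev["ua"]}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, when in find_offenders(lines).items():
        print(f"ban {ip}: 5 failures within 60s, threshold crossed at {when}")
    print("scanner user-agents seen from:", sorted(scanner_sources(lines)))
```

<div>On the sample, only 203.0.113.7 crosses the threshold (five failures in four seconds); the phone's two failures are fourteen minutes apart and fall out of the window. Keeping the User-Agent signal separate from the counter matters because a scanner can change its User-Agent but cannot avoid producing authentication failures, so the counter is the durable control and the marker is only a cheap early flag.</div><div><br></div>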
<div><br><br>On Nov 2, 2010, at 10:30 PM, Kennard White <<a href="mailto:kennard_white@logitech.com">kennard_white@logitech.com</a>> wrote:<br><br></div><div></div><blockquote type="cite"><div>Hi Flavio,<br><br>How did you originally detect these register attacks? Are you using the pike module or notice them some other way?<br>
<br>Thanks,<br>Kennard<br><br><div class="gmail_quote">On Tue, Nov 2, 2010 at 10:40 AM, Flavio Goncalves <span dir="ltr"><<a href="mailto:flavio@asteriskguide.com">flavio@asteriskguide.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Hi,<br>
<br>
Register attacks are now an epidemic. In most cases they are using the<br>
friendly-scanner (svcrack.py) from <a href="http://sipvicious.org" target="_blank">sipvicious.org</a>. One easy way to<br>
block is to check the user agent for the words "friendly-scanner" and<br>
drop the packets (an attacker could easily change the user agent, but<br>
most of them are just script kiddies). There is a good tutorial on the<br>
opensips website on how to use fail2ban to block the IP address of the<br>
offenders (I think this is the best long term solution).<br>
<br>
<a href="http://www.opensips.org/Resources/DocsTutFail2ban" target="_blank">http://www.opensips.org/Resources/DocsTutFail2ban</a> (posted in sept/2010<br>
by the user named aseques)<br>
<br>
In some cases, when the attacker uses an old version of svcrack.py it<br>
floods your server. I have received four gigs of traffic in a single<br>
day from just one source. There is a small utility from <a href="http://sipvicious.org" target="_blank">sipvicious.org</a><br>
called svcrash.py capable of crashing the attacker by sending a malformed<br>
packet.<br>
<br>
I hope it helps, it has been a pain to handle these attacks every day.<br>
In a normal day we are receiving from 4 to 8 attacks from different<br>
sources.<br>
<br>
Best regards,<br>
<br>
--------------------------------------------------<br>
Flavio E. Goncalves<br>
CEO - V.Office<br>
Fone: +554830258590/+554884085000<br>
OpenSIPS Bootcamp (Frankfurt Sep 20-24)<br>
<br>
<br>
<br>
<br>
2010/11/2 Hung Nguyen <<a href="mailto:hungbk546@gmail.com">hungbk546@gmail.com</a>>:<br>
<div><div></div><div class="h5">> Hi everybody!<br>
><br>
> I have a problem with an attacker, as follows:<br>
><br>
><br>
> attack registrar<br>
><br>
> register -------------><br>
> register -------------><br>
> ...<br>
> register -------------><br>
><br>
><br>
> The attacker sends 200 registers/second, so the registrar server errors out. This<br>
> is configuration for register method:<br>
><br>
> route[2] {<br>
><br>
> # ----------------------------------------------------------<br>
> # REGISTER Message Handler<br>
> # ----------------------------------------------------------<br>
><br>
> if (!search("^Contact:[ ]*\*") && nat_uac_test("7")) {<br>
> setflag(6);<br>
> fix_nated_register();<br>
> fix_nated_contact();<br>
> force_rport();<br>
> };<br>
><br>
> if (!radius_www_authorize("abc.com")) {<br>
> www_challenge("abc.com", "0");<br>
> exit;<br>
> };<br>
> consume_credentials();<br>
><br>
> if (!save("location")) {<br>
> sl_reply_error();<br>
> };<br>
> }<br>
><br>
> Please help me,<br>
><br>
> Thanks.<br>
><br>
> Hung<br>
><br>
> _______________________________________________<br>
> Users mailing list<br>
> <a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
> <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
><br>
<br>
</div></div></blockquote></div><br>
</div></blockquote></body></html>