I had the same problem with register attacks; it almost crashed my server because the log files became too huge. A temporary solution is to change the port number from 5060 to something else, as the register scanners seem to attack SIP servers listening on port 5060. Adding fail2ban on top of this and blocking all registers which don't come from your servers adds another layer of security.<br>
<br><div class="gmail_quote">On Wed, Nov 3, 2010 at 5:33 AM, Brett Nemeroff <span dir="ltr"><<a href="mailto:brett@nemeroff.com">brett@nemeroff.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="#FFFFFF"><div>Kennard,</div><div>I personally write a log entry each time I get a REGISTER failure. Then use fail2ban on top of that log. Pike could probably also be used.</div><div><br></div><font color="#888888"><div>
-Brett</div></font><div><div></div><div class="h5">
<div><br><br>On Nov 2, 2010, at 10:30 PM, Kennard White <<a href="mailto:kennard_white@logitech.com" target="_blank">kennard_white@logitech.com</a>> wrote:<br><br></div><div></div><blockquote type="cite"><div>Hi Flavio,<br>
<br>How did you originally detect these register attacks? Are you using the pike module, or did you notice them some other way?<br>
<br>Thanks,<br>Kennard<br><br><div class="gmail_quote">On Tue, Nov 2, 2010 at 10:40 AM, Flavio Goncalves <span dir="ltr"><<a href="mailto:flavio@asteriskguide.com" target="_blank">flavio@asteriskguide.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">Hi,<br>
<br>
Register attacks are now an epidemic. In most cases they are using the<br>
friendly-scanner (svcrack.py) from <a href="http://sipvicious.org" target="_blank">sipvicious.org</a>. One easy way to<br>
block them is to check the user agent for the words "friendly-scanner" and<br>
drop the packets (an attacker could easily change the user agent, but<br>
most of them are just script kiddies). There is a good tutorial on the<br>
opensips website on how to use fail2ban to block the IP address of the<br>
offenders (I think this is the best long term solution).<br>
<br>
<a href="http://www.opensips.org/Resources/DocsTutFail2ban" target="_blank">http://www.opensips.org/Resources/DocsTutFail2ban</a> (posted in Sept/2010<br>
by the user named aseques)<br>
<br>
In some cases, when the attacker uses an old version of svcrack.py, it<br>
floods your server. I have received four gigs of traffic in a single<br>
day from just one source. There is a small utility from <a href="http://sipvicious.org" target="_blank">sipvicious.org</a><br>
called svcrash.py capable of crashing the attacker by sending a malformed<br>
packet.<br>
<br>
I hope it helps; it has been a pain to handle these attacks every day.<br>
On a normal day we are receiving from 4 to 8 attacks from different<br>
sources.<br>
<br>
Best regards,<br>
<br>
--------------------------------------------------<br>
Flavio E. Goncalves<br>
CEO - V.Office<br>
Fone: +554830258590/+554884085000<br>
OpenSIPS Bootcamp (Frankfurt Sep 20-24)<br>
<br>
2010/11/2 Hung Nguyen <<a href="mailto:hungbk546@gmail.com" target="_blank">hungbk546@gmail.com</a>>:<br>
<div><div></div><div>> Hi everybody!<br>
><br>
> I have a problem with an attacker, as follows:<br>
><br>
><br>
> attack registrar<br>
><br>
> register -------------><br>
> register -------------><br>
> ...<br>
> register -------------><br>
><br>
><br>
> The attacker sends 200 registers/second, so the registrar server errors out. This<br>
> is the configuration for the REGISTER method:<br>
><br>
> route[2] {<br>
><br>
> # ----------------------------------------------------------<br>
> # REGISTER Message Handler<br>
> # ----------------------------------------------------------<br>
><br>
> if (!search("^Contact:[ ]*\*") && nat_uac_test("7")) {<br>
> setflag(6);<br>
> fix_nated_register();<br>
> fix_nated_contact();<br>
> force_rport();<br>
> };<br>
><br>
> if (!radius_www_authorize("abc.com")) {<br>
> www_challenge("abc.com", "0");<br>
> exit;<br>
> };<br>
> consume_credentials();<br>
><br>
> if (!save("location")) {<br>
> sl_reply_error();<br>
> };<br>
> }<br>
><br>
> Please help me,<br>
><br>
> Thanks.<br>
><br>
> Hung<br>
><br>
> _______________________________________________<br>
> Users mailing list<br>
> <a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
> <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
><br>
</div></div></blockquote></div><br>
</div></blockquote></div></div></div>
<br></blockquote></div><br>
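Brett's and Flavio's suggestions (log every REGISTER failure, let fail2ban count failures per source, and drop the sipvicious "friendly-scanner" User-Agent) as a small detection script over sample log lines. This is an added example, not code from any poster or from OpenSIPS; the log line format, the thresholds and the addresses are assumed and constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format (constructed, not OpenSIPS' default output): one line per
# failed REGISTER, as an xlog() in the REGISTER route could write it:
#   YYYY-MM-DD HH:MM:SS REGISTER-FAIL src=<ip> ua="<User-Agent>"
LINE_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) REGISTER-FAIL '
                     r'src=(?P<ip>[\d.]+) ua="(?P<ua>[^"]*)"$')
SCANNER_UA = "friendly-scanner"  # User-Agent sent by sipvicious' svcrack.py


def parse_line(line):
    """Return (timestamp, source ip, user agent), or None for an unrelated line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("ip"), m.group("ua")


def find_offenders(lines, maxretry=5, findtime=600):
    """Return {ip: reason} for sources to block: maxretry failures from one IP
    inside any findtime-second window (fail2ban's rule), or a scanner User-Agent."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, ua = parsed
        if SCANNER_UA in ua.lower():
            offenders.setdefault(ip, "scanner user-agent")
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:  # expire old failures
            window.popleft()
        if len(window) >= maxretry:
            offenders.setdefault(ip, "%d failures within %ds" % (maxretry, findtime))
    return offenders


# Constructed sample: one sipvicious scan, one brute-force source (five failures
# in five seconds), one user who mistyped a password, and an unrelated line.
SAMPLE_LOG = [
    '2010-11-02 22:30:00 REGISTER-FAIL src=203.0.113.7 ua="friendly-scanner"',
    '2010-11-02 22:30:01 REGISTER-FAIL src=192.0.2.44 ua="X-Lite release 1103k"',
    'unrelated line that the parser must skip',
] + ['2010-11-02 22:30:%02d REGISTER-FAIL src=198.51.100.9 ua="Zoiper"' % s
     for s in range(2, 7)]
```

The returned dictionary is what a fail2ban action (or a pike-style drop rule) would consume; the sliding window mirrors fail2ban's maxretry/findtime pair, so tuning either changes which sources are flagged.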