<br><div class="gmail_quote">OK, it was a beginner mistake, thanks for your reply<br><br><br>Now I get the message with the IP of the attacker and I can block him<br><br><br>Jun 28 19:29:00 ser1-vm /sbin/opensips[20887]: Auth error for gabriell@XXX.XXX.XXX.XXX from XXX.XXX.XXX.XXX cause 0<br>
Jun 28 19:29:00 ser1-vm /sbin/opensips[20887]: FRIENDLY-SCANNER: UA: friendly-scanner From_TAG: <null> From_URI: sip:gabriell@XXX.XXX.XXX.XXX Received IP: XXX.XXX.XXX.XXX IP Source: 60.171.75.147<br><br><br>Thanks for the reply<div>
<div></div><div class="h5"><br>
<br><br><br><div class="gmail_quote">2011/6/28 Ovidiu Sas <span dir="ltr"><<a href="mailto:osas@voipembedded.com" target="_blank">osas@voipembedded.com</a>></span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Put an exit after sl_send_reply(). You are looping the REGISTER<br>
through your server.<br>
Or just don't even bother sending a reply back, just exit.<br>
<br>
Regards,<br>
Ovidiu Sas<br>
<div><div></div><div><br>
On Tue, Jun 28, 2011 at 5:55 PM, Mike Tesliuk <<a href="mailto:mike@ultra.net.br" target="_blank">mike@ultra.net.br</a>> wrote:<br>
> Hello,<br>
><br>
><br>
> I'm new to OpenSIPS and I'm getting an attack where I can read the IP just on<br>
> the first REGISTER; the attacker is sending my own IP in the SIP package<br>
><br>
><br>
> At the beginning of my main route I put the rule below<br>
><br>
><br>
><br>
> if($ua=~"friendly-scanner"){<br>
> xlog("L_NOTICE","Auth error for $fU@$fd from $Ri cause $var(auth_code)");<br>
> xlog("FRIENDLY-SCANNER: UA: $ua From_TAG: $ft From_URI: $fu Received IP: $Ri IP Source: $si");<br>
> sl_send_reply("403", "Access Denied");<br>
> }<br>
><br>
><br>
> A short time after the attacker starts the attack I get this message<br>
><br>
><br>
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed<br>
> to allocate shmem buffer<br>
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not<br>
> enough free memory, will atempt defragmenation<br>
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:relay_reply: no more<br>
> share memory<br>
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not<br>
> enough free memory, will atempt defragmenation<br>
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed<br>
> to allocate shmem buffer<br>
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not<br>
> enough free memory, will atempt defragmenation<br>
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:relay_reply: no more<br>
> share memory<br>
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not<br>
> enough free memory, will atempt defragmenation<br>
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed<br>
> to allocate shmem buffer<br>
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not<br>
> enough free memory, will atempt defragmenation<br>
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:relay_reply: no more<br>
> share memory<br>
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not<br>
> enough free memory, will atempt defragmenation<br>
> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed<br>
> to allocate shmem buffer<br>
><br>
><br>
><br>
> I can get the log, but the IP that I show is my own; how can I block this<br>
> kind of attack?<br>
><br>
> Thanks<br>
><br>
><br>
> Below you have the first 3 packages that I can get on ngrep (the<br>
> XXX.XXX.XXX.XXX is my IP)<br>
><br>
> U 2011/06/28 17:46:11.898262 60.171.75.147:5100 -> XXX.XXX.XXX.XXX:5060<br>
> REGISTER sip:XXX.XXX.XXX.XXX SIP/2.0.<br>
> Via: SIP/2.0/UDP 127.0.0.1:5100;branch=z9hG4bK-693079904;rport.<br>
> Content-Length: 0.<br>
> From: "6362" <sip:6362@XXX.XXX.XXX.XXX>.<br>
> Accept: application/sdp.<br>
> User-Agent: friendly-scanner.<br>
> To: "6362" <sip:6362@XXX.XXX.XXX.XXX>.<br>
> Contact: sip:123@1.1.1.1.<br>
> CSeq: 1 REGISTER.<br>
> Call-ID: 1696826551.<br>
> Max-Forwards: 70.<br>
> .<br>
><br>
> #<br>
> U 2011/06/28 17:46:11.899246 XXX.XXX.XXX.XXX:5060 -> XXX.XXX.XXX.XXX:5060<br>
> REGISTER sip:XXX.XXX.XXX.XXX SIP/2.0.<br>
> Via: SIP/2.0/UDP XXX.XXX.XXX.XXX;branch=z9hG4bKe9e1.7864db01.0.<br>
> Via: SIP/2.0/UDP<br>
> 127.0.0.1:5100;received=60.171.75.147;branch=z9hG4bK-693079904;rport=5100.<br>
> Content-Length: 0.<br>
> From: "6362" <sip:6362@XXX.XXX.XXX.XXX>.<br>
> Accept: application/sdp.<br>
> User-Agent: friendly-scanner.<br>
> To: "6362" <sip:6362@XXX.XXX.XXX.XXX>.<br>
> Contact: sip:123@1.1.1.1.<br>
> CSeq: 1 REGISTER.<br>
> Call-ID: 1696826551.<br>
> Max-Forwards: 69.<br>
> P-hint: outbound.<br>
><br>
><br>
> #<br>
> U 2011/06/28 17:46:11.899388 XXX.XXX.XXX.XXX:5060 -> XXX.XXX.XXX.XXX:5060<br>
> REGISTER sip:XXX.XXX.XXX.XXX SIP/2.0.<br>
> Via: SIP/2.0/UDP XXX.XXX.XXX.XXX;branch=z9hG4bKe9e1.8864db01.0.<br>
> Via: SIP/2.0/UDP<br>
> XXX.XXX.XXX.XXX;rport=5060;received=XXX.XXX.XXX.XXX;branch=z9hG4bKe9e1.7864db01.0.<br>
> Via: SIP/2.0/UDP<br>
> 127.0.0.1:5100;received=60.171.75.147;branch=z9hG4bK-693079904;rport=5100.<br>
> Content-Length: 0.<br>
> From: "6362" <sip:6362@XXX.XXX.XXX.XXX>.<br>
> Accept: application/sdp.<br>
> User-Agent: friendly-scanner.<br>
> To: "6362" <sip:6362@XXX.XXX.XXX.XXX>.<br>
> Contact: sip:123@1.1.1.1.<br>
> CSeq: 1 REGISTER.<br>
> Call-ID: 1696826551.<br>
> Max-Forwards: 68.<br>
> P-hint: outbound.<br>
> P-hint: outbound.<br>
> .<br>
><br>
><br>
><br>
</div></div>> _______________________________________________<br>
> Users mailing list<br>
> <a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
> <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
><br>
><br>
<br>
</blockquote></div><br>
</div></div></div><br>
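Added example, not part of the thread: a small Python helper for reading a capture like the one above, which counts how many times the proxy has already forwarded a request to itself and recovers the address it first saw from the received= parameter. The address 192.0.2.10 is a constructed stand-in for the redacted XXX.XXX.XXX.XXX, and the function names are hypothetical.

```python
import re

# Constructed stand-in for the proxy address redacted as XXX.XXX.XXX.XXX.
PROXY_IP = "192.0.2.10"

# Constructed sample modelled on the third packet of the capture: the proxy
# has already forwarded the scanner's REGISTER to itself twice.
LOOPED_REGISTER = (
    "REGISTER sip:192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bKe9e1.8864db01.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10;rport=5060;received=192.0.2.10;"
    "branch=z9hG4bKe9e1.7864db01.0\r\n"
    "Via: SIP/2.0/UDP 127.0.0.1:5100;received=60.171.75.147;"
    "branch=z9hG4bK-693079904;rport=5100\r\n"
    "User-Agent: friendly-scanner\r\n"
    "Max-Forwards: 68\r\n"
    "Content-Length: 0\r\n\r\n"
)

# One Via value per header line is assumed (no comma-separated lists).
VIA_RE = re.compile(
    r"^(?:Via|v)[ \t]*:[ \t]*SIP/2\.0/\w+[ \t]+([^;\s]+)([^\r\n]*)", re.I | re.M)


def parse_vias(message):
    """Return [(sent_by_host, params), ...] with the topmost Via first."""
    vias = []
    for sent_by, rest in VIA_RE.findall(message):
        # Drop ":port" from host:port; bracketed IPv6 is left untouched.
        host = sent_by.split(":")[0] if sent_by.count(":") == 1 else sent_by
        params = {}
        for item in filter(None, rest.split(";")):
            key, _, value = item.partition("=")
            params[key.strip().lower()] = value.strip()
        vias.append((host, params))
    return vias


def trace_origin(message, own_ip):
    """Count the proxy's own Via hops and find the address it first saw."""
    own_vias = 0
    for host, params in parse_vias(message):
        # A Via is the proxy's own only if it names the proxy and was not
        # stamped with a different received= address on arrival.
        if host != own_ip or params.get("received", own_ip) != own_ip:
            # First foreign Via: lower ones are sender-controlled, skip them.
            return {"own_vias": own_vias, "origin": params.get("received")}
        own_vias += 1
    return {"own_vias": own_vias, "origin": None}
```

An origin of None means the request was captured before any server stamped it, so the packet's real source address is the one to use.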