Hello, <br><div class="gmail_quote"><br><br>Im new to Opensips and im getting an attack that i can read the ip just on the first register, the attacker are sending my own ip on the sip package<br><br><br>on the begin of my main route i put the rule below<br>
<br><br><br> if($ua=~"friendly-scanner"){<br> xlog("L_NOTICE","Auth error for $fU@$fd from $Ri cause $var(auth_code)");<br> xlog("FRIENDLY-SCANNER: UA: $ua From_TAG: $ft From_URI: $fu Received IP: $Ri IP Source: $si");<br>
sl_send_reply("403", "Access Denied");<br> }<br><br><br>Small time later the attacker start the attack i get this message<br><br><br>Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer<br>
Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation<br>Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:relay_reply: no more share memory<br>Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation<br>
Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer<br>Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation<br>
Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:relay_reply: no more share memory<br>Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation<br>Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer<br>
Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation<br>Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:relay_reply: no more share memory<br>Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation<br>
Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer<br><br><br><br>i can get the log, but the ip that i show is my own, how can i block this kind of attack ? <br><br>Thanks<br>
<br><br>below you have the firs 3 packages that i can get on ngrep (the XXX.XXX.XXX.XXX is my IP)<br><br>U 2011/06/28 17:46:11.898262 <a href="http://60.171.75.147:5100" target="_blank">60.171.75.147:5100</a> -> XXX.XXX.XXX.XXX:5060<br>
REGISTER sip:XXX.XXX.XXX.XXX SIP/2.0.<br>Via: SIP/2.0/UDP 127.0.0.1:5100;branch=z9hG4bK-693079904;rport.<br>Content-Length: 0.<br>From: "6362" <sip:6362@XXX.XXX.XXX.XXX>.<br>Accept: application/sdp.<br>User-Agent: friendly-scanner.<br>
To: "6362" <sip:6362@XXX.XXX.XXX.XXX>.<br>Contact: <a href="mailto:sip%3A123@1.1.1.1" target="_blank">sip:123@1.1.1.1</a>.<br>CSeq: 1 REGISTER.<br>Call-ID: 1696826551.<br>Max-Forwards: 70.<br>.<br><br>#<br>
U 2011/06/28 17:46:11.899246 XXX.XXX.XXX.XXX:5060 -> XXX.XXX.XXX.XXX:5060<br>
REGISTER sip:XXX.XXX.XXX.XXX SIP/2.0.<br>Via: SIP/2.0/UDP XXX.XXX.XXX.XXX;branch=z9hG4bKe9e1.7864db01.0.<br>Via: SIP/2.0/UDP 127.0.0.1:5100;received=60.171.75.147;branch=z9hG4bK-693079904;rport=5100.<br>Content-Length: 0.<br>
From: "6362" <sip:6362@XXX.XXX.XXX.XXX>.<br>Accept: application/sdp.<br>User-Agent: friendly-scanner.<br>To: "6362" <sip:6362@XXX.XXX.XXX.XXX>.<br>Contact: <a href="mailto:sip%3A123@1.1.1.1" target="_blank">sip:123@1.1.1.1</a>.<br>
CSeq: 1 REGISTER.<br>Call-ID: 1696826551.<br>Max-Forwards: 69.<br>P-hint: outbound.<br><br><br>#<br>U 2011/06/28 17:46:11.899388 XXX.XXX.XXX.XXX:5060 -> XXX.XXX.XXX.XXX:5060<br>REGISTER sip:XXX.XXX.XXX.XXX SIP/2.0.<br>
Via: SIP/2.0/UDP XXX.XXX.XXX.XXX;branch=z9hG4bKe9e1.8864db01.0.<br>Via: SIP/2.0/UDP XXX.XXX.XXX.XXX;rport=5060;received=XXX.XXX.XXX.XXX;branch=z9hG4bKe9e1.7864db01.0.<br>Via: SIP/2.0/UDP 127.0.0.1:5100;received=60.171.75.147;branch=z9hG4bK-693079904;rport=5100.<br>
Content-Length: 0.<br>From: "6362" <sip:6362@XXX.XXX.XXX.XXX>.<br>Accept: application/sdp.<br>User-Agent: friendly-scanner.<br>To: "6362" <sip:6362@XXX.XXX.XXX.XXX>.<br>Contact: <a href="mailto:sip%3A123@1.1.1.1" target="_blank">sip:123@1.1.1.1</a>.<br>
CSeq: 1 REGISTER.<br>Call-ID: 1696826551.<br>Max-Forwards: 68.<br>P-hint: outbound.<br>P-hint: outbound.<br>.<br><br>
</div><br>