<br><div class="gmail_quote">I removed the reply, thanks.<br><br><div class="gmail_quote">2011/6/28 <span dir="ltr"><<a href="mailto:duane.larson@gmail.com" target="_blank">duane.larson@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div><div></div><div class="h5">
I wouldn't even reply back with a "403 - Access Denied". If you do that then you just told whoever that you exist and you are SIP
<br><div>
<br> if($ua=~"friendly-scanner"){
<br> xlog("L_NOTICE","Auth error for $fU@$fd from $Ri cause $var(auth_code)");
<br> xlog("FRIENDLY-SCANNER: UA: $ua From_TAG: $ft From_URI: $fu Received IP: $Ri IP Source: $si");
<br></div> exit;
<br><div> }
<br>
<br>
<br>
<br>On Jun 28, 2011 4:55pm, Mike Tesliuk <<a href="mailto:mike@ultra.net.br" target="_blank">mike@ultra.net.br</a>> wrote:
<br>> Hello,
<br>>
<br>>
<br>> I'm new to OpenSIPS and I'm getting an attack in which I can read the IP just on the first register; the attacker is sending my own IP in the SIP packet
<br>>
<br>>
<br></div><div><div></div><div>> At the beginning of my main route I put the rule below
<br>>
<br>> if($ua=~"friendly-scanner"){
<br>> xlog("L_NOTICE","Auth error for $fU@$fd from $Ri cause $var(auth_code)");
<br>> xlog("FRIENDLY-SCANNER: UA: $ua From_TAG: $ft From_URI: $fu Received IP: $Ri IP Source: $si");
<br>> sl_send_reply("403", "Access Denied");
<br>> }
<br>>
<br>>
<br>> A short time after the attacker starts the attack, I get this message
<br>>
<br>>
<br>> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer
<br>> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
<br>> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:relay_reply: no more share memory
<br>> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
<br>> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer
<br>> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
<br>> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:relay_reply: no more share memory
<br>> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
<br>> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer
<br>> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
<br>> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:relay_reply: no more share memory
<br>> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
<br>> Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer
<br>>
<br>> I can get the log, but the IP that is shown is my own. How can I block this kind of attack?
<br>>
<br>> Thanks
<br>>
<br>> Below you have the first 3 packets that I can get on ngrep (the XXX.XXX.XXX.XXX is my IP)
<br>>
<br>> U 2011/06/28 17:46:11.898262 60.171.75.147:5100 -> XXX.XXX.XXX.XXX:5060
<br>> REGISTER sip:XXX.XXX.XXX.XXX SIP/2.0.
<br>> Via: SIP/2.0/UDP 127.0.0.1:5100;branch=z9hG4bK-693079904;rport.
<br>> Content-Length: 0.
<br></div></div>> From: "6362" .
<br><div>> Accept: application/sdp.
<br>> User-Agent: friendly-scanner.
<br></div>> To: "6362" .
<br><div>> Contact: sip:123@1.1.1.1.
<br>> CSeq: 1 REGISTER.
<br>> Call-ID: 1696826551.
<br>> Max-Forwards: 70.
<br>> .
<br>>
<br>> #
<br>>
<br>>
<br>> U 2011/06/28 17:46:11.899246 XXX.XXX.XXX.XXX:5060 -> XXX.XXX.XXX.XXX:5060
<br>>
<br>>
<br>> REGISTER sip:XXX.XXX.XXX.XXX SIP/2.0.
<br>> Via: SIP/2.0/UDP XXX.XXX.XXX.XXX;branch=z9hG4bKe9e1.7864db01.0.
<br>> Via: SIP/2.0/UDP 127.0.0.1:5100;received=60.171.75.147;branch=z9hG4bK-693079904;rport=5100.
<br>> Content-Length: 0.
<br></div>> From: "6362" .
<br><div>> Accept: application/sdp.
<br>> User-Agent: friendly-scanner.
<br></div>> To: "6362" .
<br><div>> Contact: sip:123@1.1.1.1.
<br>> CSeq: 1 REGISTER.
<br>> Call-ID: 1696826551.
<br>> Max-Forwards: 69.
<br>> P-hint: outbound.
<br>>
<br>>
<br>> #
<br>> U 2011/06/28 17:46:11.899388 XXX.XXX.XXX.XXX:5060 -> XXX.XXX.XXX.XXX:5060
<br>> REGISTER sip:XXX.XXX.XXX.XXX SIP/2.0.
<br>> Via: SIP/2.0/UDP XXX.XXX.XXX.XXX;branch=z9hG4bKe9e1.8864db01.0.
<br>> Via: SIP/2.0/UDP XXX.XXX.XXX.XXX;rport=5060;received=XXX.XXX.XXX.XXX;branch=z9hG4bKe9e1.7864db01.0.
<br>> Via: SIP/2.0/UDP 127.0.0.1:5100;received=60.171.75.147;branch=z9hG4bK-693079904;rport=5100.
<br>> Content-Length: 0.
<br></div>> From: "6362" .
<br><div>> Accept: application/sdp.
<br>> User-Agent: friendly-scanner.
<br></div>> To: "6362" .
<br><div><div></div><div>> Contact: sip:123@1.1.1.1.
<br>> CSeq: 1 REGISTER.
<br>> Call-ID: 1696826551.
<br>> Max-Forwards: 68.
<br>> P-hint: outbound.
<br>> P-hint: outbound.
<br>> .
<br>></div></div><br></div></div><div class="im">
<br></div></blockquote></div><br>
</div><br>
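Added example, not part of the original thread: in the quoted capture the same REGISTER re-enters the server from its own address with one more Via each time, and the scanner's address survives only in the `received=` parameter of the bottom Via. The Python below recovers that address and counts the self-relayed hops; `OWN_IP` (192.0.2.10) stands in for the masked XXX.XXX.XXX.XXX, and the function names are assumptions made for this example.

```python
# Constructed input: third REGISTER from the quoted ngrep capture, with the
# masked XXX.XXX.XXX.XXX replaced by the documentation address 192.0.2.10.
OWN_IP = "192.0.2.10"
LOOPED_REGISTER = "\r\n".join([
    "REGISTER sip:192.0.2.10 SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bKe9e1.8864db01.0",
    "Via: SIP/2.0/UDP 192.0.2.10;rport=5060;received=192.0.2.10;branch=z9hG4bKe9e1.7864db01.0",
    "Via: SIP/2.0/UDP 127.0.0.1:5100;received=60.171.75.147;branch=z9hG4bK-693079904;rport=5100",
    "User-Agent: friendly-scanner",
    "CSeq: 1 REGISTER",
    "Call-ID: 1696826551",
    "Max-Forwards: 68",
    "Content-Length: 0",
    "", "",
])


def parse_via(value):
    """Split one Via value into sent-by host/port plus its ;parameters.
    Assumes an IPv4 or hostname sent-by (no bracketed IPv6)."""
    sent_by, *params = [part.strip() for part in value.split(";")]
    host, _, port = sent_by.split()[-1].partition(":")
    via = {key: val for key, _, val in (p.partition("=") for p in params)}
    via.update(host=host, port=port or "5060")
    return via


def via_chain(message):
    """Return the Via entries top (last hop) to bottom (first hop)."""
    head = message.split("\r\n\r\n", 1)[0]
    chain = []
    for line in head.splitlines()[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):
            chain += [parse_via(v) for v in value.split(",")]
    return chain


def analyse(message, own_ip):
    """Recover the real sender and count hops the proxy relayed to itself."""
    chain = via_chain(message)
    first_hop = chain[-1]
    # received=/rport= are stamped by the first proxy from the UDP source,
    # so they survive even when the sent-by (127.0.0.1 here) is forged.
    ip = first_hop.get("received") or first_hop["host"]
    port = first_hop.get("rport") or first_hop["port"]
    self_hops = sum(1 for via in chain[:-1] if via["host"] == own_ip)
    return {"source": f"{ip}:{port}", "self_hops": self_hops}
```

On the first packet of the capture, which has no `received=` yet, `analyse` can only return the forged 127.0.0.1 sent-by; at that point the packet's IP-layer source is the only trustworthy address.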