<div><br></div><div><div class="gmail_quote">On Tue, Jun 28, 2011 at 4:55 PM, Mike Tesliuk <span dir="ltr">&lt;<a href="mailto:mike@ultra.net.br">mike@ultra.net.br</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Hello, <br><div class="gmail_quote"><br><br>I'm new to OpenSIPS and I'm getting an attack that I can read the IP just on the first register; the attacker is sending my own IP on the SIP package<br><br></div></blockquote><div>
<br></div><div>Welcome to the community!! :) Sorry for the doom and gloom reply....</div><div><br></div>This is a SIPVicious attack. It's a very aggressive type of brute force attack. Fail2ban is a great intrusion detection system. Google it...<div>
<br></div><div>Quick word of advice. These attacks are brutal and very effective. If you put a SIP server on the internet, it's just a matter of time before you see this attack. Once they break into your box, they'll stick you on a call center calling cellphones in Neru which will probably cost you a few dollars USD per minute. It only takes an hour or so to rack up several thousand dollars of phone bills. So take it seriously.. I'm *not* exaggerating.</div>
<div><br></div><div>Alternatively, if you are comfortable with checking UA, I'd just drop the packet rather than put in CPU cycles and reply:</div><div># discard the request without sending any reply<br>if ($ua =~ "friendly-scanner") {<br>&nbsp;&nbsp;&nbsp;&nbsp;drop();<br>
}<br><br></div><div>These guys will hit your server with a few hundred CPS (I've seen 300 CPS before from this). So don't let your server get wrapped up in replying to it. Especially don't log each attempt. FWIW, normal syslog writes are fairly expensive. Be sure to enable async logging in syslog (stick a "-" before the log file name and restart syslog on many systems..)</div>
<div><br></div><div>-Brett</div><div><br></div><div> </div></div></div>
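Added example (not part of the message above and not OpenSIPS code): the User-Agent check from the reply, done offline in Python over constructed SIP requests, plus a per-source REGISTER count in the spirit of fail2ban's maxretry. The function names, the sample packets, the case-insensitive match and the threshold of 3 are assumptions made for illustration.

```python
import re
from collections import Counter

SCANNER_UA = re.compile(r"friendly-scanner", re.IGNORECASE)

def sip_header(msg, name):
    """First value of a SIP header; header names are case-insensitive."""
    for line in msg.split("\r\n")[1:]:      # skip the request line
        if not line:                        # blank line ends the headers
            break                           # never look inside the body
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None

def triage(packets, maxretry=3):
    """Map source IP -> reason it should be dropped or banned."""
    registers, verdicts = Counter(), {}
    for src, msg in packets:
        ua = sip_header(msg, "User-Agent") or ""
        if SCANNER_UA.search(ua):
            verdicts[src] = "scanner User-Agent"
            continue
        # The User-Agent is set by the sender, so also count REGISTERs per source.
        if msg.startswith("REGISTER "):
            registers[src] += 1
            if registers[src] > maxretry:
                verdicts.setdefault(src, "REGISTER flood")
    return verdicts

def request(method, ua_line):
    """Build a minimal constructed SIP request (sample data, not a capture)."""
    head = [f"{method} sip:pbx.example.com SIP/2.0",
            "Call-ID: constructed-sample", f"CSeq: 1 {method}"]
    if ua_line is not None:
        head.append(ua_line)
    return "\r\n".join(head) + "\r\n\r\n"

# Constructed input: (source IP, raw message); IPs are documentation ranges.
PACKETS = (
    [("192.0.2.10", request("REGISTER", "User-Agent: friendly-scanner"))]
    + [("198.51.100.7", request("OPTIONS", "user-agent:  Friendly-Scanner"))]
    + [("203.0.113.5", request("REGISTER", "User-Agent: SomePhone 1.0"))] * 5
    + [("192.0.2.99", request("REGISTER", "User-Agent: SomePhone 1.0"))]
)

if __name__ == "__main__":
    for src, reason in triage(PACKETS).items():
        print(src, reason)
```

The source at 203.0.113.5 is caught only by the count, which is the case a User-Agent match alone misses once the sender changes the string.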