[OpenSIPS-Users] Attack with UA: friendly-scanner

Mike Tesliuk mike at ultra.net.br
Tue Jun 28 23:55:35 CEST 2011


Hello,


I'm new to OpenSIPS and I'm getting an attack where I can read the IP only on
the first REGISTER; the attacker is sending my own IP in the SIP packet.


At the beginning of my main route I put the rule below:



        # Match requests whose User-Agent header contains "friendly-scanner"
        if($ua=~"friendly-scanner"){
                xlog("L_NOTICE","Auth error for $fU@$fd from $Ri cause $var(auth_code)");
                xlog("FRIENDLY-SCANNER: UA: $ua From_TAG: $ft From_URI: $fu Received IP: $Ri IP Source: $si");
                # Answer statelessly with 403
                sl_send_reply("403", "Access Denied");
        }


A short time after the attacker starts the attack I get this message:


Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer
Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:relay_reply: no more share memory
Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer
Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:relay_reply: no more share memory
Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer
Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:relay_reply: no more share memory
Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: WARNING:core:fm_malloc: Not enough free memory, will atempt defragmenation
Jun 28 18:31:06 ser1-vm /sbin/opensips[19848]: ERROR:tm:_reply_light: failed to allocate shmem buffer



I can get the log, but the IP shown is my own. How can I block this
kind of attack?

Thanks


Below are the first 3 packets that I can get with ngrep
(XXX.XXX.XXX.XXX is my IP):

U 2011/06/28 17:46:11.898262 60.171.75.147:5100 -> XXX.XXX.XXX.XXX:5060
REGISTER sip:XXX.XXX.XXX.XXX SIP/2.0.
Via: SIP/2.0/UDP 127.0.0.1:5100;branch=z9hG4bK-693079904;rport.
Content-Length: 0.
From: "6362" <sip:6362@XXX.XXX.XXX.XXX>.
Accept: application/sdp.
User-Agent: friendly-scanner.
To: "6362" <sip:6362@XXX.XXX.XXX.XXX>.
Contact: sip:123@1.1.1.1.
CSeq: 1 REGISTER.
Call-ID: 1696826551.
Max-Forwards: 70.
.

#
U 2011/06/28 17:46:11.899246 XXX.XXX.XXX.XXX:5060 -> XXX.XXX.XXX.XXX:5060
REGISTER sip:XXX.XXX.XXX.XXX SIP/2.0.
Via: SIP/2.0/UDP XXX.XXX.XXX.XXX;branch=z9hG4bKe9e1.7864db01.0.
Via: SIP/2.0/UDP 127.0.0.1:5100;received=60.171.75.147;branch=z9hG4bK-693079904;rport=5100.
Content-Length: 0.
From: "6362" <sip:6362@XXX.XXX.XXX.XXX>.
Accept: application/sdp.
User-Agent: friendly-scanner.
To: "6362" <sip:6362@XXX.XXX.XXX.XXX>.
Contact: sip:123@1.1.1.1.
CSeq: 1 REGISTER.
Call-ID: 1696826551.
Max-Forwards: 69.
P-hint: outbound.


#
U 2011/06/28 17:46:11.899388 XXX.XXX.XXX.XXX:5060 -> XXX.XXX.XXX.XXX:5060
REGISTER sip:XXX.XXX.XXX.XXX SIP/2.0.
Via: SIP/2.0/UDP XXX.XXX.XXX.XXX;branch=z9hG4bKe9e1.8864db01.0.
Via: SIP/2.0/UDP XXX.XXX.XXX.XXX;rport=5060;received=XXX.XXX.XXX.XXX;branch=z9hG4bKe9e1.7864db01.0.
Via: SIP/2.0/UDP 127.0.0.1:5100;received=60.171.75.147;branch=z9hG4bK-693079904;rport=5100.
Content-Length: 0.
From: "6362" <sip:6362@XXX.XXX.XXX.XXX>.
Accept: application/sdp.
User-Agent: friendly-scanner.
To: "6362" <sip:6362@XXX.XXX.XXX.XXX>.
Contact: sip:123@1.1.1.1.
CSeq: 1 REGISTER.
Call-ID: 1696826551.
Max-Forwards: 68.
P-hint: outbound.
P-hint: outbound.
.
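
In the capture above, the looped copies of the request arrive from the proxy's own address, while the bottom Via still carries received=60.171.75.147. The following is an added example, not part of the original post, that recovers that address from ngrep-style text for messages with a matching User-Agent. The sample capture, its documentation-range IPs and the function names are constructed for illustration.

```python
import re

# Constructed ngrep-style sample (documentation IPs, not data from the post).
# 198.51.100.10 plays the proxy; the first message is a request looped to itself.
CAPTURE = """\
U 2011/06/28 17:46:11.899388 198.51.100.10:5060 -> 198.51.100.10:5060
REGISTER sip:198.51.100.10 SIP/2.0.
Via: SIP/2.0/UDP 198.51.100.10;branch=z9hG4bKe9e1.8864db01.0.
Via: SIP/2.0/UDP 127.0.0.1:5100;received=203.0.113.77;branch=z9hG4bK-693079904;rport=5100.
User-Agent: friendly-scanner.
.
#
U 2011/06/28 17:46:12.000001 192.0.2.50:5060 -> 198.51.100.10:5060
REGISTER sip:198.51.100.10 SIP/2.0.
Via: SIP/2.0/UDP 192.0.2.50:5060;branch=z9hG4bK-1;rport.
User-Agent: ExamplePhone/1.0.
.
"""

PACKET = re.compile(r"^[UT] \S+ \S+ (\S+):\d+ -> \S+:\d+")
RECEIVED = re.compile(r";\s*received=([^;\s]+)", re.I)

def parse_capture(text):
    """Return one dict per captured message: packet source, Via list, User-Agent."""
    msgs, cur = [], None
    for line in text.splitlines():
        m = PACKET.match(line)
        if m:
            cur = {"src": m.group(1), "via": [], "ua": ""}
            msgs.append(cur)
        elif cur is not None and ":" in line:
            # ngrep prints the CR that ends each SIP line as "."
            name, _, value = re.sub(r"\.$", "", line).partition(":")
            name = name.strip().lower()
            if name in ("via", "v"):
                cur["via"].append(value.strip())
            elif name == "user-agent":
                cur["ua"] = value.strip()
    return msgs

def original_source(msg):
    """Address seen by the first hop: received= on the bottom Via, else packet source."""
    m = RECEIVED.search(msg["via"][-1]) if msg["via"] else None
    return m.group(1) if m else msg["src"]

def scanner_sources(text, ua_pattern=r"friendly-scanner"):
    """Sorted original sources of every message whose User-Agent matches."""
    return sorted({original_source(m) for m in parse_capture(text)
                   if re.search(ua_pattern, m["ua"], re.I)})
```

The parser expects each header on a single line, so Via headers wrapped by a mail client have to be rejoined before they are fed in.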