[OpenSIPS-Users] Attack with UA: firendly-scanner

Brett Nemeroff brett at nemeroff.com
Wed Jun 29 14:16:01 CEST 2011


On Jun 29, 2011, at 2:01 AM, Saúl Ibarra Corretgé <saul at ag-projects.com> wrote:

>
> On Jun 29, 2011, at 12:05 AM, duane.larson at gmail.com wrote:
>
>> I wouldn't even reply back with a "403 - Access Denied". If you do that then you just told whoever that you exist and you are SIP
>>
>
> So? I would reply 200, so that it believes it has guessed right and will stop the flood. :-)

Actually, I've seen this do bad things. Makes the hackers think they
got something. It's better if you can just pretend to not be a SIP
server. If you 200 they might think that they have an easy box to
crack and just need to keep trying extensions until they get one that
works properly. Unless of course you are making a honeypot. That is,
an extension that is easy to crack (or returns an immediate 200 when a
friendly-scanner regs) and then inserts the source IP into your border
router ACL automatically. But you can even honeypot it without
returning 200 and you remain stealthy to them which I tend to still
believe is a better idea.
-Brett
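
The silent honeypot described in the message above, sketched as an added example (not part of the original post and not OpenSIPS code): requests are classified by User-Agent or by a decoy extension, no reply is ever generated for a match, and the source IPs are collected for an ACL. The decoy extension `100`, the host `pbx.example.test` and the sample traffic are assumptions constructed for illustration.

```python
import re

# Assumptions for this sketch: the signature list and the decoy extension.
SCANNER_UA = re.compile(r"friendly-scanner", re.IGNORECASE)
HONEYPOT_USERS = {"100"}  # hypothetical decoy extension nobody legitimately uses

def headers_of(raw):
    """Parse SIP header lines into a dict keyed by lower-cased header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    out = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip().lower()] = value.strip()
    return out

def classify(raw):
    """Return ('drop', reason) or ('pass', None). 'drop' means send no reply at all."""
    method = raw.split(" ", 1)[0]
    hdrs = headers_of(raw)
    if SCANNER_UA.search(hdrs.get("user-agent", "")):
        return "drop", "scanner user-agent"
    to_user = re.search(r"sips?:([^@>;]+)@", hdrs.get("to", ""))
    if method == "REGISTER" and to_user and to_user.group(1) in HONEYPOT_USERS:
        return "drop", "honeypot extension"
    return "pass", None

def build_acl(packets):
    """Collect source IPs of dropped requests, ready to push to a router ACL."""
    return sorted({ip for ip, raw in packets if classify(raw)[0] == "drop"})

def msg(method, user, ua):
    """Build a constructed, minimal SIP request for the samples below."""
    return (f"{method} sip:pbx.example.test SIP/2.0\r\n"
            f"To: <sip:{user}@pbx.example.test>\r\n"
            f"User-Agent: {ua}\r\n\r\n")

# Constructed sample traffic (documentation address ranges).
SAMPLES = [
    ("198.51.100.7", msg("OPTIONS", "100", "friendly-scanner")),
    ("203.0.113.9", msg("REGISTER", "100", "SomePhone 1.0")),
    ("192.0.2.20", msg("REGISTER", "2001", "SomePhone 1.0")),
]

if __name__ == "__main__":
    print(build_acl(SAMPLES))
```

Because a match produces no SIP response of any kind, the sender learns nothing about whether a SIP server is listening, while the returned address list can still feed the border router ACL.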


