[OpenSIPS-Users] Register attack!

Hung Nguyen hungbk546 at gmail.com
Wed Nov 3 03:56:53 CET 2010


Thanks for the reply,
It's OK. The best solution.

Best regards

On 11/3/10, Flavio Goncalves <flavio at asteriskguide.com> wrote:
> Hi,
>
> Register attacks are now an epidemic. In most cases they are using the
> friendly-scanner (svcrack.py) from sipvicious.org. One easy way to
> block is to check the user agent for the words "friendly-scanner" and
> drop the packets (an attacker could easily change the user agent, but
> most of them are just script kiddies). There is a good tutorial in the
> opensips website on how to use fail2ban to block the IP address of the
> offenders (I think this is the best long term solution).
>
> http://www.opensips.org/Resources/DocsTutFail2ban (posted in sept/2010
> by the user named aseques)
>
> In some cases, when the attacker uses an old version of svcrack.py it
> floods your server. I have received four gigs of traffic in a single
> day from just one source. There is a small utility from sipvicious.org
> called svcrash.py capable of crashing the attacker by sending a malformed
> packet.
>
> I hope it helps; it has been a pain to handle these attacks every day.
> On a normal day we are receiving from 4 to 8 attacks from different
> sources.
>
> Best regards,
>
> --------------------------------------------------
> Flavio E. Goncalves
> CEO - V.Office
> Fone: +554830258590/+554884085000
> OpenSIPS Bootcamp (Frankfurt Sep 20-24)
>
> 2010/11/2 Hung Nguyen <hungbk546 at gmail.com>:
>> Hi everybody!
>>
>> I have a problem with an attacker, as follows:
>>
>>
>> attack                   registrar
>>
>> register  ------------->
>> register  ------------->
>> ...
>> register  ------------->
>>
>>
>> The attacker sends 200 registers/second, so the registrar server is in error. This
>> is the configuration for the register method:
>>
>> route[2] {
>>
>>  # ----------------------------------------------------------
>>  # REGISTER Message Handler
>>  # ----------------------------------------------------------
>>
>>  if (!search("^Contact:[ ]*\*") && nat_uac_test("7")) {
>>    setflag(6);
>>    fix_nated_register();
>>    fix_nated_contact();
>>    force_rport();
>>  };
>>
>>  if (!radius_www_authorize("abc.com")) {
>>    www_challenge("abc.com", "0");
>>    exit;
>>  };
>>  consume_credentials();
>>
>>  if (!save("location")) {
>>    sl_reply_error();
>>  };
>> }
>>
>> Please help me,
>>
>> Thanks.
>>
>> Hung
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>
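
An added example, not part of the thread or of OpenSIPS itself: the two checks discussed above (matching the "friendly-scanner" User-Agent, and catching a REGISTER flood from one source even when the User-Agent has been changed) run over constructed traffic to produce the list of sources to block. The threshold, the window, the sample IP addresses and the `ExamplePhone/1.0` agent are assumptions.

```python
import re
from collections import defaultdict, deque

SCANNER_UA = re.compile(r"friendly-scanner", re.I)  # string named in the thread
MAX_REGISTERS = 20     # assumed threshold: REGISTERs allowed per source ...
WINDOW_SECONDS = 1.0   # ... within this sliding window

def user_agent(sip_message: str) -> str:
    """Return the User-Agent header value of a SIP message ('' if absent)."""
    head = sip_message.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            return value.strip()
    return ""

def offenders(packets):
    """packets: (timestamp, source_ip, sip_message), time-ordered per source.
    Returns {source_ip: reason} for sources that should be blocked."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, msg in packets:
        if not msg.startswith("REGISTER "):
            continue
        if SCANNER_UA.search(user_agent(msg)):
            flagged.setdefault(ip, "scanner user agent")
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:   # drop timestamps outside the window
            window.popleft()
        if len(window) > MAX_REGISTERS:          # catches a renamed user agent too
            flagged.setdefault(ip, "register flood")
    return flagged

def register(ua, user="100"):
    """Build a constructed REGISTER request for the sample traffic below."""
    return (f"REGISTER sip:abc.com SIP/2.0\r\nTo: <sip:{user}@abc.com>\r\n"
            f"User-Agent: {ua}\r\nContent-Length: 0\r\n\r\n")

# Constructed sample: documentation-range IPs, made-up phone user agent.
SAMPLE = [(0.0, "192.0.2.10", register("friendly-scanner"))]
SAMPLE += [(i / 200, "198.51.100.7", register("ExamplePhone/1.0")) for i in range(200)]
SAMPLE += [(i * 60.0, "203.0.113.5", register("ExamplePhone/1.0")) for i in range(3)]

if __name__ == "__main__":
    for ip, reason in offenders(SAMPLE).items():
        print(ip, reason)
```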
