[OpenSIPS-Users] attack from friendly-scanner

Engineer voip forvoip4 at gmail.com
Tue Oct 9 11:27:52 CEST 2012


Hi All,
Thank you for your reply. Now I want to simulate an attacker to test whether my
fail2ban and pike module setup works well.
Does someone have an idea how to do that?

2012/10/9 SamyGo <govoiper at gmail.com>

> Hi,
>
> Very nice suggestions by Brett. I remember there are regular threads like
> these on the mailing lists and people share a lot of experiences. AFAIR
> there was some service which contained the IP addresses of known attackers,
> available for users. OP needs to do some searching in this regard to
> collect more ideas.
>
> * Nothing is CPU-cycle free *
>
> I'm not sure about SIPVicious, but if I were to detect and hack a SIP
> server I'd first start by sending OPTIONS to its ports. Mostly that's where
> things kick off. Changing the User-Agent field is nothing big, so the question
> is how do you know a hacker is about to get angry!!
>
> I'd say it needs a repository populated over time and a well-crafted shell
> script to maintain the list of hacker IPs captured in the past and use it
> across all the servers or devices. Let me explain the idea.
>
> *i)* - Take fail2ban for example, or the pike module, or the iptables rate
> limit mechanism, to initially detect a new-born hacker trying to access your
> SIP server (yes, it will take a few minutes to finally conclude that a particular
> source IP is a hacker) - store that IP in your hacker listing.
> *ii)* - For any incoming packet, look up the hacker listing to detect
> whether it is a known hacker or not.
> *iii)* - Use an intelligent script to share the detected hacker IPs
> across all the other SIP servers and router devices/firewalls to block the
> traffic at the network layer.
>
> *Critical Exceptions:*
> Always ensure that the IP which is going to get blocked across the whole
> network perimeter is not your own server or within the same subnet as
> yours. It shouldn't be localhost either. (Hint: IP spoofing)
>
> *Focus on Security rather than Friendly-scanner:*
>
> One needs to secure each and everything when it comes to security; just one
> layer of security, i.e. fail2ban or iptables or the pike module, is never enough.
> Like Brett said, you can drop packets once you have detected a "very friendly
> scanner", but how about a customer who wants to toy with your service! How
> about a massive DoS attack!! drop() alone won't help. iptables needs to be
> there to stop the packets from even reaching the SIP server app; then again,
> why should the server's NIC be choked up by that massive DoS! Your
> firewall or networking device should stop the packets from entering the
> network!
>
> This is still not enough: how about a different, unique new tool which sends
> malicious or malformed SIP packets to crash the server!! It's just one
> packet, but malformed -- all the above measures WILL fail!! Obviously one needs
> to go one step further and use Snort or any IDS+IPS to verify that
> the packet going through the network is not malformed.
>
> That's pretty much it for now. There are things which I've forgotten to
> write at the moment, or might not even know, which I expect someone else may
> like to add.
>
> Network and data security is a huge field, and VoIP security alone has
> hundreds of books on the topic.
>
> *Interesting threads to read:*
>
> http://lists.opensips.org/pipermail/users/2010-November/015243.html
> http://lists.opensips.org/pipermail/users/2011-June/018271.html
> Read http://blog.sipvicious.org/ to know more about the tool we all face
> every once in a while.
> Fail2ban for OpenSIPS :: http://www.opensips.org/Resources/DocsTutFail2ban
>
>
> --
> Best Regards
> Sammy
>
>
> On Mon, Oct 8, 2012 at 6:31 PM, Brett Nemeroff <brett at nemeroff.com> wrote:
>
>> First of all,
>> This is an attack from sipvicious. It is an *attack*. It will be very
>> high rate (cps) and you do *not* want to use anything that consumes
>> resources to attempt to block it.
>>
>> First recommendation is to use iptables. In addition, you *should* put a
>> check in your config for friendly-scanner and drop() the packet. Do not
>> reply with a sip code. You want to be invisible to the attacker. If you
>> reply with a sip code, they'll just scan you attempting to find a request
>> combination that will return a usable result.
>>
>> 1. Do whatever you can to not use CPU resources to block this
>> 2. Don't look like a SIP server to source IPs you do not recognize
>>
>> I guarantee, if you look like a SIP server, you will get brutally
>> attacked from unsolicited sources.
>>
>> Read up on the fail2ban docs for Asterisk. They have some good ideas in
>> there on how to perform intrusion detection and how to automatically add
>> offending traffic to fail2ban. You can do something similar in OpenSIPS.
>>
>> I would be very curious to hear about other people's experiences using
>> the Pike module to block this type of traffic. For what it's worth, I've
>> seen attack traffic high enough in bandwidth to saturate a pretty beefy
>> internet connection and I've even seen it crash routers. If you can avoid
>> them finding you in the first place, that would be a much better option.
>>  -Brett
>>
>>
>> On Mon, Oct 8, 2012 at 7:53 AM, Engineer voip <forvoip4 at gmail.com> wrote:
>>
>>> Hi,
>>> I'm trying to use the pike module and I'm using the script above, but when I
>>> execute this command, "opensipsctl fifo pike_list",
>>> I don't get any blocked address.
>>> My opensips config is:
>>>
>>> loadmodule "pike.so"
>>> modparam("pike", "sampling_time_unit", 10)    # seconds per counting window
>>> modparam("pike", "reqs_density_per_unit", 30) # requests per window before an IP is flagged
>>> modparam("pike", "remove_latency", 120)       # seconds a flagged IP stays blocked
>>> modparam("pike", "check_route","pike") # enable automatic checking
>>> modparam("pike", "pike_log_level",1)
>>>
>>> # executed by pike for a request whose source IP has been detected as flooding
>>> route[pike]
>>> {
>>>  # Trusted IPs are never dropped; everything else is
>>>  if (src_ip==x.x.x.x || src_ip==gw_ip) {
>>>   xlog("L_INFO", "in pike route: trusted source $si, not dropping\n");
>>>   exit;
>>>  }
>>>  xlog("L_INFO", "in pike route: dropping flood from $si\n");
>>>  drop();
>>> }
>>>
>>> Do you have an idea how to resolve that, please?
>>>
>>> 2012/10/8 SamyGo <govoiper at gmail.com>
>>>
>>>> Hi,
>>>> Relax, it says it's friendly!!
>>>>
>>>> But still, if you want to block it you have many options, e.g. at the
>>>> start of opensips.cfg put a condition $ua =~ "friendly-scanner". If matched,
>>>> return some error statelessly.
>>>> Another option is to use the pike module.
>>>> Another option is to use fail2ban on the OpenSIPS logs.
>>>> More sophisticated options involve firewalls with IPS and IDS modules.
>>>>
>>>> I hope it was helpful.
>>>>
>>>> BR
>>>> Sammy
>>>>  On Oct 8, 2012 2:33 PM, "Engineer voip" <forvoip4 at gmail.com> wrote:
>>>>
>>>>> Hi All,
>>>>> I received several registration packets from a "friendly-scanner" on my OpenSIPS server.
>>>>> How can I block that, please??
>>>>>
>>>>> --
>>>>>
>>>>> Best Regards.
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.opensips.org
>>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> Best Regards.
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>


-- 

Best Regards.
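The question at the top of this thread (how to simulate an attacker to see whether pike and fail2ban react) can be answered with a small generator that behaves like SIPVicious: a burst of REGISTER requests for consecutive extensions, all carrying the "friendly-scanner" User-Agent. The script below is an added example, not code from OpenSIPS, SIPVicious or anyone in the thread. The source address in the Via header (192.0.2.10), the extension range and the loopback self-test are assumptions for the exercise; point send_burst() only at a lab server you control. With the pike settings quoted in the thread (30 requests per 10 second unit), 35 requests inside a fraction of a second is enough to get the source listed.

```python
"""Generate a SIPVicious-style REGISTER burst to exercise pike / fail2ban.

Added example for this thread; not part of OpenSIPS or SIPVicious.
Run it only against a test server you own.  Source host in Via, the
extension range and the loopback self-test are assumptions.
"""
import random
import socket
import string
import time

USER_AGENT = "friendly-scanner"   # the User-Agent string SIPVicious sends


def _branch():
    # RFC 3261 magic cookie followed by a random tag, unique per request
    return "z9hG4bK" + "".join(random.choices(string.ascii_lowercase + string.digits, k=16))


def build_register(target_host, target_port, user, cseq,
                   src_host="192.0.2.10", src_port=5060):
    """Build one REGISTER the way an account-enumeration scanner does.

    src_host is an RFC 5737 documentation address (assumption); with
    ';rport' the server would answer to the real source port anyway.
    """
    lines = [
        f"REGISTER sip:{target_host} SIP/2.0",
        f"Via: SIP/2.0/UDP {src_host}:{src_port};branch={_branch()};rport",
        "Max-Forwards: 70",
        f'From: "{user}" <sip:{user}@{target_host}>;tag={random.randint(10**8, 10**9)}',
        f'To: "{user}" <sip:{user}@{target_host}>',
        f"Call-ID: {random.getrandbits(64):016x}@{src_host}",
        f"CSeq: {cseq} REGISTER",
        f"Contact: <sip:{user}@{src_host}:{src_port}>",
        "Expires: 3600",
        f"User-Agent: {USER_AGENT}",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def send_burst(target, count, rate_per_sec):
    """Send `count` REGISTERs to (host, port) at `rate_per_sec`; returns the number sent."""
    host, port = target
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    interval = 1.0 / rate_per_sec
    sent = 0
    try:
        for i in range(count):
            user = str(1000 + i)        # scanners walk numeric extensions
            sock.sendto(build_register(host, port, user, cseq=i + 1), (host, port))
            sent += 1
            time.sleep(interval)
    finally:
        sock.close()
    return sent


def loopback_selftest(count=35, rate_per_sec=200.0):
    """Fire the burst at a throw-away UDP listener on 127.0.0.1.

    Returns the raw datagrams that arrived, so the builder and the sender
    can be checked without any SIP server involved.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    listener.settimeout(2.0)
    received = []
    try:
        send_burst(listener.getsockname(), count, rate_per_sec)
        while len(received) < count:
            received.append(listener.recv(4096))
    except socket.timeout:
        pass
    finally:
        listener.close()
    return received


if __name__ == "__main__":
    print(len(loopback_selftest()), "datagrams delivered on loopback")
```

To test a real setup, replace the loopback target with the lab proxy's address and watch `opensipsctl fifo pike_list` and the fail2ban log while the burst runs; a rate well above reqs_density_per_unit per sampling_time_unit is what should produce an entry, a slow trickle should not.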
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20121009/e30f7ad3/attachment.htm>
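The detection side of the thread (Brett's "automatically add offending traffic to fail2ban", Sammy's per-IP listing with the "Critical Exceptions" whitelist and the rules pushed to every firewall) can be shown end to end on a handful of log lines. The example below is added here and is not code from OpenSIPS, pike or fail2ban. It assumes a log line of the form an xlog() such as `xlog("L_INFO", "SIPREQ ua=$ua ip=$si m=$rm\n")` would write to syslog, counts requests per source over a sliding window with the same numbers as the pike settings in the thread (30 per 10 s; the counting is a simplified model, not pike's algorithm), never bans loopback or the assumed own-subnet 198.51.100.0/24, and renders the iptables rules to distribute. All log lines and addresses are constructed from RFC 5737 test ranges.

```python
"""Sliding-window flood detection over OpenSIPS log lines with a whitelist.

Added example; not part of OpenSIPS, pike or fail2ban.  Log format,
thresholds and the own-subnet whitelist are assumptions, the sample log
is constructed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# assumed syslog line produced by xlog("L_INFO", "SIPREQ ua=$ua ip=$si m=$rm\n")
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S*opensips\[\d+\]: "
    r"SIPREQ ua=(?P<ua>.*?) ip=(?P<ip>[\d.]+) m=(?P<method>[A-Z]+)$"
)
WINDOW_SECONDS = 10      # mirrors pike sampling_time_unit from the thread
MAX_PER_WINDOW = 30      # mirrors pike reqs_density_per_unit from the thread

# Never block these, whatever the log says: a spoofed source address must not
# make us firewall our own servers, our subnet or localhost.
NEVER_BAN = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("198.51.100.0/24"),   # assumed: our own server subnet
]


def parse_line(line, year=2012):
    """Return (timestamp, ip, user_agent, method) or None for non-matching lines."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["ua"], m["method"]


def is_exempt(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NEVER_BAN)


def detect_floods(lines, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
    """Map each offending source IP to the time it first exceeded `limit`
    requests within `window` seconds.  Exempt sources are never listed."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, _ua, _method = rec
        if ip in flagged or is_exempt(ip):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop entries outside the window
            q.popleft()
        if len(q) > limit:
            flagged[ip] = ts
    return flagged


def iptables_rules(flagged):
    """Render the block rules to push to every SIP host and edge firewall."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP" for ip in sorted(flagged)]


def sample_log():
    """Constructed log (not real traffic): a scanner, a normal customer,
    one of our own hosts and localhost, plus an unrelated line."""
    base = datetime(2012, 10, 9, 11, 27, 52)

    def line(ts, ip, ua="friendly-scanner"):
        stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"   # syslog pads the day with a space
        return f"{stamp} sip01 /usr/sbin/opensips[2101]: SIPREQ ua={ua} ip={ip} m=REGISTER"

    lines = ["Oct  9 11:27:50 sip01 /usr/sbin/opensips[2101]: INFO:core:main: OpenSIPS started"]
    # 35 REGISTERs in 3.5 s from the scanner: crosses 30-per-10-s at the 31st
    lines += [line(base + timedelta(seconds=i / 10), "203.0.113.5") for i in range(35)]
    # a real customer retrying every 2 s: never crosses the limit
    lines += [line(base + timedelta(seconds=2 * i), "192.0.2.77", ua="Zoiper") for i in range(5)]
    # our own host and localhost flooding (spoofed or misconfigured): exempt
    lines += [line(base + timedelta(seconds=i / 20), "198.51.100.20") for i in range(40)]
    lines += [line(base + timedelta(seconds=i / 20), "127.0.0.1") for i in range(31)]
    return lines


if __name__ == "__main__":
    for rule in iptables_rules(detect_floods(sample_log())):
        print(rule)
```

The same LOG_RE, with `<HOST>` in place of the `ip` group, is what a fail2ban failregex for this xlog line would look like; the NEVER_BAN list corresponds to fail2ban's ignoreip and is the part this thread warns not to forget before rules are pushed network-wide.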