sean darcy
2017-Dec-30 23:49 UTC
[asterisk-users] SIP invite timeouts : how is someone sending invites from our server ??
I've been getting a lot of timeouts on non-critical invite transactions. I turned on sip debug. They were the result of SIP invites like this:

Retransmitting #10 (NAT) to 185.107.94.10:13057:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p;received=185.107.94.10;rport=13057
From: <sip:a'or'3=3--@<myip-address>;transport=UDP>;tag=fptfih1e
To: <sip:00141225184741@<myip-address>;transport=UDP>;tag=as2913c67b
Call-ID: 5YpLDUSIs6l3xbDXsurYTu..
CSeq: 1 INVITE
Server: Asterisk PBX 13.19.0-rc1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk_home", nonce="14be1363"
Content-Length: 0

---
WARNING[1868]: chan_sip.c:4065 retrans_pkt: Retransmission timeout reached on transmission 5YpLDUSIs6l3xbDXsurYTu.. for seqno 1 (Non-critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
WARNING[1868]: chan_sip.c:4124 retrans_pkt: Timeout on 5YpLDUSIs6l3xbDXsurYTu.. on non-critical invite transaction.

Looking up the ip addresses:

whois 185.107.94.10
.............
inetnum:        185.107.94.0 - 185.107.94.255
netname:        NFORCE_ENTERTAINMENT
descr:          Serverhosting
..................
organisation:   ORG-NE3-RIPE
org-name:       NForce Entertainment B.V.
org-type:       LIR
address:        Postbus 1142
address:        4700BC
address:        Roosendaal
address:        NETHERLANDS
phone:          +31206919299
...................

whois 215.45.145.211
.................
NetRange:       215.0.0.0 - 215.255.255.255
CIDR:           215.0.0.0/8
NetName:        DNIC-NET-215
NetHandle:      NET-215-0-0-0-1
Parent:         ()
NetType:        Direct Assignment
OriginAS:
Organization:   DoD Network Information Center (DNIC)
RegDate:        1998-06-04
Updated:        2011-06-21
Ref:            https://whois.arin.net/rest/net/NET-215-0-0-0-1

OrgName:        DoD Network Information Center
OrgId:          DNIC
Address:        3990 E. Broad Street
City:           Columbus
StateProv:      OH

So how is someone on a Dutch ISP using my server to mess with a US DoD ip address?
Antony Stone
2017-Dec-31 01:10 UTC
[asterisk-users] SIP invite timeouts : how is someone sending invites from our server ??
On Sunday 31 December 2017 at 00:49:17, sean darcy wrote:

> I've been getting a lot of timeouts on non-critical invite transactions.

> So how is someone on a Dutch ISP using my server to mess with a US DoD
> ip address ?

What's your setting for "allowguest" (under [general]) in /etc/asterisk/sip.conf ?

What are your firewall rules for UDP 5060?

Antony.

--
Wanted: telepath. You know where to apply.

Please reply to the list; please *don't* CC me.
Dovid Bender
2017-Dec-31 01:18 UTC
[asterisk-users] SIP invite timeouts : how is someone sending invites from our server ??
Script kiddies trying to find vulnerable systems that they can make calls on. Lock down the box with iptables and use fail2ban to block them. The via is probably bogus unless a box at the DoD was compromised.

On Sat, Dec 30, 2017 at 6:49 PM, sean darcy <seandarcy2 at gmail.com> wrote:
> I've been getting a lot of timeouts on non-critical invite transactions. I
> turned on sip debug. They were the result of SIP invites like this:
>
> Retransmitting #10 (NAT) to 185.107.94.10:13057:
> SIP/2.0 401 Unauthorized
> Via: SIP/2.0/UDP 215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p;received=185.107.94.10;rport=13057
> From: <sip:a'or'3=3--@<myip-address>;transport=UDP>;tag=fptfih1e
> To: <sip:00141225184741@<myip-address>;transport=UDP>;tag=as2913c67b
> Call-ID: 5YpLDUSIs6l3xbDXsurYTu..
> CSeq: 1 INVITE
> Server: Asterisk PBX 13.19.0-rc1
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO,
> PUBLISH, MESSAGE
> Supported: replaces, timer
> WWW-Authenticate: Digest algorithm=MD5, realm="asterisk_home",
> nonce="14be1363"
> Content-Length: 0
>
> ---
> WARNING[1868]: chan_sip.c:4065 retrans_pkt: Retransmission timeout
> reached on transmission 5YpLDUSIs6l3xbDXsurYTu.. for seqno 1 (Non-critical
> Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
> Packet timed out after 32000ms with no response
> WARNING[1868]: chan_sip.c:4124 retrans_pkt: Timeout on
> 5YpLDUSIs6l3xbDXsurYTu.. on non-critical invite transaction.
>
> Looking up the ip addresses:
>
> whois 185.107.94.10
> .............
> inetnum:        185.107.94.0 - 185.107.94.255
> netname:        NFORCE_ENTERTAINMENT
> descr:          Serverhosting
> ..................
> organisation:   ORG-NE3-RIPE
> org-name:       NForce Entertainment B.V.
> org-type:       LIR
> address:        Postbus 1142
> address:        4700BC
> address:        Roosendaal
> address:        NETHERLANDS
> phone:          +31206919299
> ...................
>
> whois 215.45.145.211
> .................
> NetRange:       215.0.0.0 - 215.255.255.255
> CIDR:           215.0.0.0/8
> NetName:        DNIC-NET-215
> NetHandle:      NET-215-0-0-0-1
> Parent:         ()
> NetType:        Direct Assignment
> OriginAS:
> Organization:   DoD Network Information Center (DNIC)
> RegDate:        1998-06-04
> Updated:        2011-06-21
> Ref:            https://whois.arin.net/rest/net/NET-215-0-0-0-1
>
> OrgName:        DoD Network Information Center
> OrgId:          DNIC
> Address:        3990 E. Broad Street
> City:           Columbus
> StateProv:      OH
>
> So how is someone on a Dutch ISP using my server to mess with a US DoD ip
> address ?
sean darcy
2018-Jan-02 22:23 UTC
[asterisk-users] SIP invite timeouts : how is someone sending invites from our server ??
On 12/30/2017 08:10 PM, Antony Stone wrote:
> On Sunday 31 December 2017 at 00:49:17, sean darcy wrote:
>
>> I've been getting a lot of timeouts on non-critical invite transactions.
>
>> So how is someone on a Dutch ISP using my server to mess with a US DoD
>> ip address ?
>
> What's your setting for "allowguest" (under [general]) in
> /etc/asterisk/sip.conf ?
>
> What are your firewall rules for UDP 5060?
>
> Antony.
>

allowguest=no
alwaysauthreject = yes

The only firewall rules for UDP 5060 forward the packets to asterisk.

sean
sean darcy
2018-Jan-02 22:30 UTC
[asterisk-users] SIP invite timeouts : how is someone sending invites from our server ??
On 12/30/2017 08:18 PM, Dovid Bender wrote:
> Script kiddies trying to find vulnerable systems that they can make
> calls on. Lock down the box with iptables and use fail2ban to block
> them. The via is probably bogus unless a box at the DoD was compromised.
>
> On Sat, Dec 30, 2017 at 6:49 PM, sean darcy <seandarcy2 at gmail.com> wrote:
>
>     I've been getting a lot of timeouts on non-critical invite
>     transactions. I turned on sip debug. They were the result of SIP
>     invites like this:
>
>     Retransmitting #10 (NAT) to 185.107.94.10:13057:
>     SIP/2.0 401 Unauthorized
>     Via: SIP/2.0/UDP 215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p;received=185.107.94.10;rport=13057
>     From: <sip:a'or'3=3--@<myip-address>;transport=UDP>;tag=fptfih1e
>     To: <sip:00141225184741@<myip-address>;transport=UDP>;tag=as2913c67b
>     Call-ID: 5YpLDUSIs6l3xbDXsurYTu..
>     CSeq: 1 INVITE
>     Server: Asterisk PBX 13.19.0-rc1
>     Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY,
>     INFO, PUBLISH, MESSAGE
>     Supported: replaces, timer
>     WWW-Authenticate: Digest algorithm=MD5, realm="asterisk_home",
>     nonce="14be1363"
>     Content-Length: 0
>
>     ---
>     WARNING[1868]: chan_sip.c:4065 retrans_pkt: Retransmission timeout
>     reached on transmission 5YpLDUSIs6l3xbDXsurYTu.. for seqno 1
>     (Non-critical Response) -- See
>     https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
>     Packet timed out after 32000ms with no response
>     WARNING[1868]: chan_sip.c:4124 retrans_pkt: Timeout on
>     5YpLDUSIs6l3xbDXsurYTu.. on non-critical invite transaction.
>
>     Looking up the ip addresses:
>
>     whois 185.107.94.10
>     .............
>     inetnum:        185.107.94.0 - 185.107.94.255
>     netname:        NFORCE_ENTERTAINMENT
>     descr:          Serverhosting
>     ..................
>     organisation:   ORG-NE3-RIPE
>     org-name:       NForce Entertainment B.V.
>     org-type:       LIR
>     address:        Postbus 1142
>     address:        4700BC
>     address:        Roosendaal
>     address:        NETHERLANDS
>     phone:          +31206919299
>     ...................
>
>     whois 215.45.145.211
>     .................
>     NetRange:       215.0.0.0 - 215.255.255.255
>     CIDR:           215.0.0.0/8
>     NetName:        DNIC-NET-215
>     NetHandle:      NET-215-0-0-0-1
>     Parent:         ()
>     NetType:        Direct Assignment
>     OriginAS:
>     Organization:   DoD Network Information Center (DNIC)
>     RegDate:        1998-06-04
>     Updated:        2011-06-21
>     Ref:            https://whois.arin.net/rest/net/NET-215-0-0-0-1
>
>     OrgName:        DoD Network Information Center
>     OrgId:          DNIC
>     Address:        3990 E. Broad Street
>     City:           Columbus
>     StateProv:      OH
>
>     So how is someone on a Dutch ISP using my server to mess with a US
>     DoD ip address ?
>

I don't see how fail2ban would help. asterisk isn't rejecting anything. There's no attempt with username/password.

How could I use iptables to "lock it down"? We get sip calls from all over. Is there something about the incoming packet we could use? For instance, any packet containing a VIA instruction? For that matter, can SIP be configured to drop any VIA request?

sean
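The address Asterisk actually sends the 401 to (the UDP source, also echoed as received= in the Via) is the real peer; the Via sent-by host is whatever the sender typed, which is why the DoD address appears. Added example, not from this thread or from Asterisk: a Python parser over a constructed sip debug excerpt modelled on the lines quoted above (pbx.example is a placeholder, the second block is a made-up benign peer), which separates the two and picks the real source addresses worth handing to a firewall rule.

```python
import re
from collections import defaultdict
# Constructed sample of Asterisk "sip debug" output, modelled on the 401 retransmission quoted
# in this thread; pbx.example is a placeholder and the second block is a constructed benign peer.
SAMPLE_DEBUG = """\
Retransmitting #10 (NAT) to 185.107.94.10:13057:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p;received=185.107.94.10;rport=13057
From: <sip:a'or'3=3--@pbx.example;transport=UDP>;tag=fptfih1e
To: <sip:00141225184741@pbx.example;transport=UDP>;tag=as2913c67b
Call-ID: 5YpLDUSIs6l3xbDXsurYTu..
Retransmitting #2 (NAT) to 203.0.113.7:5060:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-1234;received=203.0.113.7;rport=5060
From: <sip:alice@pbx.example>;tag=a1
Call-ID: constructed-benign-call
"""
RETRANS_RE = re.compile(r"^Retransmitting #(\d+) \(NAT\) to ([\d.]+):\d+:", re.M)
VIA_RE = re.compile(r"^Via: SIP/2\.0/\w+ ([^;:\s]+)(?::\d+)?(?:;.*?received=([\d.]+))?", re.M)
FROM_RE = re.compile(r"^From: .*?<sip:([^@>]*)@", re.M)
SAFE_USER_RE = re.compile(r"^[A-Za-z0-9._+\-]*$")

def analyze(debug_text):
    """One record per retransmitted response found in the sip debug text."""
    records = []
    starts = list(RETRANS_RE.finditer(debug_text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(debug_text)
        block = debug_text[m.end():end]
        via, frm = VIA_RE.search(block), FROM_RE.search(block)
        via_host, received = (via.group(1), via.group(2)) if via else (None, None)
        user = frm.group(1) if frm else ""
        records.append({
            "attempt": int(m.group(1)),
            "dest_ip": m.group(2),  # where the UDP reply really goes: the actual peer
            "via_host": via_host,   # what the sender wrote in Via: attacker-controlled
            "via_spoofed": bool(received) and via_host != received,
            "from_user": user,
            "from_suspicious": SAFE_USER_RE.match(user) is None,
        })
    return records

def block_candidates(records, min_attempts=5):
    """Real source IPs (never Via hosts) whose 401s went unanswered past min_attempts with a forged Via or junk From."""
    worst = defaultdict(int)
    for r in records:
        if r["via_spoofed"] or r["from_suspicious"]:
            worst[r["dest_ip"]] = max(worst[r["dest_ip"]], r["attempt"])
    return sorted(ip for ip, n in worst.items() if n >= min_attempts)
```

Because the sender never answers the 401 challenge, the stock fail2ban asterisk filter has nothing to match; keying on the destination of the retransmitted response, as above, is what gives a usable source address.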