mosbah abdelkader
2010-Jul-22 10:33 UTC
[asterisk-users] My Switch is being attacked using sip scanner tool (Service Abuse Attack)
An attacker is scanning my Asterisk Switch to gain illegitimate access to VoIP call functionality.

Using a sip scanning tool, *it* sends REGISTERs with random identities. And when it discovers one identity subscribed in my switch, it tries to authenticate with random passwords using this user name.

For the moment, I have replaced this account. And also blocked the IP it has used but each time it tries to use another IP to scan again.

Following is a sample REGISTER request sent by it to my switch (I have hidden some info).

REGISTER sip:xx.xx.xx.xx SIP/2.0
*Via: SIP/2.0/UDP 127.0.1.1:5061;branch=xxxxxxxxx**-xxxxxxxxx**;rport*
Content-Length: 0
From: "xxxxxxxxx" <sip:xxxxxxxxx at xx.xx.xx.xx>
Accept: application/sdp
*User-Agent: friendly-scanner*
To: "xxxxxxxxx" <sip:xxxxxxxxx at xx.xx.xx.xx>
*Contact: sip:123 at 1.1.1.1 <sip%3A123 at 1.1.1.1>*
CSeq: 1 REGISTER
Call-ID: 4244603463
Max-Forwards: 70

Please help me resolve this problem.
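Added example, not part of the original post and not Asterisk or fail2ban code: a Python detector for the pattern described above (REGISTERs for many random identities from one source, then repeated attempts on one identity, with the friendly-scanner User-Agent), run over captured REGISTER requests. The function names, thresholds, addresses and sample traffic are assumptions constructed for this illustration, and real messages are assumed to carry "@" where the list archive shows " at ".

```python
import re
from collections import defaultdict

def make_register(user, agent="friendly-scanner", host="192.0.2.10"):
    # Constructed REGISTER shaped like the one in the post (hypothetical helper).
    return (f"REGISTER sip:{host} SIP/2.0\r\n"
            f'From: "{user}" <sip:{user}@{host}>\r\n'
            f"User-Agent: {agent}\r\nCSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n")

# Constructed sample: (source IP, raw request). Documentation addresses only.
SAMPLE = ([("198.51.100.7", make_register(str(u))) for u in range(100, 112)]  # many identities
          + [("198.51.100.9", make_register("105"))] * 15                     # one identity, many tries
          + [("203.0.113.20", make_register("201", "Desk Phone 1.0"))] * 2)   # ordinary phone

def parse_register(raw):
    """Return (from_user, user_agent) for a REGISTER request, else None."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    if not lines[0].startswith("REGISTER "):
        return None
    hdrs = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            hdrs[name.strip().lower()] = value.strip()
    m = re.search(r"<sip:([^@>;]+)@", hdrs.get("from", ""))
    return (m.group(1) if m else None, hdrs.get("user-agent", ""))

def classify(events, max_users=5, max_attempts=10, bad_agents=("friendly-scanner",)):
    """Map each suspicious source IP to the reasons it was flagged."""
    users, attempts, agents = defaultdict(set), defaultdict(int), defaultdict(set)
    for src, raw in events:
        parsed = parse_register(raw)
        if parsed is None:
            continue
        user, agent = parsed
        users[src].add(user)
        attempts[(src, user)] += 1
        agents[src].add(agent.lower())
    report = {}
    for src in users:
        reasons = []
        if len(users[src]) > max_users:            # REGISTERs for many different identities
            reasons.append("identity-sweep")
        if any(n > max_attempts for (s, _), n in attempts.items() if s == src):
            reasons.append("password-guessing")    # repeated tries on one identity
        if agents[src] & set(bad_agents):          # tool left its default User-Agent
            reasons.append("scanner-user-agent")
        if reasons:
            report[src] = reasons
    return report
```

The User-Agent rule only catches a tool that leaves its default header in place; the two counting rules do not depend on it. In practice the counts should be taken over a fixed time window so that normal periodic re-registration is not flagged.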
Gareth Blades
2010-Jul-22 10:39 UTC
[asterisk-users] My Switch is being attacked using sip scanner tool (Service Abuse Attack)
Have a look at fail2ban

mosbah abdelkader wrote:
> An attacker is scanning my Asterisk Switch to gain illegitimate access
> to VoIP call functionality.
>
> Using a sip scanning tool, *it* sends REGISTERs with random identities.
> And when it discovers one identity subscribed in my switch, it tries to
> authenticate with random passwords using this user name.
>
> For the moment, I have replaced this account. And also blocked the IP it
> has used but each time it tries to use another IP to scan again.
>
> Following is a sample REGISTER request sent by it to my switch (I have
> hidden some info).
>
> REGISTER sip:xx.xx.xx.xx SIP/2.0
> *Via: SIP/2.0/UDP 127.0.1.1:5061;branch=xxxxxxxxx**-xxxxxxxxx**;rport*
> Content-Length: 0
> From: "xxxxxxxxx" <sip:xxxxxxxxx at xx.xx.xx.xx>
> Accept: application/sdp
> *User-Agent: friendly-scanner*
> To: "xxxxxxxxx" <sip:xxxxxxxxx at xx.xx.xx.xx>
> *Contact: sip:123 at 1.1.1.1 <mailto:sip%3A123 at 1.1.1.1>*
> CSeq: 1 REGISTER
> Call-ID: 4244603463
> Max-Forwards: 70
>
> Please help me resolve this problem.
Gordon Henderson
2010-Jul-22 10:43 UTC
[asterisk-users] My Switch is being attacked using sip scanner tool (Service Abuse Attack)
On Thu, 22 Jul 2010, mosbah abdelkader wrote:
> An attacker is scanning my Asterisk Switch to gain illegitimate access to
> VoIP call functionality.

> Please help me resolve this problem.

Read The Fine Archives.

And more importantly, if you have not updated your sip.conf file to add in:

  alwaysauthreject=yes

then why not?

Gordon
Stefan Schmidt
2010-Jul-22 11:06 UTC
[asterisk-users] My Switch is being attacked using sip scanner tool (Service Abuse Attack)
Hello,

Looks like sipvicious. There is already a new version to break such attacks using sipvicious.

http://blog.sipvicious.org/

best regards.

steve smith

mosbah abdelkader wrote:
> An attacker is scanning my Asterisk Switch to gain illegitimate access
> to VoIP call functionality.
>
> Using a sip scanning tool, *it* sends REGISTERs with random
> identities. And when it discovers one identity subscribed in my
> switch, it tries to authenticate with random passwords using this user
> name.
>
> For the moment, I have replaced this account. And also blocked the IP
> it has used but each time it tries to use another IP to scan again.
>
> Following is a sample REGISTER request sent by it to my switch (I have
> hidden some info).
>
> REGISTER sip:xx.xx.xx.xx SIP/2.0
> *Via: SIP/2.0/UDP 127.0.1.1:5061;branch=xxxxxxxxx**-xxxxxxxxx**;rport*
> Content-Length: 0
> From: "xxxxxxxxx" <sip:xxxxxxxxx at xx.xx.xx.xx>
> Accept: application/sdp
> *User-Agent: friendly-scanner*
> To: "xxxxxxxxx" <sip:xxxxxxxxx at xx.xx.xx.xx>
> *Contact: sip:123 at 1.1.1.1 <mailto:sip%3A123 at 1.1.1.1>*
> CSeq: 1 REGISTER
> Call-ID: 4244603463
> Max-Forwards: 70
>
> Please help me resolve this problem.

--
For further questions we are available at voip at sil.at or 059944 - 2440.
Kind regards
--
Stefan Schmidt
Sysadmin/VOIP // voip at sil.at // Tel 059944-2440 //
-------------------------------------------------
SILVER SERVER GmbH // Lorenz-Mandl-Gasse 33/1 // A-1160 Wien // Fax 059944-9000 // www.sil.at //
-------------------------------------------------