Hello all. I was recently the victim of a SIP flood attack. I'm wondering what is the best method to prevent such things in the future.

Many thanks
Greg
Make sure you have allowguest=no in your sip.conf (the default is yes), unless you really do want anonymous guests. Also it might pay to consider http://www.emergingthreats.net/index.php/rules-mainmenu-38.html

Alec Davis

> From: Greg Saunders
> Sent: Monday, 4 October 2010 9:20 a.m.
> To: asterisk-users at lists.digium.com
> Subject: [asterisk-users] SIP flood attack
>
> Hello all. I was recently the victim of a SIP flood attack. I'm wondering what is the best method to prevent such things in the future.
>
> Many thanks
> Greg
On Sun, Oct 03, 2010 at 02:19:35PM -0600, Greg Saunders wrote:
> Hello all. I was recently the victim of a SIP flood attack. I'm wondering
> what is the best method to prevent such things in the future.

In sip.conf:

    [general]
    alwaysauthreject = yes

The attacking program is probably svwar.py (part of SIPVicious). It will give up as soon as it realizes it can't tell the difference between attempting to register an invalid extension and a valid one (with an arbitrary password). It's the default in 1.8, but the option goes back at least to 1.4.

-- 
Barry
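The two sip.conf settings recommended above (allowguest=no from Alec's reply and alwaysauthreject=yes from Barry's), together with the deny/permit and password-policy points raised later in the thread, can be checked mechanically. The script below is an added example, not code from the list or from Asterisk. It assumes the usual sip.conf layout (section headers, key=value or key=>value lines, ';' comments, optional template markers like [name](!)); the two sample configs are constructed, and the 8-character secret rule is an assumption standing in for whatever policy you actually enforce.

```python
"""Audit an Asterisk sip.conf for the settings recommended in this thread.

Added example (not Asterisk's own code). It assumes the usual sip.conf layout:
[section] headers, key=value or key=>value lines, ';' comments, and optional
template markers such as [name](!) which are stripped. The sample configs
below are constructed for illustration.
"""
import re
from typing import Dict, List

SECTION_RE = re.compile(r"^\[([^\]]+)\]")


def parse_sip_conf(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {section: {key: [values]}}; repeated keys (deny/permit) accumulate in order."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).split("(")[0].strip()  # '[name](!)' -> 'name'
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.lstrip(">").strip()  # also accept the 'key => value' form
        sections[current].setdefault(key.strip().lower(), []).append(value)
    return sections


def audit_sip_conf(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    conf = parse_sip_conf(text)
    general = conf.get("general", {})
    # allowguest defaults to yes: anonymous callers land in the default context.
    if general.get("allowguest", ["yes"])[-1].lower() != "no":
        findings.append("general: allowguest is not 'no'")
    # alwaysauthreject=yes makes unknown and known users indistinguishable to a scanner.
    if general.get("alwaysauthreject", ["no"])[-1].lower() != "yes":
        findings.append("general: alwaysauthreject is not set to 'yes'")
    for name, sec in conf.items():
        if name == "general":
            continue
        # A dynamic peer with no permit list may register from any address.
        if sec.get("host", [""])[-1].lower() == "dynamic" and "permit" not in sec:
            findings.append(f"{name}: host=dynamic without deny/permit restriction")
        # Assumed password policy: at least 8 characters and not equal to the account name.
        if "secret" in sec:
            secret = sec["secret"][-1]
            if len(secret) < 8 or secret == name:
                findings.append(f"{name}: weak secret")
    return findings


# Constructed sample: the shipped defaults plus one peer with a trivial secret.
SAMPLE_WEAK = """\
[general]
context=default
allowguest=yes           ; default, left unchanged
; alwaysauthreject not set (pre-1.8 default is no)

[100]
type=friend
host=dynamic
secret=100
"""

# Constructed sample: the same peer with the thread's recommendations applied.
SAMPLE_HARDENED = """\
[general]
context=default
allowguest=no
alwaysauthreject=yes

[100]
type=friend
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.0.2.0/255.255.255.0
secret=Yc8vqP2tK9mL
"""

if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_sip_conf(cfg) or ["ok"])
```

Run it against a copy of the real file (read it into a string and pass it to audit_sip_conf) before and after editing; the weak sample yields four findings and the hardened one none.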
On 03/10/10 21:19, Greg Saunders wrote:
> Hello all. I was recently the victim of a SIP flood attack. I'm
> wondering what is the best method to prevent such things in the future.
> Many thanks
> Greg

Do one of the following:

- use deny & permit lines in sip.conf and/or iax.conf to restrict remote registrations to known IP address ranges only. Or use iptables rules to do something similar.
- use a log scanning tool such as fail2ban or ossec, which can react to multiple registration failures and block IP addresses in iptables
- enforce a strict password policy on all users on the system

I think simply relying on alwaysauthreject is very dangerous, as it's only a matter of time before the attackers catch on to this and carry on attacking regardless. Sure, there's less chance of them getting a correct username/secret combination, but in the meantime the register attempts are practically a DoS attack. Plus that setting further breaks the SIP RFC.

I also think that assuming the attackers will eventually get in one way or another is wise. So put in place appropriate measures to limit the damage they can do (daily spend limits with SIP providers, blocking international and/or premium rate numbers, etc.).

cheers,
Paul.
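Paul's second suggestion, a log scanner that reacts to repeated registration failures, amounts to a regex over the Asterisk log plus a per-source counter with a time window. The script below is an added example written to illustrate that, not fail2ban's, ossec's or Asterisk's own code. The sample log lines are constructed and modelled on the chan_sip NOTICE messages Asterisk of that era wrote to /var/log/asterisk/messages (both the 1.4/1.6 'failed for IP' and the 1.8 'failed for IP:port' forms); the threshold, window and iptables rule shape are assumptions, and the script only reports, it never runs the command.

```python
"""Flag source addresses that fail SIP registration repeatedly, fail2ban-style.

Added example; not fail2ban's or Asterisk's code. Sample lines are constructed
and modelled on chan_sip NOTICE messages; the thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Matches both 'failed for '1.2.3.4'' (1.4/1.6) and 'failed for '1.2.3.4:5060'' (1.8).
FAIL_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\].*?"
    r"Registration from '.*?' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)


def parse_failure(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, source ip, reason) for a failed-registration line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    # The log carries no year; strptime fills in 1900, which is fine for time deltas.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("reason")


def find_offenders(lines: List[str], max_fail: int = 5, window_seconds: int = 600) -> Dict[str, datetime]:
    """Return {ip: time of the failure that crossed the threshold} using a sliding window."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: Dict[str, datetime] = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue  # not a registration failure (or not a line we understand)
        ts, ip, _reason = hit
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # forget failures older than the window
        if len(q) >= max_fail and ip not in banned:
            banned[ip] = ts
    return banned


def ban_rule(ip: str, port: int = 5060) -> str:
    """Build a blocking rule of the kind Paul describes (assumed shape, not fail2ban's exact action)."""
    return f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"


# Constructed sample: one host walking extensions, one user mistyping a password.
SAMPLE_LOG = """\
[Oct  3 14:19:35] NOTICE[2104] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Oct  3 14:19:35] NOTICE[2104] chan_sip.c: Registration from '"101"<sip:101@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Oct  3 14:19:36] NOTICE[2104] chan_sip.c: Registration from '"102"<sip:102@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Oct  3 14:19:36] NOTICE[2104] chan_sip.c: Registration from '"103"<sip:103@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Oct  3 14:19:37] NOTICE[2104] chan_sip.c: Registration from '"104"<sip:104@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Oct  3 14:19:39] VERBOSE[2104] logger.c: -- Registered SIP '200' at 203.0.113.9 port 5060
[Oct  3 14:19:40] NOTICE[2104] chan_sip.c: Registration from '"200"<sip:200@192.0.2.10>' failed for '203.0.113.9:5060' - Wrong password
"""

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{when:%b %d %H:%M:%S} {ip} crossed the threshold -> {ban_rule(ip)}")
```

With the defaults, the scanning host crosses five failures inside the window and is reported; the single mistyped password from the legitimate user is not, which is the behaviour a fail2ban jail with a sensible maxretry gives you.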