asterisk users - May 2011 - SIP Register DOS attack

Hi List
Recently i have noticed this attack on couple of servers,
usually a foreign IP starts sending tons of register request without any
answer to authentication,
if you type sip show channels in cli you will see tons of these:
1.2.3.4      (None)      2389603298   00101/00001  0x0 (nothing)    No
Rx: REGISTER

since there is no authentication in place, asterisk does not see any failed
register attempt, so there wont be anything added to log file as failed
attempt.
thus fail2ban wont see any activity and wont block the IP.
it simply brings down the internet link and the box due to too many sip
channels.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20110531/df967d15/attachment.htm>

On 11-05-31 06:24 PM, Al lists wrote:
> Hi List
> Recently i have noticed this attack on couple of servers,
> usually a foreign IP starts sending tons of register request without any
> answer to authentication,
> if you type sip show channels in cli you will see tons of these:
> 1.2.3.4      (None)      2389603298   00101/00001  0x0 (nothing)    No
> Rx: REGISTER
>
> since there is no authentication in place, asterisk does not see any failed
> register attempt, so there wont be anything added to log file as failed
> attempt.
> thus fail2ban wont see any activity and wont block the IP.
> it simply brings down the internet link and the box due to too many sip
> channels.
>
Do you have:

sip.conf
[general]
allowguest=no

-- 
Paul Belanger
Digium, Inc. | Software Developer
twitter: pabelanger | IRC: pabelanger (Freenode)
Check us out at: http://digium.com & http://asterisk.org