Hi All.

Someone is attacking my SIP server. There are a lot of requests coming in and I am not able to stop it because I am unable to detect the IP address. I used Wireshark to capture the packets.

Although I am using very strong passwords for my SIP users, is there still any way to drop these packets and stop this attack?

I tried dropping packets after matching some string (most of the packets from the attacker contain the string 'VaxSIPUserAgent/3.1'), but it failed. Packets are still flowing in.

    iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP

It's something like this:

    Registration from '"30" <sp:30 at my_public_ip:5060> failed for '192.168.xxx.xxx:6373' - Wrong Password

and there are approx. 10 requests per minute of this type.

Please suggest some way to stop this.

--
Anurag Rana
http://newbie42.blogspot.in/
On the trampoline of life's experiences, Striving towards a saintly life in the midst of these materialistic turbulences.
Hi,

Change the protocol from tcp to udp in iptables.

~Arun

On 27 Jun 2014 20:07, "Anurag Rana" <anuragrana31189 at gmail.com> wrote:
> [...]
> iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP
> [...]
On 27 Jun 2014, at 15:37, Anurag Rana <anuragrana31189 at gmail.com> wrote:
> There are a lot of requests coming in and I am not able to stop it because I am unable to detect the IP address.
> I used wireshark to capture the packets.

If you can capture the packet, surely you have the IP? If they intend to get the response then the IP header can't be forged.

Steve
Anurag,

Here is a small script that will check your logs and will block the IPs:

http://www.didforsale.com/blog/is-your-asterisk-system-under-heavy-attack

This is good if you don't expect any registrations. If you do have some valid registrations, you might want to add some counter to see how many times an IP needs to fail, or how many different users an IP is trying to register as, before blocking the IP.

Jai Rangi
www.didforslae.com

On Fri, Jun 27, 2014 at 7:37 AM, Anurag Rana <anuragrana31189 at gmail.com> wrote:
> Hi All.
>
> Someone is attacking my SIP server.
> [...]
> iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP
>
> It's something like this
>
> Registration from '"30" <sp:30 at my_public_ip:5060> failed for '192.168.xxx.xxx:6373' - Wrong Password
>
> and there are approx. 10 requests per minute of this type.
>
> Please suggest some way to stop this.

In my experience you need to do 2 things to fix your problem.

#1) Get the real IP address of the attacker.

First you will need to recompile Asterisk to enable the log that shows the IP of the attacker. It apparently is only set for debug, so you need to edit chan_sip.c.

In chan_sip.c:

    if (!peer) {
        if (debug)                                       *** <--- delete this line
            ast_verbose("No matching peer for '%s' from '%s'\n", of, ast_sockaddr_stringify(&p->recv));
    }                                                    *** <--- delete this line

This will enable logs like:

    VERBOSE[24693] chan_sip.c: No matching peer for '1000' from '104.14.190.14:5080

#2) Now that you have the IP of the attacker, just use fail2ban to block him automatically.

Make sure you test out your rules. For example, the above log is detected with this fail2ban rule:

    VERBOSE%(__pid_re)s [^:]+: No matching peer for '[^']*' from '<HOST>(:[0-9]+)?'$

--
Technical Support
http://www.cellroute.net
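As an added example (written here for illustration; it is not code from any poster, nor the didforsale or cellroute scripts): a Python script that runs the detection the last two replies describe over constructed Asterisk log lines. It rewrites the fail2ban rule's <HOST> token as a named group so plain `re` can use it, applies a maxretry/findtime window the way fail2ban does, adds the per-IP distinct-username counter Jai suggested so one legitimate user with a mistyped password is not banned, and emits iptables DROP rules for both udp and tcp, which is Arun's point about the tcp-only rule. Assumptions: the log lines carry Asterisk's full-log "[YYYY-MM-DD HH:MM:SS]" timestamp prefix, the function names (parse_failure, find_offenders, ban_commands) are mine, and the sample addresses are RFC 5737 documentation addresses, not real hosts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Asterisk "full" log lines start with a bracketed timestamp (assumed format);
# the rest follows the two message shapes quoted in the thread. The fail2ban
# rule's <HOST> token is written as a named group here.
_TS = r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
FAILURE_PATTERNS = [
    # VERBOSE[24693] chan_sip.c: No matching peer for '1000' from '203.0.113.7:5080'
    re.compile(_TS + r"VERBOSE\[\d+\] chan_sip\.c: No matching peer for "
               r"'(?P<user>[^']*)' from '(?P<host>[0-9.]+)(?::[0-9]+)?'$"),
    # NOTICE[1234] chan_sip.c: Registration from '"30" <sip:30@x:5060>' failed for '203.0.113.7:6373' - Wrong password
    re.compile(_TS + r"NOTICE\[\d+\] chan_sip\.c: Registration from "
               r"'(?P<user>[^']*)' failed for '(?P<host>[0-9.]+)(?::[0-9]+)?' - Wrong [Pp]assword$"),
]


def parse_failure(line):
    """Return (timestamp, host, user) for an auth-failure line, else None."""
    for pattern in FAILURE_PATTERNS:
        m = pattern.match(line.rstrip("\n"))
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            return ts, m.group("host"), m.group("user")
    return None


def find_offenders(lines, maxretry=5, findtime=600, min_users=1):
    """fail2ban-style maxretry/findtime logic plus a distinct-username counter.

    An IP is reported once it has >= maxretry failures inside a sliding
    findtime-second window AND has tried >= min_users distinct usernames.
    Lines are expected in chronological order, as Asterisk writes them.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> failure timestamps inside the window
    users = defaultdict(set)      # host -> usernames attempted from that host
    offenders = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue              # not an authentication failure; ignore it
        ts, host, user = parsed
        users[host].add(user)
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # expire events older than findtime
            q.popleft()
        if len(q) >= maxretry and len(users[host]) >= min_users:
            offenders[host] = {"failures": len(q), "users": sorted(users[host])}
    return offenders


def ban_commands(host):
    """iptables rules as strings (not executed here). SIP normally runs over
    UDP, so a tcp-only rule misses the traffic; block both protocols."""
    return [f"iptables -I INPUT 1 -p {proto} --dport 5060 -s {host} -j DROP"
            for proto in ("udp", "tcp")]


# Constructed sample log lines (documentation addresses, not real hosts):
# one host walks through usernames 1000-1004, one legitimate-looking host
# fails a single password twice, twenty minutes apart, and one line is noise.
SAMPLE_LOG = """\
[2014-06-27 14:00:01] VERBOSE[24693] chan_sip.c: No matching peer for '1000' from '198.51.100.9:5080'
[2014-06-27 14:00:03] VERBOSE[24693] chan_sip.c: No matching peer for '1001' from '198.51.100.9:5080'
[2014-06-27 14:00:05] NOTICE[24693] chan_sip.c: Registration from '"30" <sip:30@203.0.113.5:5060>' failed for '192.0.2.44:6373' - Wrong password
[2014-06-27 14:00:09] VERBOSE[24693] chan_sip.c: No matching peer for '1002' from '198.51.100.9:5080'
[2014-06-27 14:00:15] VERBOSE[24693] chan_sip.c: Registering SIP peer '30'
[2014-06-27 14:00:20] VERBOSE[24693] chan_sip.c: No matching peer for '1003' from '198.51.100.9:5080'
[2014-06-27 14:00:31] VERBOSE[24693] chan_sip.c: No matching peer for '1004' from '198.51.100.9:5080'
[2014-06-27 14:20:00] NOTICE[24693] chan_sip.c: Registration from '"30" <sip:30@203.0.113.5:5060>' failed for '192.0.2.44:6373' - Wrong password
""".splitlines()

if __name__ == "__main__":
    for host, info in find_offenders(SAMPLE_LOG).items():
        print(host, info)
        for cmd in ban_commands(host):
            print("   ", cmd)
```

Run against the constructed log, only 198.51.100.9 is reported with the default maxretry=5/findtime=600; 192.0.2.44 only shows up if findtime is widened to an hour and min_users is left at 1, which is exactly the counter Jai suggested tuning before a box with real registrations starts banning its own users.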