Hi all,

Lately, I've seen an increase in the number of attacks against my system from the so-called "Friendly Scanner." When one of these script kiddies targets my server, all I see for symptoms is a few of my trunks become lagged due to server load and a stream of messages on the console that resemble this:

[Aug 2 20:27:50] == Using SIP VIDEO CoS mark 6
[Aug 2 20:27:50] == Using SIP RTP TOS bits 24
[Aug 2 20:27:50] == Using SIP RTP CoS mark 5
[Aug 2 20:32:47] == Using SIP VIDEO TOS bits 24
[Aug 2 20:32:47] == Using SIP VIDEO CoS mark 6
[Aug 2 20:32:47] == Using SIP RTP TOS bits 24
[Aug 2 20:32:47] == Using SIP RTP CoS mark 5
[Aug 2 20:34:26] == Using SIP VIDEO TOS bits 24
[Aug 2 20:34:26] == Using SIP VIDEO CoS mark 6

I have to turn on sip debugging to find out who's hitting me. However, I can't just leave it on because it would kill my logging system.

So, how are other people handling this? Is there an AMI event I want to watch for? I watch for PeerStatus, but since there's no actual peer in the attack, I don't seem to get an event from AMI.

Any ideas?

Mike Diehl.
On Tue, Aug 15, 2017 at 2:37 PM, mdiehl <mdiehlenator at gmail.com> wrote:
> [snip]
>
> So, how are other people handling this? Is there an AMI event I want to watch for? I watch for PeerStatus, but since there's no actual peer in the attack, I don't seem to get an event from AMI.
>
> Any ideas?

There is an AMI security class that you can use to monitor the AMI security events. See manager.conf.sample

Richard
Hi Mike

In this case, if it's coming from friendly scanner why not drop the packets at the firewall layer so that Asterisk never sees them?

Mark

> On 15 Aug 2017, at 20:37, mdiehl <mdiehlenator at gmail.com> wrote:
> [snip]
Hi Mike,

On 15-08-17 21:37, mdiehl wrote:
> Hi all,
>
> Lately, I've seen an increase in the number of attacks against my system from the so-called "Friendly Scanner." When one of these script kiddies targets my server, all I see for symptoms is a few of my trunks become lagged due to server load and a stream of messages on the console that resemble this:
[snip]
> I have to turn on sip debugging to find out who's hitting me. However, I can't just leave it on because it would kill my logging system.
>
> So, how are other people handling this? Is there an AMI event I want to watch for? I watch for PeerStatus, but since there's no actual peer in the attack, I don't seem to get an event from AMI.
>
> Any ideas?

You can block sipvicious/friendly scanner in iptables with something like:

-A INPUT -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm -j DROP

You can also look at xtables with geoip to drop countries (per destination port) that should not connect to your Asterisk box. It's a big hammer but it works really well.

Or put a proxy like Kamailio or OpenSIPS in front of the Asterisk box. That's what the telcos/service providers do.

HTH,
Patrick
Hi!

You can also consider using fail2ban, but it's more suitable to block bruteforce attempts.

On Tue, Aug 15, 2017, 11:56 PM Patrick Laimbock <patrick at laimbock.com> wrote:
> [snip]
>
> You can block sipvicious/friendly scanner in iptables with something like:
>
> -A INPUT -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm -j DROP
>
> [snip]
Telium Technical Support
2017-Aug-17 01:51 UTC
[asterisk-users] Detecting DoS attacks via SIP
Keep in mind that the attacks you are seeing in the log are ONLY the ones that Asterisk is detecting and rejecting. All other attacks aren't even showing up!

There's a good discussion of how to secure your PBX here: https://www.voip-info.org/wiki/view/asterisk+security

In general, don't let the malevolent traffic get as far as the PBX (block at the firewall). Also, Digium regularly warns users that fail2ban is NOT a security system: http://forums.asterisk.org/viewtopic.php?p=159984

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of mdiehl
Sent: Tuesday, August 15, 2017 3:38 PM
To: asterisk-users at lists.digium.com
Subject: [asterisk-users] Detecting DoS attacks via SIP

[snip]
-- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- Check out the new Asterisk community forum at: https://community.asterisk.org/ New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Well, correct me if I'm wrong, but I would say the conversation you have posted is a bit outdated; fail2ban can now be used with the Asterisk security log: https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger

On Thu, Aug 17, 2017, 4:53 AM Telium Technical Support <support at telium.ca> wrote:
> Keep in mind that the attacks you are seeing in the log are ONLY the ones that Asterisk is detecting and rejecting. All other attacks aren't even showing up!
>
> [snip]
>
> In general, don't let the malevolent traffic get as far as the PBX (block at the firewall). Also, Digium regularly warns users that fail2ban is NOT a security system: http://forums.asterisk.org/viewtopic.php?p=159984
>
> [snip]
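A worked example of the approach Richard's reply (the AMI security class) and the fail2ban-on-security-log reply above both point at: a small parser, added here and not taken from the thread or from Asterisk, that reads Security Event Logger lines and picks out the source addresses producing bursts of rejected requests, which is the information Mike was turning on sip debug to get. The log lines are constructed for the example in the key="value" layout that res_security_log writes when logger.conf routes the `security` level to a file; the addresses, session id, event mix and the threshold/window defaults are assumptions.

```python
"""Pick scanning sources out of Asterisk security-event log lines.

Added example, not code from the thread. The sample lines are constructed
and follow the key="value" layout of the Asterisk Security Event Logger;
the addresses, session id and timestamps are invented.
"""
import re
from collections import defaultdict
from datetime import datetime

# Event names Asterisk emits for rejected requests. SuccessfulAuth and
# ChallengeSent are deliberately excluded so legitimate phones never count.
FAILURE_EVENTS = {
    "InvalidAccountID", "FailedACL", "ChallengeResponseFailed",
    "InvalidPassword", "RequestBadFormat", "UnexpectedAddress",
    "RequestNotAllowed", "AuthMethodNotAllowed",
}

_KV = re.compile(r'(\w+)="([^"]*)"')


def _line(event, ip, hms, severity="Error"):
    """Build one constructed log line in the security-logger layout."""
    return (
        f'[Aug 17 {hms[:8]}] SECURITY[2041] res_security_log.c: '
        f'SecurityEvent="{event}",EventTV="2017-08-17T{hms}+0000",'
        f'Severity="{severity}",Service="SIP",EventVersion="1",'
        f'AccountID="100",SessionID="0x7f3c1c0021d0",'
        f'LocalAddress="IPV4/UDP/192.0.2.10/5060",'
        f'RemoteAddress="IPV4/UDP/{ip}/5062"'
    )


SAMPLE_LINES = [
    # a console line of the kind quoted in the thread; carries no source address
    "[Aug 2 20:27:50] == Using SIP VIDEO CoS mark 6",
    # a real phone authenticating; must not be counted
    _line("SuccessfulAuth", "192.0.2.20", "01:50:58.004", severity="Informational"),
    # two stray failures minutes apart: below any sane threshold
    _line("InvalidAccountID", "198.51.100.7", "01:51:00.300"),
    _line("InvalidAccountID", "198.51.100.7", "01:55:30.300"),
] + [
    # a scanner walking account ids: six rejects within six seconds
    _line("InvalidAccountID", "203.0.113.5", f"01:51:{s:02d}.120")
    for s in range(10, 16)
]


def parse_security_event(line):
    """Return the fields of a SecurityEvent line as a dict, or None for any other line."""
    if 'SecurityEvent="' not in line:
        return None
    fields = dict(_KV.findall(line))
    # RemoteAddress is written as IPV4/UDP/203.0.113.5/5062; keep only the host part
    parts = fields.get("RemoteAddress", "").split("/")
    if len(parts) == 4:
        fields["RemoteIP"] = parts[2]
    return fields


def event_time(fields):
    """EventTV is ISO 8601 with fractional seconds and a numeric zone offset."""
    return datetime.strptime(fields["EventTV"], "%Y-%m-%dT%H:%M:%S.%f%z")


def failures_by_ip(lines):
    """Map each remote IP to the sorted timestamps of its rejected requests."""
    per_ip = defaultdict(list)
    for line in lines:
        f = parse_security_event(line)
        if f and f.get("SecurityEvent") in FAILURE_EVENTS and "RemoteIP" in f:
            per_ip[f["RemoteIP"]].append(event_time(f))
    return {ip: sorted(ts) for ip, ts in per_ip.items()}


def offenders(lines, threshold=5, window_seconds=60):
    """IPs with at least `threshold` rejects inside some `window_seconds` span.

    Sliding window over the sorted timestamps, so a slow trickle of
    failures spread over hours is not mistaken for a scan.
    """
    hits = []
    for ip, ts in failures_by_ip(lines).items():
        for i in range(len(ts) - threshold + 1):
            if (ts[i + threshold - 1] - ts[i]).total_seconds() <= window_seconds:
                hits.append(ip)
                break
    return sorted(hits)


if __name__ == "__main__":
    for ip in offenders(SAMPLE_LINES):
        print(f"{ip}: candidate for a firewall drop")
```

Point `failures_by_ip` at the lines of the security log file instead of `SAMPLE_LINES` to use it for real. The same event names and the same `IPV4/UDP/host/port` RemoteAddress form arrive over AMI when the `security` class is enabled in manager.conf, but AMI delivers them as `Key: Value` headers rather than `key="value"` pairs, so only the aggregation half transfers unchanged. Whatever address the window flags, the earlier replies still apply: act on it at the firewall rather than inside Asterisk.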