asterisk users - Aug 2017 - Detecting DoS attacks via SIP

Hi all,

Lately, I've seen an increase in the number of attacks against my system
from the so-called "Friendly Scanner."  When one of these script
kiddies targets my server, all I see for symptoms is a few of my trunks become
lagged due to server load and a stream of messages on the console that resemble
this:

[Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
[Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
[Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
[Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
[Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
[Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
[Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
[Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
[Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6


I have to turn on sip debugging to find out who's hitting me.  However, I
can't just leave it on because it would kill my logging system.

So, how are other people handling this?  Is there an AMI event I want watch for?
I watch for PeerStatus, but since there's no actual peer in the attack, I
don't seem to get an event from AMI.

Any ideas?

Mike Diehl.

On Tue, Aug 15, 2017 at 2:37 PM, mdiehl <mdiehlenator at gmail.com> wrote:
> Hi all,
>
> Lately, I've seen an increase in the number of attacks against my
system
> from the so-called "Friendly Scanner."  When one of these script
kiddies
> targets my server, all I see for symptoms is a few of my trunks become
> lagged due to server load and a stream of messages on the console that
> resemble this:
>
> [Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
> [Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
> [Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
> [Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
> [Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6
>
>
> I have to turn on sip debugging to find out who's hitting me.  However,
I
> can't just leave it on because it would kill my logging system.
>
> So, how are other people handling this?  Is there an AMI event I want
> watch for?  I watch for PeerStatus, but since there's no actual peer in
the
> attack, I don't seem to get an event from AMI.
>
> Any ideas?
>
There is an AMI security class that you can use to monitor the AMI security
events.
See manager.conf.sample

Richard
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20170815/97ed60eb/attachment.html>

Hi Mike

In this case, if it?s coming from friendly scanner why not drop the packets at
the firewall layer so that Asterisk never sees them?

Mark
> On 15 Aug 2017, at 20:37, mdiehl <mdiehlenator at gmail.com> wrote:
> 
> Hi all,
> 
> Lately, I've seen an increase in the number of attacks against my
system from the so-called "Friendly Scanner."  When one of these
script kiddies targets my server, all I see for symptoms is a few of my trunks
become lagged due to server load and a stream of messages on the console that
resemble this:
> 
> [Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
> [Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
> [Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
> [Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
> [Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6
> 
> 
> I have to turn on sip debugging to find out who's hitting me.  However,
I can't just leave it on because it would kill my logging system.
> 
> So, how are other people handling this?  Is there an AMI event I want watch
for?  I watch for PeerStatus, but since there's no actual peer in the
attack, I don't seem to get an event from AMI.
> 
> Any ideas?
> 
> Mike Diehl.
> 
> -- 
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> 
> Check out the new Asterisk community forum at:
https://community.asterisk.org/
> 
> New to Asterisk? Start here:
>      https://wiki.asterisk.org/wiki/display/AST/Getting+Started
> 
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users

Hi Mike,

On 15-08-17 21:37, mdiehl wrote:
> Hi all,
> 
> Lately, I've seen an increase in the number of attacks against my
system from the so-called "Friendly Scanner."  When one of these
script kiddies targets my server, all I see for symptoms is a few of my trunks
become lagged due to server load and a stream of messages on the console that
resemble this:
[snip]
> I have to turn on sip debugging to find out who's hitting me.  However,
I can't just leave it on because it would kill my logging system.
> 
> So, how are other people handling this?  Is there an AMI event I want watch
for?  I watch for PeerStatus, but since there's no actual peer in the
attack, I don't seem to get an event from AMI.
> 
> Any ideas?
You can block sipvicious/friendly scanner in iptables with something like:

-A INPUT -p udp --dport 5060 -m string --string "friendly-scanner" 
--algo bm -j DROP

You can also look at xtables with geoip to drop countries (per 
destination port) that should not connect to your Asterisk box. It's a 
big hammer but it works really well.

Or put a proxy like Kamailio or OpenSIPS in front of the Asterisk box. 
That's what the telco's/service providers do.

HTH,
Patrick

Hi!
You can also consider using fail2ban but it's more suitable to block
bruteforce attempts.

On Tue, Aug 15, 2017, 11:56 PM Patrick Laimbock <patrick at laimbock.com>
wrote:
> Hi Mike,
>
> On 15-08-17 21:37, mdiehl wrote:
> > Hi all,
> >
> > Lately, I've seen an increase in the number of attacks against my
system
> from the so-called "Friendly Scanner."  When one of these script
kiddies
> targets my server, all I see for symptoms is a few of my trunks become
> lagged due to server load and a stream of messages on the console that
> resemble this:
> [snip]
> > I have to turn on sip debugging to find out who's hitting me. 
However,
> I can't just leave it on because it would kill my logging system.
> >
> > So, how are other people handling this?  Is there an AMI event I want
> watch for?  I watch for PeerStatus, but since there's no actual peer in
the
> attack, I don't seem to get an event from AMI.
> >
> > Any ideas?
>
> You can block sipvicious/friendly scanner in iptables with something like:
>
> -A INPUT -p udp --dport 5060 -m string --string
"friendly-scanner"
> --algo bm -j DROP
>
> You can also look at xtables with geoip to drop countries (per
> destination port) that should not connect to your Asterisk box. It's a
> big hammer but it works really well.
>
> Or put a proxy like Kamailio or OpenSIPS in front of the Asterisk box.
> That's what the telco's/service providers do.
>
> HTH,
> Patrick
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Check out the new Asterisk community forum at:
> https://community.asterisk.org/
>
> New to Asterisk? Start here:
>       https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20170816/cd27f90b/attachment.html>

Keep in mind that the attacks you are seeing in the log are ONLY the ones
that Asterisk is detecting and rejecting.  All other attacks aren't even
showing up!

There's a good discussion of how to secure your PBX here:
https://www.voip-info.org/wiki/view/asterisk+security

In general, don't let the malevolent traffic get as far as the PBX (block at
the firewall).  Also, Digium regularly warns users that fail2ban is NOT a
security system: http://forums.asterisk.org/viewtopic.php?p=159984

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of mdiehl
Sent: Tuesday, August 15, 2017 3:38 PM
To: asterisk-users at lists.digium.com
Subject: [asterisk-users] Detecting DoS attacks via SIP

Hi all,

Lately, I've seen an increase in the number of attacks against my system
from the so-called "Friendly Scanner."  When one of these script
kiddies
targets my server, all I see for symptoms is a few of my trunks become
lagged due to server load and a stream of messages on the console that
resemble this:

[Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
[Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
[Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
[Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
[Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
[Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
[Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
[Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
[Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6


I have to turn on sip debugging to find out who's hitting me.  However, I
can't just leave it on because it would kill my logging system.

So, how are other people handling this?  Is there an AMI event I want watch
for?  I watch for PeerStatus, but since there's no actual peer in the
attack, I don't seem to get an event from AMI.

Any ideas?

Mike Diehl.

-- 
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at:
https://community.asterisk.org/

New to Asterisk? Start here:
      https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Well, correct me if I'm wrong, but I would say this conversation you have
posted is a bit outdated, now fail2ban can be used with asterisk security
log
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger.

On Thu, Aug 17, 2017, 4:53 AM Telium Technical Support <support at
telium.ca>
wrote:
> Keep in mind that the attacks you are seeing in the log are ONLY the ones
> that Asterisk is detecting and rejecting.  All other attacks aren't
even
> showing up!
>
> There's a good discussion of how to secure your PBX here:
> https://www.voip-info.org/wiki/view/asterisk+security
>
> In general, don't let the malevolent traffic get as far as the PBX
(block
> at
> the firewall).  Also, Digium regularly warns users that fail2ban is NOT a
> security system: http://forums.asterisk.org/viewtopic.php?p=159984
>
> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com
> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of mdiehl
> Sent: Tuesday, August 15, 2017 3:38 PM
> To: asterisk-users at lists.digium.com
> Subject: [asterisk-users] Detecting DoS attacks via SIP
>
> Hi all,
>
> Lately, I've seen an increase in the number of attacks against my
system
> from the so-called "Friendly Scanner."  When one of these script
kiddies
> targets my server, all I see for symptoms is a few of my trunks become
> lagged due to server load and a stream of messages on the console that
> resemble this:
>
> [Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
> [Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
> [Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
> [Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
> [Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6
>
>
> I have to turn on sip debugging to find out who's hitting me.  However,
I
> can't just leave it on because it would kill my logging system.
>
> So, how are other people handling this?  Is there an AMI event I want watch
> for?  I watch for PeerStatus, but since there's no actual peer in the
> attack, I don't seem to get an event from AMI.
>
> Any ideas?
>
> Mike Diehl.
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Check out the new Asterisk community forum at:
> https://community.asterisk.org/
>
> New to Asterisk? Start here:
>       https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
>
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Check out the new Asterisk community forum at:
> https://community.asterisk.org/
>
> New to Asterisk? Start here:
>       https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20170817/59bf8199/attachment.html>