similar to: SIP flood attacK

Is there a way to drop a ip connection to asterisk after a number of register attempts. I have been having issues with hackers doing registration scanning against our server. We block their address at the fire wall but since asterisk does not force a drop of the connect after so many bad reg attempts I can't enforce the block until they drop and try again. This allows them to run the box

... using it as a tool and understanding what it does... So one part of it's toolset identifys valid SIP accounts - and I was under the impression that alwaysauthreject=yes was supposed to stop this... However, it sends a request for a highly probably non-existent account, then sends requests for probably existing accounts and I guess compares the results - account not found vs. bad

Hi, Got some great news a few days ago from Sandro Gauci (@SandroGauci) and we'll be talking about this with him this Friday at 1PM. SIPVicious, the free security tools for SIP scanning, now include a new tool: svcrash. It is aimed at helping system administrators stop bandwidth consuming scans making use of svwar and svcrack. Here is the announcement on SIPViscious blog:

Greetings all, I have been seeing a lot of [Jan 2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite: Sending fake auth rejection for device 100<sip:100 at 108.161.145.18>;tag=2e921697 in my logs lately. Is there a way to automatically ban IP address from attackers within asterisk ? Thank you

An attacker is scanning my Asterisk Switch to gain illegitimate access to VoIP call functionality. Using a sip scanning tool, *it* sends REGISTERs with random identities. And when it discovers one identity subscribed in my switch, it tries to authenticate with random passwords using this user name. For the moment, I have replaced this account. And also blocked the IP it has used but each time

Hey, I'm going thru logs, and I see some very common and interesting things that the hackers are looking for. In a whole bunch of scans, I've noticed that the first guess or two for sip accounts is usually a 10-digit number. I'm asking myself, why these numbers? Are they looking for a voip trunk? Or is it just like a serial number for the scan? What? Here's some examples:

hi i''ve created an emergingthreats fwrules ipset updater for use with my shorewall. maybe others find this usefull too. short howto: * get bash script (emerging-ipset-update.txt) from http://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules * add the configured ipsets to shorewall configfile "blacklist" * if not already configured: configure your interfaces for

I'm currently receiving over 200 SIP REGISTER requests per second from a machine apparently in Italy, host97-239-149-62.serverdedicati.aruba.it. This has continued for several days, and abuse at staff.aruba.it are unresponsive. I've had a couple of similar incidents recently, the others originating from uk2.net. I have an ADSL connection and responding to these REGISTERS was consuming all

Hello everyone, is a pleasure to be here. I have a problem with my server, it runs qmail SMTP and protect it with shorewall. Since yesterday I get syn flood attacks on port 25, which means that no longer meet. How can I stop this with shorewall? my setup is as follows. zones: #ZONE DISPLAY COMMENTS net Net Internet loc Local Local networks dmz DMZ

HI ALL got small question i use call-limit=1 on peers but call limit is not working if user is not registered on PBX and making calls so the main question is -- how to Disallow CALLS without registering on PBX -- Best regards Antony tel. +380669197533 tel2. +380636564340 Paypal http://paypal.me/Satskiy

Hello, I current have a FreeBSD 4.8 bridge firewall that sits between 7 servers and the internet. The servers are being attacked with syn floods and go down multiple times a day. The 7 servers belong to a client, who runs redhat. I am trying to find a way to do some kind of syn flood protection inside the firewall. Any suggestions would be greatly appreciated. -- Ryan James ryan@mac2.net

This module wont compile can anyone give me any assistance -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.digium.com/pipermail/asterisk-users/attachments/20040614/03ae433c/attachment.htm

Hi, I've recently had a fairly prolonged SIP registration attack, 18 hours in this case and often with 200 attempts per second, and suspect I've had a number of these in the past. The main symptom I noticed previously was, because Asterisk was responding to each registration request it received, it was very quickly using up my 448 kbps upload limit for my home ADSL connection: any

Samba 3.4.7 Ubuntu 10.04 Has anyone out there got Xerox 64 bit drivers working in a point and print samba set up? And if so, which Xerox drivers? And which method of driver installation? I'm at a complete loss. We currently have an environment with 500 + desktops and a couple dozen Xerox workgroup docucolor MFPs that are running fine now with XP clients and a Samba print server. We're

I wish to do a stacked area chart to show how relative proportions of species within a stand have changed over time. I know this is simple, but can someone point me to the right function (if it exists). I have not had any luck finding it in the R-help, but maybe I am searching using the wrong keywords. Thanks, Mike Mike Saunders Research Assistant Forest Ecosystem Research Program Department

I beg to differ. Digium is hiding from the real world and somebody is going take the software and run with it. My customers lost in excess of $50.000 and cut my pay in half, because of hackers. The hackers figured out how to scan every asterisk for weak passwords or open ports, and bang them real good. We need two things: a) disable in sip.conf the reply for INVITES that have wrong user

Perhaps someone will help me on this :- I have read a lot of examples of syn flood protect on the INPUT chain. That I have no question at all. I wonder if it make sense to perform syn flood protection at the FORWARD chain ? If packets are originated from a LAN worm, and are not targetted at the firewall itself, but rather at hosts in the internet, will it cause problem with the firewall itself,

Asterisk Project Security Advisory - AST-2011-013 Product Asterisk Summary Possible remote enumeration of SIP endpoints with differing NAT settings Nature of Advisory Unauthorized data disclosure Susceptibility Remote

I have been trying various ways and looking though the lists, but I can't seem to find a solution. I am running a Ultra2 with Solaris 9 and rsync 2.5.2, with the old -move-files patch. I want to upgrade to 2.6.3 with the delete-sent-files patch. Which I understand is the new and improved version serving the same purpose. Unfortunately my patch under Solaris did'nt work, so I d/l

Interesting read in Alec Saunders blog today. http://saunderslog.com/2007/03/01/mashable-telcos/ Thought it may interest some people on this list. As food for thought, why it is that ITSP's haven't come up with more 'interesting' voice applications? When asterisk first became available I thought it was the beginning of seeing really neat applications, think Verzion's