Fwd: Re: How to protect OpenSIPS from undesired requests (DoS attack?)


Fwd: Re: How to protect OpenSIPS from undesired requests (DoS attack?)

Mickael HUBERT
Hi,
Pike module to stop floods?
I have added a Perl script to pike to add a firewall rule on my FreeBSD.

Example opensips conf:

#------------------- module pike ---------------
loadmodule "pike.so"
#----------- pike params ------------
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 80)
modparam("pike", "remove_latency", 130)
modparam("pike", "pike_log_level", -1)

in script:

    if(!pike_check_req())
    {
        if(perl_exec("pikesendmail"))
        {
            xlog("L_INFO","Fonction perl_exec PIKE OK");
        }
        xlog("L_WARN","PIKE_CHECK_REQ banned IP $si because of flooding requests");
        exit;
    }

perl script:


use strict;
use warnings;
use MIME::Lite;
use OpenSIPS;
use OpenSIPS::Constants;   # L_INFO and the other log levels

sub pikesendmail
{
        MIME::Lite->send('smtp', 'smtp.....');

        # both AVPs must be set in the OpenSIPS route before perl_exec() is called
        my $serverIP = OpenSIPS::AVP::get("serverIP");
        my $sourceIP = OpenSIPS::AVP::get("sourceIP");

        my @exceptions = ('my IP');   # placeholder: addresses that must never be blocked

        my $logfile = "/var/log/pikemodule.log";
        my $date = localtime();
        open(LOGFILE, '>>', $logfile) or die "cannot open logfile $logfile for append: $!";

        my $subject = "IP $sourceIP blocked by server $serverIP";
        my @body ;
        my @argsbash ;
        my @listeIP ;
        my $maxid ;
        my $newid ;
        my $reglepresente = 0 ;   # an ipfw rule for this IP already exists
        my $inhib = 0 ;           # source IP is on the exception list

        for my $i (@exceptions)
        {
                if($sourceIP eq $i)
                {
                        $inhib = 1 ;
                        last ;
                }
        }

        # rules 00500-00599 are reserved for pike blocks; field 5 of "ipfw list" is the source address
        foreach(`ipfw list | grep ^005 | awk -F" " {'print \$5'}`)
        {
                chomp;
                push (@listeIP,$_) ;
        }

        for(@listeIP){
                # exact comparison: with =~ the dots in $sourceIP would act as regex wildcards
                if($_ eq $sourceIP){
                        #print "rule already present\n";
                        $reglepresente = 1 ;
                }
        }

        if($reglepresente == 0 && $inhib == 0){

                $maxid=`ipfw list | grep ^005 | tail -n1 | awk -F" " {'print \$1'} | sed "s/^00//"`;
                chomp($maxid);
                if ($maxid eq ''){
                        $newid = 500 ;
                }else{
                        $newid = $maxid+1 ;
                }

                # one list element per word: "add $newid deny ..." as a single element
                # would reach ipfw as one argument and the rule would not be added
                @argsbash = ("ipfw", "add", $newid, "deny", "ip", "from", $sourceIP, "to", "me");
                if(system(@argsbash) == 0){
                        print LOGFILE "$date INFO : Nouveau blocage pour SIP flooding \n";
                        print LOGFILE "$date INFO : Regle IPFW appliquee ID $newid \n";
                        OpenSIPS::log(L_INFO, "SIP Flooding, IP $sourceIP blocked with IPFW rule $newid\n");
                }else{
                        die "system @argsbash failed: $?";
                }

                open(EMAILB, '<', "/usr/local/libexec/templ_email.tpl") || die ("Erreur d'ouverture de EMAILB") ;
                while (<EMAILB>) {
                        $_ =~ s/PARA1/$sourceIP/g;
                        $_ =~ s/PARA2/$serverIP/g;
                        $_ =~ s/PARA3/$newid/g;
                        push (@body,$_);
                }

                close(EMAILB);

                # build the MIME::Lite object with the message headers
                my $message = MIME::Lite->new(
                        From       => 'OpenSIPS [hidden email]',
                        To         => '',
                        Subject    => "$subject",
                        "X-Mailer" => 'OpenSIPS',
                        Type       => 'text/html',
                        Data       => "@body",
                );

                if($message->send()){
                        print LOGFILE "$date INFO : Mail envoye pour blocage IP $sourceIP\n";
                        OpenSIPS::log(L_INFO, "SIP Flooding, mail has been sent\n");
                }
        }

        close LOGFILE ;   # closed on every path, not only when a rule was added

    return 1;
}

bye

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: Fwd: Re: How to protect OpenSIPS from undesired requests (DoS attack?)

shaheryarkh
While this will work for small setups, I have a feeling that this won't be suitable for high-load production systems, since it does the same thing as fail2ban but runs INLINE, blocking other SIP requests till it is finished.

Thank you.


On Wed, Mar 6, 2013 at 8:48 PM, Hubert Mickael <[hidden email]> wrote:


--
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +49 176 99 83 10 85
MSN: [hidden email]
Email: [hidden email]


Re: Fwd: Re: How to protect OpenSIPS from undesired requests (DoS attack?)

Roberto Spadim
Maybe a log file and deny IP is faster,
but if you want it per user, it's slower, since you must check if the user is OK in a database.
Using IP, you only need to log, and an external program (e.g. fail2ban) can block it via iptables, hosts.deny or another method.



2013/3/6 Muhammad Shahzad <[hidden email]>

--
Roberto Spadim
SPAEmpresarial

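The out-of-band approach Roberto sketches (OpenSIPS only logs, an external program blocks), as an added example that is not code from the thread or from the OpenSIPS project: it consumes the xlog() WARN line from Mickael's route script instead of calling perl_exec() inline, keeps the 500-599 ipfw rule-id range and the exception list of his Perl script, and builds argv lists rather than a shell string. The log-line format, WHITELIST and the sample lines are assumptions/constructed.

```python
# Added example (not from the thread): out-of-band blocker in the spirit of the
# fail2ban suggestion. OpenSIPS only emits the xlog() WARN line from the route;
# this watcher reads those lines and decides on ipfw rules outside the SIP path.
# WHITELIST, the rule-id range and the sample lines are assumptions/constructed.
import ipaddress
import re

BAN_RE = re.compile(r"PIKE_CHECK_REQ banned IP (\S+) because of flooding requests")
WHITELIST = [ipaddress.ip_network("192.0.2.10/32")]  # constructed: own trunk IP
RULE_BASE, RULE_MAX = 500, 599                       # same ipfw id range as the Perl script

def parse_banned_ip(line):
    """Offending IP from one log line, or None (not a ban line / not a valid IP)."""
    m = BAN_RE.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None  # never let log garbage reach a firewall command

def next_rule_id(used):
    """Smallest free ipfw rule id in the reserved range, or None when exhausted."""
    return next((r for r in range(RULE_BASE, RULE_MAX + 1) if r not in used), None)

def plan_blocks(lines, blocked, used_ids):
    """Map log lines to ipfw argv lists; skips whitelisted and already-blocked IPs.
    Mutates `blocked` and `used_ids` so a long-running watcher keeps its state.
    Each argv list is ready for subprocess.run(cmd, check=True) with no shell."""
    cmds = []
    for line in lines:
        ip = parse_banned_ip(line)
        if ip is None or ip in blocked or any(ip in n for n in WHITELIST):
            continue
        rid = next_rule_id(used_ids)
        if rid is None:
            break  # range full: stop rather than overwrite unrelated rules
        used_ids.add(rid)
        blocked.add(ip)
        cmds.append(["ipfw", "add", str(rid), "deny", "ip", "from", str(ip), "to", "me"])
    return cmds

if __name__ == "__main__":
    SAMPLE = [  # constructed syslog lines in the thread's xlog() format
        "Mar  6 20:48:01 sbc opensips[1234]: PIKE_CHECK_REQ banned IP 203.0.113.7 because of flooding requests",
        "Mar  6 20:48:02 sbc opensips[1234]: PIKE_CHECK_REQ banned IP 203.0.113.7 because of flooding requests",
        "Mar  6 20:48:03 sbc opensips[1234]: PIKE_CHECK_REQ banned IP 192.0.2.10 because of flooding requests",
    ]
    for cmd in plan_blocks(SAMPLE, set(), {500, 501}):
        print(" ".join(cmd))  # prints: ipfw add 502 deny ip from 203.0.113.7 to me
```

The second sample line is a repeat of the same flooder and the third is the whitelisted trunk, so only one rule is planned; the same dedup and exception checks are what keep the Perl version from stacking rules.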