How block Register attack


Nick-2
Hello

I use ngrep to watch the protocol.
U 2012/01/16 13:34:42.782438 173.0.60.180:5078 -> 10.10.12.70:5060
REGISTER sip:10.10.12.70 SIP/2.0.
Via: SIP/2.0/UDP 173.0.60.180:5078;branch=z9hG4bK-3900389486;rport.
Content-Length: 0.
From: "108" <sip:108@10.10.12.70>.
Accept: application/sdp.
User-Agent: friendly-scanner.
To: "108" <sip:108@10.10.12.70>.
Contact: sip:123@1.1.1.1.
CSeq: 1 REGISTER.
Call-ID: 1312362532.
Max-Forwards: 70.
.

#
U 2012/01/16 13:34:42.782913 173.0.60.180:5078 -> 10.10.12.70:5060
REGISTER sip:10.10.12.70 SIP/2.0.
Via: SIP/2.0/UDP 173.0.60.180:5078;branch=z9hG4bK-4136329935;rport.
Content-Length: 0.
From: "108" <sip:108@10.10.12.70>.
Accept: application/sdp.
User-Agent: friendly-scanner.
To: "108" <sip:108@10.10.12.70>.
Contact: sip:123@1.1.1.1.
CSeq: 1 REGISTER.
Call-ID: 1936335613.
Max-Forwards: 70.
.

#
U 2012/01/16 13:34:42.783353 173.0.60.180:5078 -> 10.10.12.70:5060
REGISTER sip:10.10.12.70 SIP/2.0.
Via: SIP/2.0/UDP 173.0.60.180:5078;branch=z9hG4bK-2752077727;rport.
Content-Length: 0.
From: "108" <sip:108@10.10.12.70>.
Accept: application/sdp.
User-Agent: friendly-scanner.
To: "108" <sip:108@10.10.12.70>.
Contact: sip:123@1.1.1.1.
CSeq: 1 REGISTER.
Call-ID: 3116948484.
Max-Forwards: 70.
.

How do I block a REGISTER attack?

Thanks for your support.
Nick


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: How block Register attack

Andrew Pogrebennyk
On 01/16/2012 06:35 AM, [hidden email] wrote:
> How do I block a REGISTER attack?

That is the exact purpose of the ratelimit module.
You can do automatic ratelimit as defined in the params or you can do
forced ratelimiting for every new REGISTER. Please check the readme of
the ratelimit module:
http://www.opensips.org/html/docs/modules/1.7.x/ratelimit.html


Re: How block Register attack

Jan D.
In reply to this post by Nick-2
Hi,

It's better to drop the connection without sending any packet back. Due to a bug in Friendly-Scanner, it sometimes keeps trying to register with the same username again and again, in a bad case resulting in a lot of data traffic to opensips.

I use this rule in the default route:

if($ua=~"friendly-scanner")
{
 xlog("L_ERROR","Auth error for $fU@$fd from $si cause -1 REGISTER username (friendly-scanner)");
 drop();
}

Also log other failures (username or password) and use fail2ban to drop the IP entirely with iptables.

Jan.
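
The log-and-ban flow described in the post above, as an added example that is not part of the original post: it applies a fail2ban-style failregex to the message written by the xlog() call and counts hits per source inside a time window. The log lines, their timestamp prefix and the MAXRETRY and FINDTIME values are constructed assumptions, and the matching is a simplified stand-in for fail2ban, not its code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban-style pattern for the xlog() message in the rule above;
# <HOST> is the fail2ban placeholder (simplified here to IPv4 only).
FAILREGEX = r"Auth error for \S+ from <HOST> cause -1 REGISTER"
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
MAXRETRY = 3                       # assumed threshold
FINDTIME = timedelta(seconds=60)   # assumed window

# Constructed sample log (the ISO timestamp prefix is an assumption).
SAMPLE_LOG = """\
2012-01-16T13:34:42 opensips[2211]: Auth error for 108@10.10.12.70 from 173.0.60.180 cause -1 REGISTER username (friendly-scanner)
2012-01-16T13:34:43 opensips[2211]: Auth error for 109@10.10.12.70 from 173.0.60.180 cause -1 REGISTER username (friendly-scanner)
2012-01-16T13:34:50 opensips[2211]: Auth error for 200@10.10.12.70 from 192.0.2.15 cause -1 REGISTER username (friendly-scanner)
2012-01-16T13:34:55 opensips[2211]: Auth error for 110@10.10.12.70 from 173.0.60.180 cause -1 REGISTER username (friendly-scanner)
2012-01-16T13:40:00 opensips[2211]: Auth error for 201@10.10.12.70 from 192.0.2.15 cause -1 REGISTER username (friendly-scanner)
"""

def hosts_to_ban(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return source IPs with >= maxretry matches within findtime."""
    pattern = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))
    recent = defaultdict(deque)   # host -> match times still in the window
    banned = []
    for line in log_text.splitlines():
        match = pattern.search(line)
        if not match:
            continue
        host = match.group("host")
        stamp = datetime.fromisoformat(line.split(" ", 1)[0])
        hits = recent[host]
        hits.append(stamp)
        while stamp - hits[0] > findtime:   # expire matches outside the window
            hits.popleft()
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned
```
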

Re: How block Register attack

Bogdan-Andrei Iancu-2
In reply to this post by Nick-2
Hi all,

Also, aside from checking the callrate (with ratelimit) or the UA (from
script), you should also consider using the pike module for detecting
DoS attacks based on floods.
http://www.opensips.org/html/docs/modules/1.7.x/pike.html

Regards,
Bogdan



--
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
OpenSIPS solutions and "know-how"

