How to protect OpenSIPS from undesired requests (DoS attack?)

leo
Hello:

I'm receiving a lot of REGISTER requests on my OpenSIPS server. I believe that someone is trying to attack the SIP service, because the source IP is not one that I know. Here is the request:

10:03:54.191249 00:08:e3:20:fb:b6 > 00:0c:29:fc:95:e1, ethertype IPv4 (0x0800), length 384: (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto UDP (17), length 370)
    199.217.115.214.5981 > X.X.X.X.5060: [udp sum ok] SIP, length: 342
        REGISTER sip:X.X.X.X SIP/2.0
        Via: SIP/2.0/UDP 199.217.115.214:5981;branch=z9hG4bK-2684304106;rport
        Content-Length: 0
        From: "5988" <sip:5988@X.X.X.X>
        Accept: application/sdp
        User-Agent: friendly-scanner
        To: "5988" <sip:5988@X.X.X.X>
        Contact: sip:123@1.1.1.1
        CSeq: 1 REGISTER
        Call-ID: 3943182463
        Max-Forwards: 70

How could I prevent this kind of request?
Thanks a lot.

Leo.
Re: How to protect OpenSIPS from undesired requests (DoS attack?)

alexandre Moutot
Hello,

Maybe you should use fail2ban: http://www.opensips.org/Resources/DocsTutFail2ban

Regards,

MOUTOT Alexandre
[hidden email]

----- Original Message -----

> From: "leo" <[hidden email]>
> To: [hidden email]
> Sent: Wednesday, March 6, 2013 10:10:35 AM
> Subject: [OpenSIPS-Users] How to protect OpenSIPS from undesired requests (DoS attack?)

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: How to protect OpenSIPS from undesired requests (DoS attack?)

Nick Altmann
In reply to this post by leo
if ($ua =~ "friendly-scanner") {
    xlog("L_ERR", "Attack attempt - Request dropped");
    drop();
}

--
Nick

Re: How to protect OpenSIPS from undesired requests (DoS attack?)

leo
In reply to this post by alexandre Moutot
Hello Alexandre:

I've enabled fail2ban according to the instructions on that page, but it seems OpenSIPS is not logging the REGISTER attempts. Should I increase the debug level?

 ####### Global Parameters #########
debug=3
log_stderror=no
#Changed for fail2ban
#log_facility=LOG_LOCAL0
log_facility=LOG_LOCAL7

Thanks,

Leo

From: alexandre Moutot <[hidden email]>
To: OpenSIPS users mailing list <[hidden email]>
Sent: Wednesday, 6 March 2013 10:27
Subject: Re: [OpenSIPS-Users] How to protect OpenSIPS from undesired requests (DoS attack?)

Re: How to protect OpenSIPS from undesired requests (DoS attack?)

bakko
Hello,

I'm using this configuration:

if (is_method("REGISTER")) {
    $var(auth_code) = www_authorize("", "subscriber");
    if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
        xlog("L_NOTICE","Auth error for $fU@$fd from $si cause $var(auth_code)");
    }
    if ( $var(auth_code) < 0 ) {
        www_challenge("", "0");
        exit;
    }
    save("location");
    exit;
}

and in /etc/fail2ban/filter.d/opensips.conf:

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = opensips

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = Auth error for .* from <HOST> cause -[0-9]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

and in /etc/fail2ban/jail.conf:

[opensips]
enabled  = true
filter   = opensips
action   = iptables-allports[name=opensips, protocol=all]
           sendmail-whois[name=opensips, dest=[hidden email], sender=[hidden email]]
logpath  = /var/log/opensips.log
maxretry = 3
bantime = 7200


Regards


Re: How to protect OpenSIPS from undesired requests (DoS attack?)

leo
Hello Bakko:

I have it configured like yours, but I'm still not getting events like "Auth error for $fU@$fd from $si cause" in the opensips.log file for packets such as:

19:52:41.100695 00:08:e3:20:fb:b6 > 00:0c:29:fc:95:e1, ethertype IPv4 (0x0800), length 384: (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto UDP (17), length 370)
    199.217.115.214.5981 > [my SIP Server].5060: [udp sum ok] SIP, length: 342
    REGISTER sip:[my SIP Server] SIP/2.0
    Via: SIP/2.0/UDP 199.217.115.214:5981;branch=z9hG4bK-2068012690;rport
    Content-Length: 0
    From: "5988" <sip:5988@[my SIP Server]>
    Accept: application/sdp
    User-Agent: friendly-scanner
    To: "5988" <sip:5988@[my SIP Server]>
    Contact: sip:123@1.1.1.1
    CSeq: 1 REGISTER
    Call-ID: 1787915151
    Max-Forwards: 70


I've also added Nick's suggestion:
if ($ua =~ "friendly-scanner") {
    xlog("L_ERR", "Attack attempt - Request dropped");
    drop();
}

But I don't get those events in the opensips.log file either.

Any clue?
Thanks,

Leo


From: bakko [via OpenSIPS (Open SIP Server)] <[hidden email]>
To: leo <[hidden email]>
Sent: Wednesday, 6 March 2013 11:49
Subject: Re: How to protect OpenSIPS from undesired requests (DoS attack?)

Re: How to protect OpenSIPS from undesired requests (DoS attack?)

shaheryarkh
A few suggestions (mostly already suggested by many guys in this thread; I am only arranging their order into a secure setup). The OpenSIPS log level should be at least 2.

1. I usually filter out all known nasty users / attackers right in the sanity check section of the default request route. My sanity check section is structured something like this:

    a). check max forwards.
    b). check message size.
    c). check the User-Agent string against a filter list; you can use the permissions module for this, as well as hard-code user-agents as Nick suggested.

############################################
route {
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    };

    if (msg:len > max_len) {
        sl_send_reply("513","Message Too Big");
        exit;
    };

    if ($ua =~ "friendly-scanner") {
        xlog("L_WARN", "[$pr:$fU@$si:$sp]: Rejecting '$rm' request from bogus device '$ua' \n");
        exit;
    };
    ...
#####################################


2. Then, in the authentication section, I make sure to authenticate both INVITE and REGISTER requests: check the return code of both www_authorize and proxy_authorize, and if it is -1 or -2, do an xlog to print a log line about the intruder, which is picked up by fail2ban to block the user (make sure the text pattern in your xlog matches the failregex in fail2ban!).

#####################################
...
if (!www_authorize("","subscriber")) {
    switch ($retcode) {
        case -1:
            xlog("L_NOTICE", "[$pr:$fU@$si:$sp]: Auth error for '$tU' from '$si', peer not found - User-Agent: '$ua' \n");
            break;
        case -2:
            xlog("L_NOTICE", "[$pr:$fU@$si:$sp]: Auth error for '$tU' from '$si', wrong password - User-Agent: '$ua' \n");
            break;
        ...
    };

    www_challenge("", "1");
    exit;
};
...
#######################################

Thank you.


--
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +49 176 99 83 10 85
MSN: [hidden email]
Email: [hidden email]
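The thread's recurring problem is that fail2ban only bans what its failregex actually matches, and the xlog text in bakko's script and in shaheryarkh's script are not the same. The following Python script is an added example, not code from any post in this thread or from fail2ban or OpenSIPS: it expands the `<HOST>` tag the way fail2ban does (using the expression bakko's filter file quotes), runs a failregex over an opensips.log excerpt, and emulates the jail's `maxretry` counting. The log lines, the syslog prefix, the 203.0.113.7 and 198.51.100.20 addresses (TEST-NET ranges) and the second failregex written for shaheryarkh's xlog format are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban replaces the <HOST> tag with this expression before compiling a
# failregex (the same expression bakko's filter file quotes in its comment).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# bakko's failregex, as in his /etc/fail2ban/filter.d/opensips.conf.
BAKKO_FAILREGEX = r"Auth error for .* from <HOST> cause -[0-9]"

# Assumed failregex for shaheryarkh's xlog format; not on the page, written
# here to fit his "Auth error for '$tU' from '$si', peer not found" text.
SHAHERYARKH_FAILREGEX = (
    r"Auth error for '.*' from '<HOST>', (?:peer not found|wrong password)"
)

# Constructed opensips.log excerpt: three xlog lines in bakko's format, one in
# shaheryarkh's format, and Nick's drop message. Addresses are TEST-NET.
SAMPLE_LOG = """\
Mar  6 19:52:41 sip /usr/sbin/opensips[2310]: Auth error for 5988@sip.example.net from 203.0.113.7 cause -1
Mar  6 19:52:42 sip /usr/sbin/opensips[2310]: Auth error for 5989@sip.example.net from 203.0.113.7 cause -1
Mar  6 19:52:43 sip /usr/sbin/opensips[2310]: Auth error for 5990@sip.example.net from 203.0.113.7 cause -2
Mar  6 19:53:10 sip /usr/sbin/opensips[2310]: Auth error for alice@sip.example.net from 198.51.100.20 cause -2
Mar  6 19:53:11 sip /usr/sbin/opensips[2310]: Attack attempt - Request dropped
Mar  6 19:53:12 sip /usr/sbin/opensips[2310]: [UDP:5988@203.0.113.7:5981]: Auth error for '5988' from '203.0.113.7', peer not found - User-Agent: 'friendly-scanner'
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def syslog_time(line):
    """Parse the leading 'Mon dd HH:MM:SS' syslog timestamp (year is ignored)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def matching_hosts(lines, failregex):
    """Return the <HOST> capture of every line the failregex matches, in order.

    An empty result for lines you expected to match is the symptom discussed
    in the thread: fail2ban never sees a failure its regex does not match.
    """
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


def hosts_to_ban(lines, failregex, maxretry=3, findtime=600):
    """Emulate the jail's counting: a host is banned once it has `maxretry`
    matching lines inside any window of `findtime` seconds (maxretry = 3 is
    bakko's jail setting; findtime = 600 is fail2ban's default)."""
    rx = compile_failregex(failregex)
    hits = defaultdict(list)
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")].append(syslog_time(line))
    window = timedelta(seconds=findtime)
    banned = []
    for host, times in hits.items():
        times.sort()
        if any(times[i + maxretry - 1] - times[i] <= window
               for i in range(len(times) - maxretry + 1)):
            banned.append(host)
    return sorted(banned)


if __name__ == "__main__":
    for name, rx in (("bakko", BAKKO_FAILREGEX),
                     ("shaheryarkh", SHAHERYARKH_FAILREGEX)):
        print(name, "matches:", matching_hosts(SAMPLE_LINES, rx))
        print(name, "would ban:", hosts_to_ban(SAMPLE_LINES, rx))
```

Run against the sample, bakko's failregex matches only the four lines in his own format and bans 203.0.113.7 after its three failures, while the line in shaheryarkh's format (quoted IP, no "cause -N") is invisible to it and needs its own regex. Checking a filter this way against real lines from opensips.log, before relying on the jail, is the test the thread's warning about matching patterns amounts to.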

Re: How to protect OpenSIPS from undesired requests (DoS attack?)

Stefano Pisani
In reply to this post by leo
On 06/03/2013 19:58, leo wrote:
> I've also added Nick's suggestion:
> if ($ua =~ "friendly-scanner") {
>     xlog("L_ERR", "Attack attempt - Request dropped");
>     drop();
> }
>
> But I don't get those events in the opensips.log file either.

It depends where in the script you added these lines; have you used the right place?

s
