[Freeswitch-dev] Bruteforce hack

jay binks jaybinks at gmail.com
Wed Mar 30 04:52:38 MSD 2011


Check out Fail2Ban and turn on the correct sofia settings to enable fail2ban-compatible logging.

http://wiki.freeswitch.org/wiki/Fail2ban
That will help protect you.

I think the plan is not to bloat FreeSWITCH with a million features when they can be built around FreeSWITCH.
Also, it's better to do the banning at iptables; that way the FS process doesn't even see the traffic.

In my situation we take fail2ban a step further and add a route to our BGP blackhole setup for repeat offenders.
That way it doesn't even traverse the network.

It's just more flexible this way; then you can apply your own logic easily.

Jay

On Wed, Mar 30, 2011 at 10:44 AM, Oleg Khovayko <khovayko at gmail.com> wrote:

> Hi,
>
> A couple of months ago I reported strange behaviour of FreeSWITCH: 100% CPU usage and a memory leak.
>
> Today I caught this situation and viewed the logs.
> I found something like ping-pong with a SIP-port attack:
>
> FS log:
>
> 2011-03-29 20:12:42.754314 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:42.754314 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:42.754314 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:42.754314 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:42.754314 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:42.938408 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:42.957793 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:42.981472 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:42.999635 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:43.028769 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:43.048709 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:43.064379 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:43.080898 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:43.099860 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:43.118179 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:43.133097 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:43.149791 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:43.172722 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:43.187540 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:43.203845 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:43.219207 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:43.233950 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:43.250684 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:43.267531 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
> 2011-03-29 20:12:43.283970 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@173.79.240.220] from ip 118.175.22.75
>
> tcpdump output:
>
> 20:19:11.863940 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP, length: 331
> 20:19:11.914740 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP, length: 330
> 20:19:11.917521 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP, length: 331
> 20:19:11.931544 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP, length: 330
> 20:19:11.934351 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP, length: 331
> 20:19:11.946799 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP, length: 331
> 20:19:11.949370 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP, length: 330
> 20:19:11.954355 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP, length: 331
> 20:19:11.957996 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP, length: 605
> 20:19:11.958972 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP, length: 604
> 20:19:11.959998 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP, length: 605
> 20:19:11.961019 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP, length: 605
> 20:19:11.961814 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP, length: 329
> 20:19:11.962213 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP, length: 605
> 20:19:11.963141 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP, length: 605
> 20:19:11.964106 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP, length: 604
> 20:19:11.965059 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP, length: 604
> 20:19:11.966066 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP, length: 604
> 20:19:11.967018 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP, length: 604
> 20:19:11.967965 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP, length: 605
> 20:19:11.968930 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP, length: 605
>
> Also, I see the attack continued when I stopped FreeSWITCH:
>
> 20:21:46.045995 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP, length: 331
> 20:21:46.046088 IP deskpro.khovayko.com > 118.175.22.75: ICMP deskpro.khovayko.com udp port sip unreachable, length 36
> 20:21:46.051280 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP, length: 331
> 20:21:46.051378 IP deskpro.khovayko.com > 118.175.22.75: ICMP deskpro.khovayko.com udp port sip unreachable, length 36
> 20:21:46.059059 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP, length: 331
> 20:21:46.059154 IP deskpro.khovayko.com > 118.175.22.75: ICMP deskpro.khovayko.com udp port sip unreachable, length 36
> 20:21:46.061089 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP, length: 330
> 20:21:46.061187 IP deskpro.khovayko.com > 118.175.22.75: ICMP deskpro.khovayko.com udp port sip unreachable, length 36
> 20:21:46.065982 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP, length: 331
> 20:21:46.066076 IP deskpro.khovayko.com > 118.175.22.75: ICMP deskpro.khovayko.com udp port sip unreachable, length 36
> 20:21:46.073622 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP, length: 330
> 20:21:46.073719 IP deskpro.khovayko.com > 118.175.22.75: ICMP deskpro.khovayko.com udp port sip unreachable, length 36
> 20:21:46.076260 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP, length: 331
> 20:21:46.076352 IP deskpro.khovayko.com > 118.175.22.75: ICMP deskpro.khovayko.com udp port sip unreachable, length 36
> 20:21:46.083160 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP, length: 331
> 20:21:46.083256 IP deskpro.khovayko.com > 118.175.22.75: ICMP deskpro.khovayko.com udp port sip unreachable, length 36
> 20:21:46.090586 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP, length: 330
> 20:21:46.090684 IP deskpro.khovayko.com > 118.175.22.75: ICMP deskpro.khovayko.com udp port sip unreachable, length 36
>
> So, you can see, this is not wrong FS activity; this is just an attack, an attempt to hack in by the method of "brute force and ignorance".
>
> I think the easiest way to protect FS is to dynamically ban the IP from which the attack comes.
>
> Or, maybe a smoother policy: count the unsuccessful login attempts from some IP, and after a threshold set a timewait for this IP.
>
>
> See the following pseudocode sample demonstrating this idea:
>
> #include <unistd.h>
>
> #define BAN_THRESHOLD 10      /* failed attempts before an IP is slowed down */
> static unsigned char bantable[1<<12]; /* 4K hashtable for ban counter. */
>
> static unsigned hash(const char *s)   /* djb2; FS would use its own hash */
> {
>     unsigned h = 5381;
>     while (*s) h = h * 33 + (unsigned char)*s++;
>     return h;
> }
>
> /* Call once per REGISTER with the result of the password check. */
> void note_login(const char *user_ip_address, int login_ok)
> {
>     unsigned ban_index = hash(user_ip_address) & (sizeof(bantable) - 1);
>
>     if (login_ok)
>         bantable[ban_index] = 0;              /* IP is valid */
>     else if (bantable[ban_index] >= BAN_THRESHOLD)
>         sleep(1);   /* explicit threshold instead of waiting for a signed char to wrap */
>     else
>         bantable[ban_index]++;
> }
>
> The idea is as follows: if a real user comes in and is unlucky (same hash as the attacker), he just gets a 1s delay.
> But for the hacker it will decrease the attack dataflow and slow him down...



-- 
Sincerely

Jay
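As an added example (not code from the thread, from fail2ban or from the FreeSWITCH project), the counting that fail2ban does over sofia log lines like the ones quoted above: parse each "SIP auth challenge" warning, keep a sliding window of events per source IP, and decide a ban once maxretry events land inside findtime. The regex also accepts "SIP auth failure", on the assumption that this is the wording sofia emits once the log-auth-failures setting the linked wiki page describes is enabled; the log lines, IP addresses and thresholds below are constructed, and the iptables rule is only built as an argv, never executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Shape of the sofia_reg.c warning quoted in the thread (one event per line).
# "challenge" is what the thread shows; "failure" is assumed to be the wording
# once sofia's log-auth-failures is on.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) \[WARNING\] sofia_reg\.c:\d+ '
    r'SIP auth (?P<kind>challenge|failure) \((?P<method>[A-Z]+)\) on sofia profile '
    r"'(?P<profile>[^']+)' for \[(?P<user>[^\]]*)\] from ip "
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$'
)

# Constructed sample log: six rapid events from one source, two slow ones from
# another, and one unrelated line the parser must ignore.
SAMPLE_LOG = [
    "2011-03-29 20:12:42.754314 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@203.0.113.1] from ip 203.0.113.9",
    "2011-03-29 20:12:42.938408 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@203.0.113.1] from ip 203.0.113.9",
    "2011-03-29 20:12:42.957793 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@203.0.113.1] from ip 203.0.113.9",
    "2011-03-29 20:12:42.981472 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@203.0.113.1] from ip 203.0.113.9",
    "2011-03-29 20:12:42.999635 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@203.0.113.1] from ip 203.0.113.9",
    "2011-03-29 20:12:43.028769 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4@203.0.113.1] from ip 203.0.113.9",
    "2011-03-29 20:12:50.000000 [WARNING] sofia_reg.c:1246 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@203.0.113.1] from ip 198.51.100.4",
    "2011-03-29 20:14:10.000000 [WARNING] sofia_reg.c:1246 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@203.0.113.1] from ip 198.51.100.4",
    "2011-03-29 20:12:50.100000 [NOTICE] switch_core.c:1 unrelated line",
]


def parse_line(line):
    """Return the fields of one sofia auth warning, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event['ts'] = datetime.strptime(event['ts'], '%Y-%m-%d %H:%M:%S.%f')
    return event


class SipBanTracker:
    """Per-IP sliding window, the same maxretry/findtime model fail2ban uses."""

    def __init__(self, maxretry=5, findtime=timedelta(seconds=60)):
        self.maxretry = maxretry
        self.findtime = findtime
        self.events = defaultdict(deque)   # ip -> timestamps inside the window
        self.banned = {}                   # ip -> timestamp of the ban decision

    def observe(self, event):
        """Record one event; return True exactly when it triggers a new ban."""
        ip, ts = event['ip'], event['ts']
        if ip in self.banned:
            return False                   # already decided; nothing new to do
        window = self.events[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()               # drop events older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = ts
            return True
        return False


def ban_command(ip):
    """argv for the iptables rule a ban action would insert (built, not run)."""
    return ['iptables', '-I', 'INPUT', '-s', ip, '-p', 'udp', '--dport', '5060',
            '-j', 'DROP']


def scan(lines, maxretry=5, findtime_s=60):
    """Feed log lines through the tracker; return new bans and the tracker."""
    tracker = SipBanTracker(maxretry, timedelta(seconds=findtime_s))
    new_bans = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        if tracker.observe(event):
            new_bans.append((event['ip'], event['ts']))
    return new_bans, tracker


if __name__ == '__main__':
    bans, _ = scan(SAMPLE_LOG)
    for ip, ts in bans:
        print(ts, 'ban', ip, ' '.join(ban_command(ip)))
```

The second source in the sample never reaches the threshold because its two failures are 80 seconds apart, so the first has left the 60-second window by the time the second arrives; that is the property that lets a legitimate phone with a mistyped password survive while the flood in the thread (25 challenges in half a second) is caught on its fifth line. Dropping at iptables, as the reply recommends, also stops the 401 challenge replies and the ICMP port-unreachable messages visible in the tcpdump output, since FreeSWITCH and the kernel never see the packets.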