[Freeswitch-users] INVITE DoS Prevention

covici at ccs.covici.com covici at ccs.covici.com
Mon Feb 21 12:31:18 MSK 2011 

I would change sip auth failure to challenge and then have sufficient
times to only block if there are too many challenges in a certain time.
I am not even sure the failure works any more in recent gits.

Spencer Thomason <spencer at 5ninesolutions.com> wrote:

> Yes, that works great if they respond to the challenge with a failed  
> auth. But the scenario I'm trying to prevent is if they just send the  
> INVITE and never respond to the challenge.  Fail2Ban will not work as  
> every endpoint will initially send an INVITE and receive a challenge.   
> Legit calls will then respond correctly and not be logged as a SIP  
> auth failure but every call that is challenged will show up as SIP  
> auth challenge in the logs so there is no regex to differentiate  
> between legit an non legit traffic.
> 
> Spencer
> 
> On Feb 20, 2011, at 10:39 PM, Ken Rice wrote:
> 
> > Fail2Ban ... This is block an IP with too many failed attempts from
> > something like SipVicious pretty quickly
> >
> >
> > On 2/20/11 11:07 PM, "Spencer Thomason" <spencer at 5ninesolutions.com>  
> > wrote:
> >
> >> Hi,
> >> We run hosted Freeswitch instances in VMs with the internal profile  
> >> on
> >> port 5060 connecting to clients mostly behind NAT and then the
> >> external profile connecting to our proxies only.  Protecting the
> >> external profile its straightforward.. we only allow traffic to/from
> >> our proxies at the firewall level.  But protecting the internal
> >> profile seems to be a bit more difficult because the UACs could be
> >> theoretically anywhere on the network.
> >>
> >> I'm currently using Fail2Ban to prevent brute force registration and
> >> INVITEs on auth failures, e.g.:
> >> failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\)
> >> on sofia profile \'\w+\' for \[.*\] from ip <HOST>
> >>             \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\)
> >> on sofia profile \'\w+\' for \[.*\] from ip <HOST>
> >>
> >> My question is, since its part of a normal SIP dialog to challenge  
> >> the
> >> INVITE, is there any way to prevent a possible DoS from just sheer
> >> volume of incoming INVITEs on an Internet facing server
> >> automatically.  I.e., If you block the logged challenge, you'd block
> >> all legitimate INVITEs and registrations.  Since its UDP traffic I
> >> couldn't come up with a way to do it automatically at the iptables
> >> level. i.e. number of concurrent connections.  Is there some option  
> >> to
> >> just not respond if a client is sending a number of requests over a
> >> certain threshold?  It might not stop them from sending the traffic
> >> but pretty soon they'd get the idea that it wasn't going to go
> >> anywhere.  My concern is say there are 50 Freeswitch instances on a
> >> box (albeit 8 core, 32GB ram, 8 15K raid 10 storage) and someone
> >> starts sending thousands of rouge INVITEs to every VM on a physical
> >> box that the CPU load from just challenging the incoming INVITEs  
> >> would
> >> create a DoS.  We the logs regularly to try to catch people doing  
> >> this
> >> sort of thing and drop them at a router upstream of the core network,
> >> but I'd like to have it happen without human intervention.  Have I
> >> completely over thought this and am missing something obvious?
> >>
> >> Thanks,
> >> Spencer
> >>
> >>
> >> _______________________________________________
> >> FreeSWITCH-users mailing list
> >> FreeSWITCH-users at lists.freeswitch.org
> >> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> >> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> >> http://www.freeswitch.org
> >
> >
> >
> > _______________________________________________
> > FreeSWITCH-users mailing list
> > FreeSWITCH-users at lists.freeswitch.org
> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> > http://www.freeswitch.org
> >
> 
> 
> _______________________________________________
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

         John Covici
         covici at ccs.covici.com

More information about the FreeSWITCH-users mailing list