[Freeswitch-users] No failure messages in log during SIPVicious attack
Phil Quesinberry
philq at qsystemsengineering.com
Wed Mar 20 07:21:34 MSK 2013
We were the recipients of another script-kiddie SIPVicious attack this
evening, but Fail2ban didn't catch it because there was no failure message
in the log, just repeated registration messages. I added the following to
sofia.conf.xml and reloaded but there was no change in behavior:
<param name="log-auth-failures" value="true"/>
Interestingly, if I tell the Aastra on my desk to register with the wrong
password, there is a failure message logged.
I'm not sure why this attack doesn't generate a failure message but I added
a rule under filter.d to ban IPs with too many registration attempts in a
certain period of time. Of course I'd prefer to ban only on failures.
The user agent string would seem to indicate that this is an older version
of SIPVicious but I was unable to crash it with svcrash.
Here is an excerpt of the traffic:
2013-03-19 21:48:24.160919 [WARNING] sofia_reg.c:1520 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4623 at xx.xx.xx.xx] from ip
70.38.71.75
2013-03-19 21:48:24.160919 [WARNING] sofia_reg.c:1520 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4623 at xx.xx.xx.xx] from ip
70.38.71.75
2013-03-19 21:48:24.181262 [WARNING] sofia_reg.c:1520 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4623 at xx.xx.xx.xx] from ip
70.38.71.75
2013-03-19 21:48:24.181262 [WARNING] sofia_reg.c:1520 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4623 at xx.xx.xx.xx] from ip
70.38.71.75
2013-03-19 21:48:24.181262 [WARNING] sofia_reg.c:1520 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4623 at xx.xx.xx.xx] from ip
70.38.71.75
2013-03-19 21:48:24.201143 [WARNING] sofia_reg.c:1520 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4623 at xx.xx.xx.xx] from ip
70.38.71.75
freeswitch at internal> sofia profile internal siptrace on
Enabled sip debugging on internal
2013-03-19 21:48:24.201143 [WARNING] sofia_reg.c:1520 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4623 at xx.xx.xx.xx] from ip
70.38.71.75
recv 333 bytes from udp/[70.38.71.75]:5115 at 01:48:24.223941:
------------------------------------------------------------------------
REGISTER sip:xx.xx.xx.xx SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5115;branch=z9hG4bK-1676888071;rport
Content-Length: 0
From: "4623" <sip:4623 at xx.xx.xx.xx>
Accept: application/sdp
User-Agent: friendly-scanner
To: "4623" <sip:4623 at xx.xx.xx.xx>
Contact: sip:123 at 1.1.1.1
CSeq: 1 REGISTER
Call-ID: 1757394
Max-Forwards: 70
------------------------------------------------------------------------
2013-03-19 21:48:24.220953 [WARNING] sofia_reg.c:1520 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4623 at xx.xx.xx.xx] from ip
70.38.71.75
send 621 bytes to udp/[70.38.71.75]:5115 at 01:48:24.225084:
------------------------------------------------------------------------
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP
127.0.0.1:5115;branch=z9hG4bK-1676888071;rport=5115;received=70.38.71.75
From: "4623" <sip:4623 at xx.xx.xx.xx>
To: "4623" <sip:4623 at xx.xx.xx.xx>;tag=tNtgHUjZSej3F
Call-ID: 1757394
CSeq: 1 REGISTER
User-Agent: FreeSWITCH-mod_sofia/1.3.14b+git~20130301T214848Z~c35a41e4ca
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE,
REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
Supported: timer, precondition, path, replaces
WWW-Authenticate: Digest realm="xx.xx.xx.xx",
nonce="c34ebd55-e53c-4590-b7e8-423e21fc26b9", algorithm=MD5, qop="auth"
Content-Length: 0
------------------------------------------------------------------------
recv 336 bytes from udp/[70.38.71.75]:5115 at 01:48:24.234418:
------------------------------------------------------------------------
REGISTER sip:xx.xx.xx.xx SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5115;branch=z9hG4bK-2042428707;rport
Content-Length: 0
From: "4623" <sip:4623 at xx.xx.xx.xx>
Accept: application/sdp
User-Agent: friendly-scanner
To: "4623" <sip:4623 at xx.xx.xx.xx>
Contact: sip:123 at 1.1.1.1
CSeq: 1 REGISTER
Call-ID: 2727970266
Max-Forwards: 70
------------------------------------------------------------------------
2013-03-19 21:48:24.220953 [WARNING] sofia_reg.c:1520 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4623 at xx.xx.xx.xx] from ip
70.38.71.75
send 624 bytes to udp/[70.38.71.75]:5115 at 01:48:24.235851:
------------------------------------------------------------------------
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP
127.0.0.1:5115;branch=z9hG4bK-2042428707;rport=5115;received=70.38.71.75
From: "4623" <sip:4623 at xx.xx.xx.xx>
To: "4623" <sip:4623 at xx.xx.xx.xx>;tag=UyK9jp32pQ8NB
Call-ID: 2727970266
CSeq: 1 REGISTER
User-Agent: FreeSWITCH-mod_sofia/1.3.14b+git~20130301T214848Z~c35a41e4ca
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE,
REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
Supported: timer, precondition, path, replaces
WWW-Authenticate: Digest realm="xx.xx.xx.xx",
nonce="6343aee4-d0a4-4357-b34d-11a4658b954c", algorithm=MD5, qop="auth"
Content-Length: 0
Phil Quesinberry
Q Systems Engineering, Inc.
Electronic Controls and Embedded Systems Development
(410) 969-8002
http://www.qsystemsengineering.com
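The trace above also shows why a failure-based Fail2ban rule never fires here: each REGISTER from the scanner arrives without an Authorization header, FreeSWITCH answers 401 with a fresh nonce, and the next REGISTER is a brand-new transaction (different Call-ID, same missing credentials). There is never a wrong-password response to reject, so the only thing logged is the "SIP auth challenge" warning. The following is an added example, not code from the post or from the FreeSWITCH project: a small Python rate counter over that warning line, keyed on the "from ip" field, which trips once an address draws more than a threshold of challenges inside a sliding window (the same idea as a filter.d rule with maxretry/findtime). The log lines are constructed to match the single-line format FreeSWITCH writes (the post's copies are only wrapped by the mail client), and the addresses 203.0.113.5, 198.51.100.7 and 192.0.2.10 are placeholders; the fail2ban failregex string is an assumed illustration, not a shipped filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the mod_sofia warning shown in the post.  Note that this line is
# emitted when FreeSWITCH *sends* a 401 challenge, not when credentials fail,
# so counting it means counting unauthenticated REGISTER attempts.
CHALLENGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \[WARNING\] sofia_reg\.c:\d+ "
    r"SIP auth challenge \((?P<method>[A-Z]+)\) on sofia profile '(?P<profile>[^']+)' "
    r"for \[(?P<user>[^\]]+)\] from ip (?P<ip>[0-9a-fA-F.:]+)$"
)

# Assumed fail2ban filter.d failregex expressing the same match; <HOST> is
# fail2ban's placeholder for the offending address.
FAIL2BAN_FAILREGEX = (
    r"SIP auth challenge \(REGISTER\) on sofia profile '\S+' for \[.*\] from ip <HOST>"
)


def parse_challenge(line):
    """Return a dict for one 'SIP auth challenge' line, or None for anything else."""
    m = CHALLENGE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "method": m.group("method"),
        "profile": m.group("profile"),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def find_offenders(lines, maxretry=10, findtime_s=60):
    """Return {ip: time_first_tripped} for addresses that drew at least
    `maxretry` REGISTER challenges within any `findtime_s`-second window."""
    findtime = timedelta(seconds=findtime_s)
    windows = defaultdict(deque)   # ip -> timestamps inside the current window
    tripped = {}
    for line in lines:
        ev = parse_challenge(line)
        if ev is None or ev["method"] != "REGISTER":
            continue                # siptrace output, other methods, etc.
        q = windows[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > findtime:
            q.popleft()             # slide the window forward
        if len(q) >= maxretry and ev["ip"] not in tripped:
            tripped[ev["ip"]] = ev["ts"]
    return tripped


# --- constructed sample log (placeholder addresses, not from the post) ---
_SCANNER = "203.0.113.5"
_PHONE = "198.51.100.7"


def _line(ts, user, ip):
    return (f"{ts} [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) "
            f"on sofia profile 'internal' for [{user}@192.0.2.10] from ip {ip}")


SAMPLE_LOG = [_line(f"2013-03-19 21:48:24.{160919 + i * 20000:06d}", "4623", _SCANNER)
              for i in range(12)]                      # 12 challenges in one second
SAMPLE_LOG += [
    "recv 333 bytes from udp/[203.0.113.5]:5115 at 01:48:24.223941:",  # ignored
    _line("2013-03-19 21:48:30.000001", "1001", _PHONE),  # a real phone, two tries
    _line("2013-03-19 21:49:10.000001", "1001", _PHONE),
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban candidate {ip} (threshold reached at {when})")
```

A stricter variant would key on (ip, user) or check that the REGISTER never carried an Authorization header, but the challenge warning alone does not record that; the siptrace output would be needed for it.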