[Freeswitch-users] No failure messages in log during SIPVicious attack
Ken Rice
krice at freeswitch.org
Wed Mar 20 08:30:19 MSK 2013
There are rules on the wiki for iptables for banning friendly-scanner
completely.
On 3/19/13 10:21 PM, "Phil Quesinberry" <philq at qsystemsengineering.com>
wrote:
> We were the recipients of another script-kiddie SIPVicious attack this
> evening, but Fail2ban didn't catch it because there was no failure message in
> the log, just repeated registration messages. I added the following to
> sofia.conf.xml and reloaded but there was no change in behavior:
>
> <param name="log-auth-failures" value="true"/>
>
> Interestingly, if I tell the Aastra on my desk to register with the wrong
> password, there is a failure message logged.
>
> I'm not sure why this attack doesn't generate a failure message but I added a
> rule under filter.d to ban IPs with too many registration attempts in a
> certain period of time. Of course I'd prefer to ban only on failures.
>
> The user agent string would seem to indicate that this is an older version of
> SIPVicious but I was unable to crash it with svcrash.
>
> Here is an excerpt of the traffic:
>
> 2013-03-19 21:48:24.160919 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
> 2013-03-19 21:48:24.160919 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
> 2013-03-19 21:48:24.181262 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
> 2013-03-19 21:48:24.181262 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
> 2013-03-19 21:48:24.181262 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
> 2013-03-19 21:48:24.201143 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
>
> freeswitch@internal> sofia profile internal siptrace on
> Enabled sip debugging on internal
>
> 2013-03-19 21:48:24.201143 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
>
> recv 333 bytes from udp/[70.38.71.75]:5115 at 01:48:24.223941:
> ------------------------------------------------------------------------
> REGISTER sip:xx.xx.xx.xx SIP/2.0
> Via: SIP/2.0/UDP 127.0.0.1:5115;branch=z9hG4bK-1676888071;rport
> Content-Length: 0
> From: "4623" <sip:4623@xx.xx.xx.xx>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "4623" <sip:4623@xx.xx.xx.xx>
> Contact: sip:123@1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 1757394
> Max-Forwards: 70
>
> ------------------------------------------------------------------------
>
> 2013-03-19 21:48:24.220953 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
>
> send 621 bytes to udp/[70.38.71.75]:5115 at 01:48:24.225084:
> ------------------------------------------------------------------------
> SIP/2.0 401 Unauthorized
> Via: SIP/2.0/UDP 127.0.0.1:5115;branch=z9hG4bK-1676888071;rport=5115;received=70.38.71.75
> From: "4623" <sip:4623@xx.xx.xx.xx>
> To: "4623" <sip:4623@xx.xx.xx.xx>;tag=tNtgHUjZSej3F
> Call-ID: 1757394
> CSeq: 1 REGISTER
> User-Agent: FreeSWITCH-mod_sofia/1.3.14b+git~20130301T214848Z~c35a41e4ca
> Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
> Supported: timer, precondition, path, replaces
> WWW-Authenticate: Digest realm="xx.xx.xx.xx", nonce="c34ebd55-e53c-4590-b7e8-423e21fc26b9", algorithm=MD5, qop="auth"
> Content-Length: 0
>
> ------------------------------------------------------------------------
>
> recv 336 bytes from udp/[70.38.71.75]:5115 at 01:48:24.234418:
> ------------------------------------------------------------------------
> REGISTER sip:xx.xx.xx.xx SIP/2.0
> Via: SIP/2.0/UDP 127.0.0.1:5115;branch=z9hG4bK-2042428707;rport
> Content-Length: 0
> From: "4623" <sip:4623@xx.xx.xx.xx>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "4623" <sip:4623@xx.xx.xx.xx>
> Contact: sip:123@1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 2727970266
> Max-Forwards: 70
>
> ------------------------------------------------------------------------
>
> 2013-03-19 21:48:24.220953 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
>
> send 624 bytes to udp/[70.38.71.75]:5115 at 01:48:24.235851:
> ------------------------------------------------------------------------
> SIP/2.0 401 Unauthorized
> Via: SIP/2.0/UDP 127.0.0.1:5115;branch=z9hG4bK-2042428707;rport=5115;received=70.38.71.75
> From: "4623" <sip:4623@xx.xx.xx.xx>
> To: "4623" <sip:4623@xx.xx.xx.xx>;tag=UyK9jp32pQ8NB
> Call-ID: 2727970266
> CSeq: 1 REGISTER
> User-Agent: FreeSWITCH-mod_sofia/1.3.14b+git~20130301T214848Z~c35a41e4ca
> Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
> Supported: timer, precondition, path, replaces
> WWW-Authenticate: Digest realm="xx.xx.xx.xx", nonce="6343aee4-d0a4-4357-b34d-11a4658b954c", algorithm=MD5, qop="auth"
> Content-Length: 0
> Phil Quesinberry
> Q Systems Engineering, Inc.
> Electronic Controls and Embedded Systems Development
> (410) 969-8002
> http://www.qsystemsengineering.com
--
Ken
http://www.FreeSWITCH.org
http://www.ClueCon.com
http://www.OSTAG.org
irc.freenode.net #freeswitch
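The trace above shows why Fail2ban stayed quiet: the scanner never answers the 401, so FreeSWITCH only ever logs the "SIP auth challenge" WARNING and never a failure line. Phil's workaround, counting registration attempts per source IP inside a time window, is what the script below does. It is an added example written for this thread, not code from FreeSWITCH, Fail2ban or the FreeSWITCH wiki. It parses the exact log line format shown in the thread, applies Fail2ban-style maxretry/findtime counting per IP, can be restricted to failure lines only (Phil's preference), and emits the equivalent filter.d failregex using Fail2ban's <HOST> placeholder. Assumptions: the "SIP auth failure" line that log-auth-failures produces follows the same template as the challenge line with "failure" in place of "challenge" (assumed, not shown on the page); the sample log lines are constructed, with the PBX at the documentation address 192.0.2.1 and a legitimate phone at 192.0.2.10.

```python
"""Fail2ban-style detector for FreeSWITCH "SIP auth challenge/failure" lines.

Added example for the mailing-list thread; not FreeSWITCH, Fail2ban or wiki code.
Assumption: the "failure" line uses the same template as the "challenge" line.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One log line, exactly as sofia_reg.c prints it in the thread (single line;
# the mail client wrapped it). The "failure" alternative is assumed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{1,6}) \[(?P<level>[A-Z]+)\] "
    r"sofia_reg\.c:\d+ SIP auth (?P<kind>challenge|failure) "
    r"\((?P<method>[A-Z]+)\) on sofia profile '(?P<profile>[^']+)' "
    r"for \[(?P<user>[^\]@]*)@(?P<domain>[^\]]+)\] from ip "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_line(line):
    """Return the fields of one auth challenge/failure line, or None if no match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return fields


def find_offenders(lines, maxretry=5, findtime=60, kinds=("challenge", "failure")):
    """Sliding-window count per source IP, like Fail2ban's maxretry/findtime.

    kinds selects which lines count: both (the thread's workaround) or
    ("failure",) only. Returns {ip: hits inside the window when the ban fired}.
    Lines for a given IP must arrive in time order, as they do in a log file.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        hit = parse_line(line)
        if hit is None or hit["kind"] not in kinds or hit["ip"] in banned:
            continue
        q = recent[hit["ip"]]
        q.append(hit["ts"])
        while hit["ts"] - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            banned[hit["ip"]] = len(q)
    return banned


def fail2ban_failregex(kinds=("challenge", "failure")):
    """The equivalent filter.d failregex (Fail2ban substitutes <HOST> itself)."""
    return (r"SIP auth (?:%s) \([A-Z]+\) on sofia profile '[^']+' "
            r"for \[[^\]]+\] from ip <HOST>\s*$" % "|".join(kinds))


def failregex_host(line, kinds=("challenge", "failure")):
    """Apply the filter.d regex the way Fail2ban would; return the host or None."""
    pattern = fail2ban_failregex(kinds).replace(
        "<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})")
    m = re.search(pattern, line)
    return m.group("host") if m else None


def _log(ts, kind, user, ip):
    """Build one constructed log line in the thread's format (sample data)."""
    return ("2013-03-19 %s [WARNING] sofia_reg.c:1520 SIP auth %s (REGISTER) "
            "on sofia profile 'internal' for [%s@192.0.2.1] from ip %s"
            % (ts, kind, user, ip))


# Constructed sample log: a legitimate phone that is challenged once when it
# registers and mistypes its password once, then the scanner burst from the thread.
SAMPLE_LOG = [
    _log("21:40:00.000000", "challenge", "201", "192.0.2.10"),
    _log("21:45:00.000000", "failure", "201", "192.0.2.10"),
    _log("21:48:24.160919", "challenge", "4623", "70.38.71.75"),
    _log("21:48:24.160919", "challenge", "4623", "70.38.71.75"),
    _log("21:48:24.181262", "challenge", "4623", "70.38.71.75"),
    _log("21:48:24.181262", "challenge", "4623", "70.38.71.75"),
    _log("21:48:24.181262", "challenge", "4623", "70.38.71.75"),
    _log("21:48:24.201143", "challenge", "4623", "70.38.71.75"),
    "2013-03-19 21:48:24.223941 [INFO] unrelated line that must not match",
]

if __name__ == "__main__":
    print("ban on challenges+failures:", find_offenders(SAMPLE_LOG))
    print("ban on failures only:", find_offenders(SAMPLE_LOG, maxretry=1, kinds=("failure",)))
    print("failregex:", fail2ban_failregex())
```

With the defaults the scanner is banned on its fifth challenge inside one second while the phone, challenged once per registration and failing once five minutes later, is not; counting failures only bans nobody for the scanner burst, which is exactly the gap Phil hit. Set maxretry/findtime above the rate at which legitimate endpoints are challenged (one challenge per REGISTER refresh), or the filter will ban your own phones. The `User-Agent: friendly-scanner` header in the trace is the other handle: it is what a payload-string firewall rule of the kind Ken refers to keys on, which stops the flood before FreeSWITCH logs anything, but it only catches scanners that keep that string, so the two approaches complement each other.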