[Freeswitch-users] No failure messages in log during SIPVicious attack

Avi Marcus avi at avimarcus.net
Wed Mar 20 11:24:56 MSK 2013


log-auth-failures only logs when there's been an actual failure:
reg -> 401 -> (send password again with md5 hashed password) -> reg failure.

It sounds like this attack was just "reg" so it didn't get triggered.

That's why there's a separate fail2ban profile for floods --
http://wiki.freeswitch.org/wiki/Fail2ban#SIP_DOS_Attack

There's another module that makes a dedicated log for fail2ban but I don't
think it's been tested much:
http://wiki.freeswitch.org/wiki/Mod_fail2ban


-Avi Marcus
BestFone


On Wed, Mar 20, 2013 at 6:21 AM, Phil Quesinberry <philq at qsystemsengineering.com> wrote:

>
> We were the recipients of another script-kiddie SIPVicious attack this
> evening, but Fail2ban didn’t catch it because there was no failure
> message in the log, just repeated registration messages.  I added the
> following to sofia.conf.xml and reloaded but there was no change in
> behavior:
>
> <param name="log-auth-failures" value="true"/>
>
> Interestingly, if I tell the Aastra on my desk to register with the wrong
> password, there is a failure message logged.
>
> I’m not sure why this attack doesn’t generate a failure message but I
> added a rule under filter.d to ban IPs with too many registration
> attempts in a certain period of time.  Of course I’d prefer to ban only on failures.
>
> The user agent string would seem to indicate that this is an older
> version of SIPVicious but I was unable to crash it with svcrash.
>
> Here is an excerpt of the traffic:
>
> 2013-03-19 21:48:24.160919 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
> 2013-03-19 21:48:24.160919 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
> 2013-03-19 21:48:24.181262 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
> 2013-03-19 21:48:24.181262 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
> 2013-03-19 21:48:24.181262 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
> 2013-03-19 21:48:24.201143 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
>
> freeswitch@internal> sofia profile internal siptrace on
> Enabled sip debugging on internal
>
> 2013-03-19 21:48:24.201143 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
>
> recv 333 bytes from udp/[70.38.71.75]:5115 at 01:48:24.223941:
>    ------------------------------------------------------------------------
>    REGISTER sip:xx.xx.xx.xx SIP/2.0
>    Via: SIP/2.0/UDP 127.0.0.1:5115;branch=z9hG4bK-1676888071;rport
>    Content-Length: 0
>    From: "4623" <sip:4623@xx.xx.xx.xx>
>    Accept: application/sdp
>    User-Agent: friendly-scanner
>    To: "4623" <sip:4623@xx.xx.xx.xx>
>    Contact: sip:123@1.1.1.1
>    CSeq: 1 REGISTER
>    Call-ID: 1757394
>    Max-Forwards: 70
>    ------------------------------------------------------------------------
>
> 2013-03-19 21:48:24.220953 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
>
> send 621 bytes to udp/[70.38.71.75]:5115 at 01:48:24.225084:
>    ------------------------------------------------------------------------
>    SIP/2.0 401 Unauthorized
>    Via: SIP/2.0/UDP 127.0.0.1:5115;branch=z9hG4bK-1676888071;rport=5115;received=70.38.71.75
>    From: "4623" <sip:4623@xx.xx.xx.xx>
>    To: "4623" <sip:4623@xx.xx.xx.xx>;tag=tNtgHUjZSej3F
>    Call-ID: 1757394
>    CSeq: 1 REGISTER
>    User-Agent: FreeSWITCH-mod_sofia/1.3.14b+git~20130301T214848Z~c35a41e4ca
>    Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
>    Supported: timer, precondition, path, replaces
>    WWW-Authenticate: Digest realm="xx.xx.xx.xx", nonce="c34ebd55-e53c-4590-b7e8-423e21fc26b9", algorithm=MD5, qop="auth"
>    Content-Length: 0
>    ------------------------------------------------------------------------
>
> recv 336 bytes from udp/[70.38.71.75]:5115 at 01:48:24.234418:
>    ------------------------------------------------------------------------
>    REGISTER sip:xx.xx.xx.xx SIP/2.0
>    Via: SIP/2.0/UDP 127.0.0.1:5115;branch=z9hG4bK-2042428707;rport
>    Content-Length: 0
>    From: "4623" <sip:4623@xx.xx.xx.xx>
>    Accept: application/sdp
>    User-Agent: friendly-scanner
>    To: "4623" <sip:4623@xx.xx.xx.xx>
>    Contact: sip:123@1.1.1.1
>    CSeq: 1 REGISTER
>    Call-ID: 2727970266
>    Max-Forwards: 70
>    ------------------------------------------------------------------------
>
> 2013-03-19 21:48:24.220953 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
>
> send 624 bytes to udp/[70.38.71.75]:5115 at 01:48:24.235851:
>    ------------------------------------------------------------------------
>    SIP/2.0 401 Unauthorized
>    Via: SIP/2.0/UDP 127.0.0.1:5115;branch=z9hG4bK-2042428707;rport=5115;received=70.38.71.75
>    From: "4623" <sip:4623@xx.xx.xx.xx>
>    To: "4623" <sip:4623@xx.xx.xx.xx>;tag=UyK9jp32pQ8NB
>    Call-ID: 2727970266
>    CSeq: 1 REGISTER
>    User-Agent: FreeSWITCH-mod_sofia/1.3.14b+git~20130301T214848Z~c35a41e4ca
>    Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
>    Supported: timer, precondition, path, replaces
>    WWW-Authenticate: Digest realm="xx.xx.xx.xx", nonce="6343aee4-d0a4-4357-b34d-11a4658b954c", algorithm=MD5, qop="auth"
>    Content-Length: 0
>
> Phil Quesinberry
> Q Systems Engineering, Inc.
> Electronic Controls and Embedded Systems Development
> (410) 969-8002
> http://www.qsystemsengineering.com
>
>
>
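The thread turns on one distinction: FreeSWITCH logs a "SIP auth challenge" line for every credential-less REGISTER it answers with a 401, but a "SIP auth failure" line only when a second REGISTER arrives carrying a bad digest response. A scanner that never answers the challenge therefore never produces the failure line that a log-auth-failures based fail2ban filter keys on, which is why a separate flood filter over the challenge lines is needed. The following is an added example, not code from FreeSWITCH, the fail2ban wiki, or either poster: it expresses both conditions as fail2ban-style failregex patterns, parses sofia log lines with them, and applies a sliding-window count to the challenge lines so that a challenge-only flood is flagged while a single phone with a mistyped password is not. The failure-line format, the sofia_reg.c line numbers, and all addresses in the sample log are constructed for the example.

```python
"""Detect SIPVicious-style REGISTER floods in FreeSWITCH sofia logs.

Added example for this thread, not code from FreeSWITCH or the fail2ban wiki.
Assumes the sofia_reg.c message formats shown in the thread; the "auth failure"
line and all addresses below are constructed sample data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban-style failregex patterns (written for this example). <HOST> is
# fail2ban's placeholder for the source address; sofia_reg.c line numbers vary
# between builds, so they are matched with \d+ rather than a fixed value.
CHALLENGE_FAILREGEX = (
    r"\[WARNING\] sofia_reg\.c:\d+ SIP auth challenge \((?P<method>REGISTER|INVITE)\) "
    r"on sofia profile '(?P<profile>[^']+)' for \[(?P<user>[^\]]+)\] from ip <HOST>"
)
FAILURE_FAILREGEX = (
    r"\[WARNING\] sofia_reg\.c:\d+ SIP auth failure \((?P<method>REGISTER|INVITE)\) "
    r"on sofia profile '(?P<profile>[^']+)' for \[(?P<user>[^\]]+)\] from ip <HOST>"
)
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)")


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python pattern by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>[0-9A-Fa-f.:]+)\s*$"))


PATTERNS = {
    "challenge": compile_failregex(CHALLENGE_FAILREGEX),
    "failure": compile_failregex(FAILURE_FAILREGEX),
}


def parse_line(line):
    """Return {ts, kind, method, profile, user, ip} for a matching log line, else None."""
    ts_match = TIMESTAMP_RE.match(line)
    if not ts_match:
        return None
    for kind, pattern in PATTERNS.items():
        m = pattern.search(line)
        if m:
            return {
                "ts": datetime.strptime(ts_match.group(1), "%Y-%m-%d %H:%M:%S.%f"),
                "kind": kind,
                "method": m.group("method"),
                "profile": m.group("profile"),
                "user": m.group("user"),
                "ip": m.group("host"),
            }
    return None


def failure_sources(lines):
    """IPs that produced a real auth failure (what log-auth-failures records)."""
    return {ev["ip"] for ev in map(parse_line, lines) if ev and ev["kind"] == "failure"}


def flood_sources(lines, window_seconds=10, threshold=5):
    """IPs that drew at least `threshold` auth challenges within `window_seconds`.

    A scanner that only ever sends the first, credential-less REGISTER never
    gets past the 401 challenge, so it never appears in failure_sources(); this
    sliding window over challenge lines is what catches it.
    Returns {ip: peak number of challenges seen inside one window}.
    """
    recent = defaultdict(deque)
    peak = {}
    for ev in map(parse_line, lines):
        if not ev or ev["kind"] != "challenge":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Drop timestamps that have fallen out of the window (q is never empty here).
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peak[ev["ip"]] = max(peak.get(ev["ip"], 0), len(q))
    return peak


# Constructed sample log: six challenges in 40 ms from a scanner (no second
# REGISTER, so no failure line), then one legitimate phone that really does
# send a wrong password and so produces a challenge followed by a failure.
SAMPLE_LOG = """\
2013-03-19 21:48:24.160919 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@192.0.2.10] from ip 198.51.100.7
2013-03-19 21:48:24.160919 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@192.0.2.10] from ip 198.51.100.7
2013-03-19 21:48:24.181262 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@192.0.2.10] from ip 198.51.100.7
2013-03-19 21:48:24.181262 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@192.0.2.10] from ip 198.51.100.7
2013-03-19 21:48:24.181262 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@192.0.2.10] from ip 198.51.100.7
2013-03-19 21:48:24.201143 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@192.0.2.10] from ip 198.51.100.7
2013-03-19 21:48:30.000000 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1001@192.0.2.10] from ip 203.0.113.5
2013-03-19 21:48:30.050000 [WARNING] sofia_reg.c:9999 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@192.0.2.10] from ip 203.0.113.5
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failure sources:", sorted(failure_sources(lines)))
    print("flood sources:", flood_sources(lines))
```

Run against the sample, the failure filter reports only the phone's address while the flood filter reports only the scanner's, which is the behaviour the two separate fail2ban profiles on the wiki are meant to give. The `window_seconds` and `threshold` values correspond to fail2ban's `findtime` and `maxretry`; pick them so that a busy but legitimate phone re-registering after a restart stays under the threshold.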