[Freeswitch-users] What kind of attack is this?
Jeff Leung
jleung at v10networks.ca
Mon Oct 14 19:00:03 MSD 2013
You can also use iptables to drop UDP packets with the string friendly-scanner destined to port 5060.
Ken Rice <krice at freeswitch.org> wrote:
This is sipvicious, it's a brute force scanner... See
http://wiki.freeswitch.org/wiki/Fail2ban on how to set up Fail2ban with
FreeSWITCH to defeat this attack.
On 10/14/13 9:28 AM, "Mimiko" <vbvbrj at gmail.com> wrote:
> Hello.
>
> Recently I see a DDoS on one interface and the FS module callcenter is working
> irregularly. tcpdump shows this:
>
> 17:17:42.410306 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto
> UDP (17), length 364)
> 50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 336
> E..l.. at .0...2.%
> MY.".....XW.REGISTER sip:A.B.C.D SIP/2.0
> Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-3646224729;rport
> Content-Length: 0
> From: "6796" <sip:6796 at A.B.C.D>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "6796" <sip:6796 at A.B.C.D>
> Contact: sip:123 at 1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 360911671
> Max-Forwards: 70
>
>
> 17:17:42.415504 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto
> UDP (17), length 365)
> 50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 337
> E..m.. at .0...2.%
> MY.".....Y,.REGISTER sip:A.B.C.D SIP/2.0
> Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-1538287390;rport
> Content-Length: 0
> From: "6796" <sip:6796 at A.B.C.D>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "6796" <sip:6796 at A.B.C.D>
> Contact: sip:123 at 1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 3912185912
> Max-Forwards: 70
>
>
> 17:17:42.420997 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto
> UDP (17), length 365)
> 50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 337
> E..m.. at .0...2.%
> MY.".....Y7.REGISTER sip:A.B.C.D SIP/2.0
> Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-3729326239;rport
> Content-Length: 0
> From: "6796" <sip:6796 at A.B.C.D>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "6796" <sip:6796 at A.B.C.D>
> Contact: sip:123 at 1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 2188845586
> Max-Forwards: 70
>
>
> 17:17:42.425886 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto
> UDP (17), length 365)
> 50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 337
> E..m.. at .0...2.%
> MY.".....Y3.REGISTER sip:A.B.C.D SIP/2.0
> Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-2208974380;rport
> Content-Length: 0
> From: "6796" <sip:6796 at A.B.C.D>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "6796" <sip:6796 at A.B.C.D>
> Contact: sip:123 at 1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 4149361432
> Max-Forwards: 70
>
>
> 17:17:42.431126 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto
> UDP (17), length 364)
> 50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 336
> E..l.. at .0...2.%
> MY.".....X..REGISTER sip:A.B.C.D SIP/2.0
> Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-725880732;rport
> Content-Length: 0
> From: "6796" <sip:6796 at A.B.C.D>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "6796" <sip:6796 at A.B.C.D>
> Contact: sip:123 at 1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 1466795680
> Max-Forwards: 70
>
>
> 17:17:42.436476 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto
> UDP (17), length 365)
> 50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 337
> E..m.. at .0...2.%
> MY.".....Y6.REGISTER sip:A.B.C.D SIP/2.0
> Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-3259665948;rport
> Content-Length: 0
> From: "6796" <sip:6796 at A.B.C.D>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "6796" <sip:6796 at A.B.C.D>
> Contact: sip:123 at 1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 3328716097
> Max-Forwards: 70
>
>
> 17:17:42.441541 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto
> UDP (17), length 364)
> 50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 336
> E..l.. at .0...2.%
> MY.".....XT.REGISTER sip:A.B.C.D SIP/2.0
> Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-2487219966;rport
> Content-Length: 0
> From: "6796" <sip:6796 at A.B.C.D>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "6796" <sip:6796 at A.B.C.D>
> Contact: sip:123 at 1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 684380132
> Max-Forwards: 70
>
>
> In iptables I have this:
> 1637 597K DROP all -- * * 50.30.37.10 0.0.0.0/0
> 0 0 DROP all -- * * 62.75.212.215 0.0.0.0/0
>
> So packets from that IP are not dropped. How is that? Does FS have a bug?
--
Ken
http://www.FreeSWITCH.org
http://www.ClueCon.com
http://www.OSTAG.org
irc.freenode.net #freeswitch
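The thread points at two things a defender wants to check on a capture like the one quoted: which packet-level source is actually sending the friendly-scanner REGISTERs (the IP header source, 50.30.37.10, not the 62.75.212.215 named in the Via header, which is why the rule for the Via address has a zero counter), and what rules to render from that. The script below is an added example, not code from the thread or from the FreeSWITCH project; the tcpdump text it parses is a constructed sample modelled on the quoted output, with the victim address replaced by the documentation address 203.0.113.7 and one legitimate phone registration added for contrast. The iptables string-match rule it renders is the one Jeff describes; the per-source DROP mirrors the rules in the quoted `iptables` listing.

```python
"""Triage SIP scanner traffic from a tcpdump text dump (added example).

Parses packet summary lines plus the SIP request that follows each one,
groups by the IP-layer source, flags known scanner User-Agents, reports
when the Via header names a different host than the packet source, and
renders (does not apply) the iptables rules discussed in the thread.
"""
import re

# Constructed sample in the shape of the quoted tcpdump output. The packet
# source (left of '>') and the Via host deliberately differ, as in the thread.
SAMPLE_DUMP = """\
17:17:42.410306 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 364)
50.30.37.10.5064 > 203.0.113.7.5060: [udp sum ok] UDP, length 336
REGISTER sip:203.0.113.7 SIP/2.0
Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-3646224729;rport
Content-Length: 0
From: "6796" <sip:6796@203.0.113.7>
User-Agent: friendly-scanner
To: "6796" <sip:6796@203.0.113.7>
CSeq: 1 REGISTER
Call-ID: 360911671

17:17:42.415504 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 365)
50.30.37.10.5064 > 203.0.113.7.5060: [udp sum ok] UDP, length 337
REGISTER sip:203.0.113.7 SIP/2.0
Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-1538287390;rport
Content-Length: 0
From: "6796" <sip:6796@203.0.113.7>
User-Agent: friendly-scanner
To: "6796" <sip:6796@203.0.113.7>
CSeq: 1 REGISTER
Call-ID: 3912185912

17:18:01.000000 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto UDP (17), length 400)
198.51.100.23.5060 > 203.0.113.7.5060: [udp sum ok] UDP, length 372
REGISTER sip:203.0.113.7 SIP/2.0
Via: SIP/2.0/UDP 198.51.100.23:5060;branch=z9hG4bK-77;rport
From: "1001" <sip:1001@203.0.113.7>
User-Agent: Office Phone 1.2
To: "1001" <sip:1001@203.0.113.7>
CSeq: 2 REGISTER
Call-ID: abc-1
"""

PKT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):")
REQ_RE = re.compile(r"^([A-Z]+) sip:")
HDR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
VIA_RE = re.compile(r"SIP/2\.0/\w+\s+([^;\s:]+)")
# User-Agent substrings named in the thread (friendly-scanner is SIPVicious).
SCANNER_AGENTS = ("friendly-scanner", "sipvicious")


def parse_packets(dump):
    """Return one dict per packet: IP-layer source, destination port, SIP method, headers."""
    packets = []
    for block in re.split(r"\n\s*\n", dump.strip()):
        src, dport, method, headers = None, None, None, {}
        for line in block.splitlines():
            m = PKT_RE.match(line)
            if m:
                src, dport = m.group(1), int(m.group(4))
                continue
            r = REQ_RE.match(line)
            if r:
                method = r.group(1)
                continue
            h = HDR_RE.match(line)
            if h:
                headers[h.group(1).lower()] = h.group(2)
        if src and method:
            packets.append({"src": src, "dport": dport, "method": method, "headers": headers})
    return packets


def triage(packets):
    """Group by packet source: request count, User-Agents, Via hosts, scanner flag."""
    report = {}
    for p in packets:
        e = report.setdefault(p["src"], {"count": 0, "agents": set(), "via_hosts": set(), "scanner": False})
        e["count"] += 1
        ua = p["headers"].get("user-agent", "")
        e["agents"].add(ua)
        m = VIA_RE.search(p["headers"].get("via", ""))
        if m:
            e["via_hosts"].add(m.group(1))
        if any(tag in ua.lower() for tag in SCANNER_AGENTS):
            e["scanner"] = True
    return report


def via_mismatch(report):
    """Sources whose Via header names another host. A block on the Via address
    matches nothing; an L3 rule has to target the packet source."""
    return {src for src, e in report.items() if e["via_hosts"] and src not in e["via_hosts"]}


def block_candidates(report):
    return sorted(src for src, e in report.items() if e["scanner"])


def iptables_rules(report, port=5060):
    """Render the mitigations from the thread: Jeff's payload string match plus
    a per-source DROP for each flagged packet source. Rendered only, never run here."""
    rules = [f'iptables -I INPUT -p udp --dport {port} -m string --string "friendly-scanner" --algo bm -j DROP']
    rules += [f"iptables -I INPUT -s {src} -p udp --dport {port} -j DROP" for src in block_candidates(report)]
    return rules


if __name__ == "__main__":
    rep = triage(parse_packets(SAMPLE_DUMP))
    for src, e in rep.items():
        print(src, e["count"], sorted(e["agents"]), sorted(e["via_hosts"]), "SCANNER" if e["scanner"] else "")
    print("via/source mismatch:", sorted(via_mismatch(rep)))
    print("\n".join(iptables_rules(rep)))
```

On the sample the scanner source is 50.30.37.10 with a Via of 62.75.212.215, so only the rule keyed on the packet source accrues hits, which matches the counters in the quoted listing. Note also that tcpdump captures from the packet tap before the netfilter INPUT chain makes its decision, so a DROP rule whose counter is climbing is working even though the same packets still appear in the capture.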