[Freeswitch-users] What kind of attack is this?

Mimiko vbvbrj at gmail.com
Wed Oct 16 23:40:14 MSD 2013


On 14.10.2013 21:05, Mimiko wrote:
> 35a84dc8-0a11-449a-9a81-aa0a6ad75ab6 2013-10-14 20:48:51.690475 [NOTICE]
> switch_channel.c:1034 New Channel sofia/internal_A.B.C.D/100 at A.B.C.D
> [35a84dc8-0a11-449a-9a81-aa0a6ad75ab6]
> 35a84dc8-0a11-449a-9a81-aa0a6ad75ab6 2013-10-14 20:48:51.690475 [DEBUG]
> switch_core_session.c:1010 Send signal
> sofia/internal_A.B.C.D/100 at A.B.C.D [BREAK]
> 35a84dc8-0a11-449a-9a81-aa0a6ad75ab6 2013-10-14 20:48:51.690475 [DEBUG]
> switch_core_session.c:1010 Send signal
> sofia/internal_A.B.C.D/100 at A.B.C.D [BREAK]
> 35a84dc8-0a11-449a-9a81-aa0a6ad75ab6 2013-10-14 20:48:51.690475 [DEBUG]
> switch_core_state_machine.c:418 (sofia/internal_A.B.C.D/100 at A.B.C.D)
> Running State Change CS_NEW
> 35a84dc8-0a11-449a-9a81-aa0a6ad75ab6 2013-10-14 20:48:51.690475 [DEBUG]
> switch_core_state_machine.c:436 (sofia/internal_A.B.C.D/100 at A.B.C.D)
> State NEW
> 35a84dc8-0a11-449a-9a81-aa0a6ad75ab6 2013-10-14 20:48:51.810383 [DEBUG]
> switch_core_session.c:1010 Send signal
> sofia/internal_A.B.C.D/100 at A.B.C.D [BREAK]

I did find that these logs were due to an attacker trying to hack the 
system and sending bad INVITE packets at 19-minute intervals. It's hard to 
detect and block such attacks, even for Fail2ban, because the log does 
not contain the remote IP from which the packet came. It would be great for 
FS to log the IP not only for authentication failures, but also for calls.

-- 
Mimiko desu.
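
Added example, not part of the original post and not FreeSWITCH code: a log-side check for the pattern described above, which parses records in the quoted format and reports channels whose "New Channel" events recur at a near-constant interval. The sample log is constructed (192.0.2.10 stands in for A.B.C.D), and the function names, the threshold of three hits and the 30-second tolerance are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one record per line, in the format quoted in the post.
# 192.0.2.10 stands in for A.B.C.D; "@" replaces the archive's " at ".
CH = "sofia/internal_192.0.2.10/100@192.0.2.10"
U = "00000000-0000-4000-8000-00000000000"  # constructed UUID prefix
SAMPLE_LOG = f"""\
{U}1 2013-10-14 20:48:51.690475 [NOTICE] switch_channel.c:1034 New Channel {CH} [{U}1]
{U}1 2013-10-14 20:48:51.690475 [DEBUG] switch_core_state_machine.c:436 ({CH}) State NEW
{U}2 2013-10-14 20:55:02.100000 [NOTICE] switch_channel.c:1034 New Channel sofia/internal_192.0.2.10/1001@192.0.2.10 [{U}2]
{U}3 2013-10-14 21:07:51.702113 [NOTICE] switch_channel.c:1034 New Channel {CH} [{U}3]
{U}4 2013-10-14 21:26:51.688930 [NOTICE] switch_channel.c:1034 New Channel {CH} [{U}4]
"""

RECORD = re.compile(
    r"^(?P<uuid>[0-9a-f-]{36}) (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{6}) "
    r"\[(?P<level>[A-Z]+)\] (?P<src>\S+:\d+) (?P<msg>.*)$")
NEW_CHANNEL = re.compile(r"^New Channel (?P<chan>\S+) \[")

def new_channels(text):
    """Return (timestamp, channel) for every 'New Channel' record."""
    events = []
    for line in text.splitlines():
        rec = RECORD.match(line)
        hit = NEW_CHANNEL.match(rec["msg"]) if rec else None
        if hit:
            ts = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, hit["chan"]))
    return events

def periodic_channels(events, min_hits=3, tolerance=timedelta(seconds=30)):
    """Map channel -> first gap, for channels recurring at a steady interval."""
    by_chan = defaultdict(list)
    for ts, chan in events:
        by_chan[chan].append(ts)
    flagged = {}
    for chan, stamps in by_chan.items():
        if len(stamps) < max(min_hits, 2):
            continue  # too few events to call it a pattern
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance:
            flagged[chan] = gaps[0]
    return flagged

if __name__ == "__main__":
    for chan, gap in periodic_channels(new_channels(SAMPLE_LOG)).items():
        print(f"{chan}: new channel roughly every {gap}")
```

The result is a list of channels and timestamps only; as the post notes, these records carry no source address for a Fail2ban filter to match.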


