[Freeswitch-dev] Bruteforce hack
Oleg Khovayko
khovayko at gmail.com
Wed Mar 30 04:44:55 MSD 2011
Hi,
Couple months ago I have repotred strange behaviour of FreeSWITCH: 100%
CPU usage,
and leak memory.
Today I catch this situation, and viewed logs.
found something like ping-pong with SIP-port attack:
FS log:
2011-03-29 20:12:42.754314 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:42.754314 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:42.754314 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:42.754314 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:42.754314 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:42.938408 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:42.957793 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:42.981472 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:42.999635 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:43.028769 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:43.048709 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:43.064379 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:43.080898 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:43.099860 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:43.118179 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:43.133097 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:43.149791 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:43.172722 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:43.187540 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:43.203845 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:43.219207 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:43.233950 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:43.250684 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:43.267531 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
2011-03-29 20:12:43.283970 [WARNING] sofia_reg.c:1246 SIP auth challenge
(REGISTER) on sofia profile 'internal' for [4 at 173.79.240.220] from ip
118.175.22.75
TCPDUMP output.
20:19:11.863940 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP,
length: 331
20:19:11.914740 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP,
length: 330
20:19:11.917521 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP,
length: 331
20:19:11.931544 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP,
length: 330
20:19:11.934351 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP,
length: 331
20:19:11.946799 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP,
length: 331
20:19:11.949370 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP,
length: 330
20:19:11.954355 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP,
length: 331
20:19:11.957996 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP,
length: 605
20:19:11.958972 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP,
length: 604
20:19:11.959998 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP,
length: 605
20:19:11.961019 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP,
length: 605
20:19:11.961814 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP,
length: 329
20:19:11.962213 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP,
length: 605
20:19:11.963141 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP,
length: 605
20:19:11.964106 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP,
length: 604
20:19:11.965059 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP,
length: 604
20:19:11.966066 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP,
length: 604
20:19:11.967018 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP,
length: 604
20:19:11.967965 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP,
length: 605
20:19:11.968930 IP deskpro.khovayko.com.sip > 118.175.22.75.5239: SIP,
length: 605
Also, I see, attack continues, when I stopped FreeSWITCH:
20:21:46.045995 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP,
length: 331
20:21:46.046088 IP deskpro.khovayko.com > 118.175.22.75: ICMP
deskpro.khovayko.com udp port sip unreachable, length 36
20:21:46.051280 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP,
length: 331
20:21:46.051378 IP deskpro.khovayko.com > 118.175.22.75: ICMP
deskpro.khovayko.com udp port sip unreachable, length 36
20:21:46.059059 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP,
length: 331
20:21:46.059154 IP deskpro.khovayko.com > 118.175.22.75: ICMP
deskpro.khovayko.com udp port sip unreachable, length 36
20:21:46.061089 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP,
length: 330
20:21:46.061187 IP deskpro.khovayko.com > 118.175.22.75: ICMP
deskpro.khovayko.com udp port sip unreachable, length 36
20:21:46.065982 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP,
length: 331
20:21:46.066076 IP deskpro.khovayko.com > 118.175.22.75: ICMP
deskpro.khovayko.com udp port sip unreachable, length 36
20:21:46.073622 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP,
length: 330
20:21:46.073719 IP deskpro.khovayko.com > 118.175.22.75: ICMP
deskpro.khovayko.com udp port sip unreachable, length 36
20:21:46.076260 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP,
length: 331
20:21:46.076352 IP deskpro.khovayko.com > 118.175.22.75: ICMP
deskpro.khovayko.com udp port sip unreachable, length 36
20:21:46.083160 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP,
length: 331
20:21:46.083256 IP deskpro.khovayko.com > 118.175.22.75: ICMP
deskpro.khovayko.com udp port sip unreachable, length 36
20:21:46.090586 IP 118.175.22.75.5239 > deskpro.khovayko.com.sip: SIP,
length: 330
20:21:46.090684 IP deskpro.khovayko.com > 118.175.22.75: ICMP
deskpro.khovayko.com udp port sip unreachable, length 36
So, you can see, this is not wrong FS-activity, this is just attack,
attempt to hack in by method "brute force and ignorance".
I think, easiest way to protect FS - to dynamically ban IP, from which
comes attack.
Or, maybe more smooth policy - to count attempts of unsuccessful login
from some IP, and after threshold - set timewait for this IP.
See following sample of pseudocode for demo this idea:
char bantable[1<<12]; // 4K hashtable for ban counter.
int ban_index = hash(user_ip_address) & (sizeof(bantable) - 1);
if(user_login_success())
bantable[ban_index] = 0; // IP is valid
else {
if(bantable[ban_index] < 0)
sleep(1);
else
bantable[ban_index]++;
}
Idea following - if real user comes in, and will be unlucky (hash as
same as attacker), he just get 1s delay.
But, for hacker, it will decrease attack dataflow, and slowing him...
More information about the FreeSWITCH-dev
mailing list