[Freeswitch-users] No failure messages in log during SIPVicious attack

Andrew Cassidy andrew at cassidywebservices.co.uk
Wed Mar 20 12:19:43 MSK 2013


Not only are there fail2ban rules, but a colleague is also having great success with
snort for blocking SIPVicious attacks.

On 20 March 2013 08:24, Avi Marcus <avi at avimarcus.net> wrote:

> log auth failures only logs when there's been an actual failure:
> reg -> 401 (send password again with md5 hashed password) -> reg failure.
>
> It sounds like this attack was just "reg" so it didn't get triggered.
>
> That's why there's a separate fail2ban profile for floods --
> http://wiki.freeswitch.org/wiki/Fail2ban#SIP_DOS_Attack
>
> There's another module that makes a dedicated log for fail2ban but I don't
> think it's been tested much:
> http://wiki.freeswitch.org/wiki/Mod_fail2ban
>
>
> -Avi Marcus
> BestFone
>
>
> On Wed, Mar 20, 2013 at 6:21 AM, Phil Quesinberry <
> philq at qsystemsengineering.com> wrote:
>
>> We were the recipients of another script-kiddie SIPVicious attack this
>> evening, but Fail2ban didn’t catch it because there was no failure
>> message in the log, just repeated registration messages.  I added the
>> following to sofia.conf.xml and reloaded but there was no change in
>> behavior:
>>
>> <param name="log-auth-failures" value="true"/>
>>
>> Interestingly, if I tell the Aastra on my desk to register with the
>> wrong password, there is a failure message logged.
>>
>> I’m not sure why this attack doesn’t generate a failure message but I
>> added a rule under filter.d to ban IPs with too many registration
>> attempts in a certain period of time.  Of course I’d prefer to ban only
>> on failures.
>>
>> The user agent string would seem to indicate that this is an older
>> version of SIPVicious but I was unable to crash it with svcrash.
>>
>> Here is an excerpt of the traffic:
>>
>> 2013-03-19 21:48:24.160919 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
>> 2013-03-19 21:48:24.160919 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
>> 2013-03-19 21:48:24.181262 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
>> 2013-03-19 21:48:24.181262 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
>> 2013-03-19 21:48:24.181262 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
>> 2013-03-19 21:48:24.201143 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
>>
>> freeswitch@internal> sofia profile internal siptrace on
>> Enabled sip debugging on internal
>>
>> 2013-03-19 21:48:24.201143 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
>> recv 333 bytes from udp/[70.38.71.75]:5115 at 01:48:24.223941:
>> ------------------------------------------------------------------------
>>    REGISTER sip:xx.xx.xx.xx SIP/2.0
>>    Via: SIP/2.0/UDP 127.0.0.1:5115;branch=z9hG4bK-1676888071;rport
>>    Content-Length: 0
>>    From: "4623" <sip:4623@xx.xx.xx.xx>
>>    Accept: application/sdp
>>    User-Agent: friendly-scanner
>>    To: "4623" <sip:4623@xx.xx.xx.xx>
>>    Contact: sip:123@1.1.1.1
>>    CSeq: 1 REGISTER
>>    Call-ID: 1757394
>>    Max-Forwards: 70
>>
>> ------------------------------------------------------------------------
>> 2013-03-19 21:48:24.220953 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
>> send 621 bytes to udp/[70.38.71.75]:5115 at 01:48:24.225084:
>> ------------------------------------------------------------------------
>>    SIP/2.0 401 Unauthorized
>>    Via: SIP/2.0/UDP 127.0.0.1:5115;branch=z9hG4bK-1676888071;rport=5115;received=70.38.71.75
>>    From: "4623" <sip:4623@xx.xx.xx.xx>
>>    To: "4623" <sip:4623@xx.xx.xx.xx>;tag=tNtgHUjZSej3F
>>    Call-ID: 1757394
>>    CSeq: 1 REGISTER
>>    User-Agent: FreeSWITCH-mod_sofia/1.3.14b+git~20130301T214848Z~c35a41e4ca
>>    Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
>>    Supported: timer, precondition, path, replaces
>>    WWW-Authenticate: Digest realm="xx.xx.xx.xx", nonce="c34ebd55-e53c-4590-b7e8-423e21fc26b9", algorithm=MD5, qop="auth"
>>    Content-Length: 0
>>
>> ------------------------------------------------------------------------
>> recv 336 bytes from udp/[70.38.71.75]:5115 at 01:48:24.234418:
>> ------------------------------------------------------------------------
>>    REGISTER sip:xx.xx.xx.xx SIP/2.0
>>    Via: SIP/2.0/UDP 127.0.0.1:5115;branch=z9hG4bK-2042428707;rport
>>    Content-Length: 0
>>    From: "4623" <sip:4623@xx.xx.xx.xx>
>>    Accept: application/sdp
>>    User-Agent: friendly-scanner
>>    To: "4623" <sip:4623@xx.xx.xx.xx>
>>    Contact: sip:123@1.1.1.1
>>    CSeq: 1 REGISTER
>>    Call-ID: 2727970266
>>    Max-Forwards: 70
>>
>> ------------------------------------------------------------------------
>> 2013-03-19 21:48:24.220953 [WARNING] sofia_reg.c:1520 SIP auth challenge (REGISTER) on sofia profile 'internal' for [4623@xx.xx.xx.xx] from ip 70.38.71.75
>> send 624 bytes to udp/[70.38.71.75]:5115 at 01:48:24.235851:
>> ------------------------------------------------------------------------
>>    SIP/2.0 401 Unauthorized
>>    Via: SIP/2.0/UDP 127.0.0.1:5115;branch=z9hG4bK-2042428707;rport=5115;received=70.38.71.75
>>    From: "4623" <sip:4623@xx.xx.xx.xx>
>>    To: "4623" <sip:4623@xx.xx.xx.xx>;tag=UyK9jp32pQ8NB
>>    Call-ID: 2727970266
>>    CSeq: 1 REGISTER
>>    User-Agent: FreeSWITCH-mod_sofia/1.3.14b+git~20130301T214848Z~c35a41e4ca
>>    Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
>>    Supported: timer, precondition, path, replaces
>>    WWW-Authenticate: Digest realm="xx.xx.xx.xx", nonce="6343aee4-d0a4-4357-b34d-11a4658b954c", algorithm=MD5, qop="auth"
>>    Content-Length: 0
>>
>> Phil Quesinberry
>> Q Systems Engineering, Inc.
>> Electronic Controls and Embedded Systems Development
>> (410) 969-8002
>> http://www.qsystemsengineering.com
>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> 
>> 
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
>


-- 
Andrew Cassidy BSc (Hons) MBCS SSCA
Managing Director

T 03300 100 960
F 03300 100 961
E andrew at cassidywebservices.co.uk
W www.cassidywebservices.co.uk
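Phil's filter.d rule and Avi's explanation describe two different signals: a real auth failure (a credentialed REGISTER that FreeSWITCH rejects, which is what `log-auth-failures` reports) and a flood of bare REGISTERs that only ever earn a 401 challenge, which is all the friendly-scanner trace above contains. The Python below is an added example, not code from this thread, from FreeSWITCH or from fail2ban. It runs both checks over constructed log lines modelled on the `sofia_reg.c:1520` lines quoted above: failures trip a low threshold over a long window, challenges need a burst in a short window. The exact wording of the "SIP auth failure" line, the thresholds, and the 192.0.2.x phone addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sofia_reg.c warning lines quoted in the thread. The "challenge"
# alternative is the format shown on the page; the "failure" alternative is an
# assumption about the line log-auth-failures emits for a rejected credentialed
# REGISTER, so adjust it against your own log before relying on it.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \[WARNING\] sofia_reg\.c:\d+ "
    r"SIP auth (?P<kind>challenge|failure) \((?P<method>[A-Z]+)\) on sofia profile "
    r"'(?P<profile>[^']+)' for \[(?P<user>[^\]]+)\] from ip (?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict for a sofia auth challenge/failure line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return ev


def find_offenders(lines, challenge_limit=10, challenge_window=10,
                   failure_limit=5, failure_window=600):
    """Map source IP -> reason for every IP that trips either sliding-window threshold.

    Failures are strong evidence and get a low limit over a long window. Bare
    challenges are weak evidence (every legitimate phone produces one per
    registration), so they only count when many arrive in a short window.
    """
    limits = {"challenge": (challenge_limit, timedelta(seconds=challenge_window)),
              "failure": (failure_limit, timedelta(seconds=failure_window))}
    windows = {kind: defaultdict(deque) for kind in limits}
    offenders = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        limit, span = limits[ev["kind"]]
        q = windows[ev["kind"]][ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > span:   # expire events older than the window
            q.popleft()
        if len(q) >= limit and ev["ip"] not in offenders:
            offenders[ev["ip"]] = f"{len(q)} auth {ev['kind']}s in {span.seconds}s"
    return offenders


def _line(ts, kind, ip, user="4623"):
    return (f"{ts} [WARNING] sofia_reg.c:1520 SIP auth {kind} (REGISTER) on sofia "
            f"profile 'internal' for [{user}@xx.xx.xx.xx] from ip {ip}")


# Constructed sample log: a scanner sending twelve credential-less REGISTERs in a
# quarter of a second (each earns only a 401 challenge, as in the trace above),
# one phone that registers correctly (one challenge, then nothing more logged),
# and one phone with a wrong password (one challenge followed by one real failure).
# 192.0.2.x are documentation addresses, not hosts from the thread.
SAMPLE_LOG = (
    [_line(f"2013-03-19 21:48:24.{160919 + i * 20000:06d}", "challenge", "70.38.71.75")
     for i in range(12)]
    + [_line("2013-03-19 21:48:30.000000", "challenge", "192.0.2.10", user="1001")]
    + [_line("2013-03-19 21:48:31.000000", "challenge", "192.0.2.20", user="1002"),
       _line("2013-03-19 21:48:31.100000", "failure", "192.0.2.20", user="1002")]
    + ["2013-03-19 21:48:32.000000 [NOTICE] unrelated line the filter must ignore"]
)

if __name__ == "__main__":
    for ip, why in find_offenders(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: {why}")
```

Run stand-alone it reports only the scanner, because the phone with the wrong password produced a single failure, well under the failure limit, and the correctly registered phone produced one challenge. That is the behaviour Phil wanted from his filter.d rule: floods of registration attempts are banned on volume, while a single mistyped password on a desk phone is not.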