[Freeswitch-users] What kind of attack is this?

Ken Rice krice at freeswitch.org
Mon Oct 14 18:54:28 MSD 2013


This is SIPVicious, it's a brute-force scanner... See
http://wiki.freeswitch.org/wiki/Fail2ban on how to set up Fail2ban with
FreeSWITCH to defeat this attack


On 10/14/13 9:28 AM, "Mimiko" <vbvbrj at gmail.com> wrote:

> Hello.
> 
> Recently I see a DDoS on one interface and the FS module callcenter is working
> irregularly. tcpdump shows this:
> 
> 17:17:42.410306 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto
> UDP (17), length 364)
>      50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 336
> E..l..@.0...2.%
> MY.".....XW.REGISTER sip:A.B.C.D SIP/2.0
> Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-3646224729;rport
> Content-Length: 0
> From: "6796" <sip:6796@A.B.C.D>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "6796" <sip:6796@A.B.C.D>
> Contact: sip:123@1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 360911671
> Max-Forwards: 70
> 
> 
> 17:17:42.415504 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto
> UDP (17), length 365)
>      50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 337
> E..m..@.0...2.%
> MY.".....Y,.REGISTER sip:A.B.C.D SIP/2.0
> Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-1538287390;rport
> Content-Length: 0
> From: "6796" <sip:6796@A.B.C.D>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "6796" <sip:6796@A.B.C.D>
> Contact: sip:123@1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 3912185912
> Max-Forwards: 70
> 
> 
> 17:17:42.420997 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto
> UDP (17), length 365)
>      50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 337
> E..m..@.0...2.%
> MY.".....Y7.REGISTER sip:A.B.C.D SIP/2.0
> Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-3729326239;rport
> Content-Length: 0
> From: "6796" <sip:6796@A.B.C.D>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "6796" <sip:6796@A.B.C.D>
> Contact: sip:123@1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 2188845586
> Max-Forwards: 70
> 
> 
> 17:17:42.425886 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto
> UDP (17), length 365)
>      50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 337
> E..m..@.0...2.%
> MY.".....Y3.REGISTER sip:A.B.C.D SIP/2.0
> Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-2208974380;rport
> Content-Length: 0
> From: "6796" <sip:6796@A.B.C.D>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "6796" <sip:6796@A.B.C.D>
> Contact: sip:123@1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 4149361432
> Max-Forwards: 70
> 
> 
> 17:17:42.431126 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto
> UDP (17), length 364)
>      50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 336
> E..l..@.0...2.%
> MY.".....X..REGISTER sip:A.B.C.D SIP/2.0
> Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-725880732;rport
> Content-Length: 0
> From: "6796" <sip:6796@A.B.C.D>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "6796" <sip:6796@A.B.C.D>
> Contact: sip:123@1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 1466795680
> Max-Forwards: 70
> 
> 
> 17:17:42.436476 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto
> UDP (17), length 365)
>      50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 337
> E..m..@.0...2.%
> MY.".....Y6.REGISTER sip:A.B.C.D SIP/2.0
> Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-3259665948;rport
> Content-Length: 0
> From: "6796" <sip:6796@A.B.C.D>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "6796" <sip:6796@A.B.C.D>
> Contact: sip:123@1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 3328716097
> Max-Forwards: 70
> 
> 
> 17:17:42.441541 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto
> UDP (17), length 364)
>      50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 336
> E..l..@.0...2.%
> MY.".....XT.REGISTER sip:A.B.C.D SIP/2.0
> Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-2487219966;rport
> Content-Length: 0
> From: "6796" <sip:6796@A.B.C.D>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "6796" <sip:6796@A.B.C.D>
> Contact: sip:123@1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 684380132
> Max-Forwards: 70
> 
> 
> In iptables I have this:
>    1637  597K DROP       all  --  *      *       50.30.37.10      0.0.0.0/0
>       0     0 DROP       all  --  *      *       62.75.212.215    0.0.0.0/0
> 
> So packets from that IP are not dropped. How is that? Does FS have a bug?

-- 
Ken
http://www.FreeSWITCH.org
http://www.ClueCon.com
http://www.OSTAG.org
irc.freenode.net #freeswitch
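
The triage a practitioner would run on a capture like the one quoted above, as an added example that is not code from this thread, from FreeSWITCH or from fail2ban. It parses `tcpdump -A` text into SIP requests, attributes them to the IP-layer source (not the Via or From, which the sender writes), flags the SIPVicious `friendly-scanner` User-Agent and a burst of REGISTERs with fresh Call-IDs, and separately applies a fail2ban-style failregex to a FreeSWITCH auth-failure log line. The packets and the log line are constructed in the shape of what the thread shows; `203.0.113.5` stands in for `A.B.C.D`, `198.51.100.7` is a made-up legitimate phone, and the `FAILREGEX` is an assumption modelled on the wiki filter Ken links, not copied from it.

```python
"""Triage a SIPVicious-style REGISTER flood from tcpdump -A text.

Added example, not code from the thread, FreeSWITCH or fail2ban. Packets and
log line are constructed in the shape of what the thread quotes; 203.0.113.5
stands in for A.B.C.D and 198.51.100.7 for a legitimate phone.
"""
import re
from collections import defaultdict

SCANNER_USER_AGENTS = ("friendly-scanner", "sipvicious")  # SIPVicious defaults

# Constructed scanner packet: fresh Call-ID per request and a Via naming a
# host other than the IP-layer source, as in the thread's capture.
_SCANNER_PKT = """\
17:17:{sec} IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 364)
    50.30.37.10.5064 > 203.0.113.5.5060: [udp sum ok] UDP, length 336
MY.".....XW.REGISTER sip:203.0.113.5 SIP/2.0
Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-{call_id};rport
From: "6796" <sip:6796@203.0.113.5>
User-Agent: friendly-scanner
Contact: sip:123@1.1.1.1
Call-ID: {call_id}
"""
_PHONE_PKT = """\
17:17:45.001000 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    198.51.100.7.5060 > 203.0.113.5.5060: [udp sum ok] UDP, length 352
REGISTER sip:203.0.113.5 SIP/2.0
Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-deskphone1;rport
User-Agent: DeskPhone/1.0
Call-ID: 7f3c9e@198.51.100.7
"""
SAMPLE_CAPTURE = "\n".join(
    [_SCANNER_PKT.format(sec=s, call_id=c) for s, c in
     (("42.410306", "360911671"), ("42.415504", "3912185912"),
      ("42.420997", "2188845586"))] + [_PHONE_PKT])

_PKT_HDR = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP ", re.M)
_ADDR = re.compile(r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.\d+")
_REQ = re.compile(r"(?P<method>REGISTER|INVITE|OPTIONS) sip:\S+ SIP/2\.0")
_HDR = re.compile(r"^(?P<name>[A-Za-z-]+): (?P<value>.*)$", re.M)
_VIA_HOST = re.compile(r"SIP/2\.0/\w+ (?P<host>[^:;\s]+)")


def parse_capture(text):
    """One dict per SIP request: capture time, IP source, method, headers."""
    heads = list(_PKT_HDR.finditer(text))
    pkts = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[h.start():end]
        addr, req = _ADDR.search(body), _REQ.search(body)
        if not (addr and req):
            continue  # a response or non-SIP traffic; not of interest here
        hdrs = {m["name"].lower(): m["value"].strip()
                for m in _HDR.finditer(body[req.end():])}
        via = _VIA_HOST.search(hdrs.get("via", ""))
        hh, mm, ss = h["ts"].split(":")
        pkts.append({"t": int(hh) * 3600 + int(mm) * 60 + float(ss),
                     "src": addr["src"], "method": req["method"],
                     "ua": hdrs.get("user-agent", ""), "call_id": hdrs.get("call-id"),
                     "via_host": via["host"] if via else None})
    return pkts


def triage(text, burst_count=3, window=1.0):
    """Per IP source: REGISTER dialogs, burst, scanner UA, Via mismatch, ban."""
    by_src = defaultdict(list)
    for p in parse_capture(text):
        by_src[p["src"]].append(p)
    report = {}
    for src, pkts in by_src.items():
        first_seen = {}  # Call-ID -> first time, so retransmits do not count
        for p in pkts:
            if p["method"] == "REGISTER":
                first_seen.setdefault(p["call_id"], p["t"])
        times = sorted(first_seen.values())
        burst = any(times[i + burst_count - 1] - times[i] <= window
                    for i in range(len(times) - burst_count + 1))
        scanner_ua = any(p["ua"].lower().startswith(SCANNER_USER_AGENTS)
                         for p in pkts)
        # NAT'd phones also carry a Via unlike their source address: evidence only.
        via_mismatch = any(p["via_host"] and p["via_host"] != src for p in pkts)
        report[src] = {"registers": len(times), "burst": burst,
                       "scanner_ua": scanner_ua, "via_mismatch": via_mismatch,
                       "ban": burst or scanner_ua}  # keyed on src, never on Via
    return report


# fail2ban-style failregex for FreeSWITCH's sofia auth-failure warning, <HOST>
# written out as an IPv4 group. Assumption modelled on the wiki filter; verify.
FAILREGEX = re.compile(
    r"\[WARNING\] sofia_reg\.c:\d+ SIP auth failure \((?:REGISTER|INVITE)\) "
    r"on sofia profile '\w+' for \[.*\] from ip (?P<host>\d+\.\d+\.\d+\.\d+)")
SAMPLE_LOG_LINE = ("2013-10-14 17:17:42.412345 [WARNING] sofia_reg.c:1552 SIP auth failure "
                   "(REGISTER) on sofia profile 'internal' for [6796@203.0.113.5] from ip 50.30.37.10")


def banned_host_from_log(line):
    """IP the failregex would hand to fail2ban for one log line, or None."""
    m = FAILREGEX.search(line)
    return m["host"] if m else None
```

Feed `triage()` the text of `tcpdump -nvA udp port 5060` and tune `burst_count`/`window` to your own traffic before acting on `ban`. Two checks worth keeping in mind with the capture quoted in the thread: the Via host 62.75.212.215 is what the sender wrote into the request, not where the datagrams came from, so a filter or iptables rule keyed on it never matches, which is consistent with the zero counter on that rule; and libpcap hands tcpdump inbound packets before they reach netfilter's INPUT chain, so seeing them in a capture does not show that the DROP rule for 50.30.37.10 is not firing. The packet counter on the rule itself (`iptables -L INPUT -v -n`) is the place to check that.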