[SR-Users] SIP Scanning Attacks Experiences

Daniel-Constantin Mierla miconda at gmail.com
Fri Nov 19 11:39:32 CET 2010



On 11/18/10 2:57 PM, marius zbihlei wrote:
> On 11/18/2010 03:59 PM, Fred Posner wrote:
>> On Nov 18, 2010, at 8:49 AM, marius zbihlei wrote:
>>
>>> On 11/18/2010 01:58 PM, Daniel-Constantin Mierla wrote:
>>>> Hello,
>>>>
>>>> during the testing period of Kamailio 3.1.0, while running it at
>>>> voipuser.org, I had the chance to watch live and analyze a SIP
>>>> scanning attack. Yesterday I noticed another one by looking at
>>>> Siremis 2.0 charts, therefore I wrote an article with some hints
>>>> about what you can use to protect your SIP services within Kamailio
>>>> configuration file.
>>>>
>>>> You can read it at:
>>>>     * http://asipto.com/u/i
>>>>
>>>> Hope it is going to be useful for many of you!
>>>>
>>>> Cheers,
>>>> Daniel
>>>>
>>>>
>>> Hello Daniel,
>>>
>>> Nice read, thanks for sharing. These "friendly-scanner" messages have
>>> really gotten out of hand lately. FYI, they are generated by a
>>> Python suite called SIPVicious (ha ha nice pun)
>>> (http://code.google.com/p/sipvicious/). More on this at
>>> http://blog.sipvicious.org/. The suite was developed (really really
>>> extended the sense of the word "developed" here - as the scripts are
>>> really basic) by a security company who trails over Europe giving
>>> lectures on VoIP security. :)
>>>
>>> Cheers,
>>> Marius
>> SIP Vicious does have a kill command... I've tried launching that on 
>> detection with mixed results. Triggering it from a hash count might 
>> prove better.
>>
>>
> The kill command (actually a bug that caused a Python exception to be 
> raised) was fixed in a later commit :)

:-) I wouldn't expect it to last too long.

I wonder what would happen if the flood were sent back statelessly to
the source IP and port.

In the Kamailio config that would be:

$du = "sip:" + $si + ":" + $sp;
forward();

It won't use many resources, maybe bandwidth.

Would I get a challenge :-) ?

Daniel

-- 
Daniel-Constantin Mierla
Kamailio (OpenSER) Advanced Trainings
Nov 22-25, 2010, Berlin, Germany
Jan 24-26, 2011, Irvine, CA, USA
http://www.asipto.com
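
A defensive sketch of the "hash count" idea raised earlier in the thread, as an added example that is not part of any message here or of the linked article: count requests per source IP that carry the "friendly-scanner" User-Agent and silently drop the source once it passes a threshold. The table name `scanners`, the threshold of 3 and the 600-second expiry are assumptions chosen for illustration.

```kamailio
# Added example, not from the thread. Assumed values: table name "scanners",
# threshold of 3 hits, 600-second ban window.
loadmodule "pv.so"
loadmodule "xlog.so"
loadmodule "htable.so"

# Per-source-IP counter; entries expire 600s after the last update,
# and unset keys read as 0 because of initval.
modparam("htable", "htable", "scanners=>size=8;autoexpire=600;initval=0;")

route {
	# Source already reached the threshold: drop without replying,
	# so the scanner gets no response to work with.
	if ($sht(scanners=>$si) >= 3) {
		exit;
	}

	# Count requests carrying the scanner's User-Agent string.
	if ($ua =~ "friendly-scanner") {
		$sht(scanners=>$si) = $sht(scanners=>$si) + 1;
		xlog("L_WARN", "scanner UA from $si:$sp ($rm), hit $sht(scanners=>$si)\n");
		exit;
	}

	# ... normal request routing continues here ...
}
```

The User-Agent string is trivial for a sender to change, so this only catches unmodified tools; rate-based detection such as the pike module covers sources that hide it.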



