[SR-Users] SIP Attack

Ricardo Martinez rmartinez at redvoiss.net
Tue Apr 17 17:02:20 CEST 2012


Hello.

I was wondering if someone could help me here.  From time to time I start to
receive from the internet this SIP message:



U 190.22.140.170:51316 -> 64.76.154.110:5060
SIP/2.0 400 BadRequest.
Via: .
From: .
To: .
Call-ID: .
CSeq: .
User-Agent: AddPac SIP Gateway.
Content-Length: 0.
.



At burst rate of 124 pps (packets per second), this message is entering the
Kamailio routine and generating a lot of ERROR logs like these:

Apr  1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
Apr  1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
Apr  1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
Apr  1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
Apr  1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
Apr  1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
Apr  1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: ERROR: <core> [msg_translator.c:1943]: ERROR: build_res_buf_from_sip_req: alas, parse_headers failed
Apr  1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: WARNING: sanity [sanity.c:254]: sanity_check(): check_required_headers(): failed to send 400 via sl reply
Apr  1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
Apr  1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
Apr  1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
Apr  1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
Apr  1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
Apr  1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
Apr  1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: ERROR: <core> [msg_translator.c:1943]: ERROR: build_res_buf_from_sip_req: alas, parse_headers failed
Apr  1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: WARNING: sanity [sanity.c:254]: sanity_check(): check_required_headers(): failed to send 400 via sl reply
Apr  1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
Apr  1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
Apr  1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
Apr  1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
Apr  1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
Apr  1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
Apr  1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: ERROR: <core> [msg_translator.c:1943]: ERROR: build_res_buf_from_sip_req: alas, parse_headers failed
Apr  1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: WARNING: sanity [sanity.c:254]: sanity_check(): check_required_headers(): failed to send 400 via sl reply





The only way that I have now of blocking this packet from hitting the Kamailio
server is via iptables:

iptables -A INPUT -s 190.22.140.170 -p udp --dport 5060 --jump REJECT



Is there a better way to do this?!

Thanks in advance,


*Ricardo Martinez.-*
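
An added example, not part of the original post: a small Python triage script that reads an ngrep text capture like the one above and counts, per source IP, the SIP packets whose mandatory headers (Via, From, To, Call-ID, CSeq) are missing or empty. It assumes ngrep's line-by-line output without timestamps, as in the capture above; the function name and the sample capture (documentation addresses) are constructed for illustration.

```python
import re
from collections import Counter

# Headers RFC 3261 requires in every SIP request and response.
MANDATORY = ("via", "from", "to", "call-id", "cseq")
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id"}  # short forms
PACKET_RE = re.compile(r"^U (\d+\.\d+\.\d+\.\d+):\d+ -> ")  # ngrep UDP header line

def malformed_by_source(ngrep_text):
    """Count, per source IP, packets with a missing or empty mandatory header."""
    counts, src, headers = Counter(), None, {}
    def flush():  # score the packet collected so far
        if src is not None and any(not headers.get(h) for h in MANDATORY):
            counts[src] += 1
    for raw in ngrep_text.splitlines():
        line = raw.strip()
        m = PACKET_RE.match(line)
        if m:  # a new packet starts: score the previous one
            flush()
            src, headers = m.group(1), {}
        elif src is not None and ":" in line:
            name, _, value = line.partition(":")
            value = value.strip()
            if value.endswith("."):  # ngrep prints the trailing CR as "."
                value = value[:-1].strip()
            name = name.strip().lower()
            headers.setdefault(COMPACT.get(name, name), value)
    flush()
    return counts

# Constructed sample capture, modelled on the message in the post.
SAMPLE = """\
U 192.0.2.10:51316 -> 203.0.113.5:5060
SIP/2.0 400 BadRequest.
Via: .
From: .
To: .
Call-ID: .
CSeq: .
U 198.51.100.7:5060 -> 203.0.113.5:5060
OPTIONS sip:203.0.113.5 SIP/2.0.
Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKabc.
From: <sip:a@198.51.100.7>;tag=1.
To: <sip:203.0.113.5>.
Call-ID: x1@198.51.100.7.
CSeq: 1 OPTIONS.
U 192.0.2.10:51316 -> 203.0.113.5:5060
SIP/2.0 400 BadRequest.
Via: .
"""
```

`malformed_by_source(SAMPLE).most_common()` lists the heaviest offenders first. UDP source addresses can be spoofed, so treat the result as a list of candidates to review before adding them to an iptables rule.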