[SR-Users] SIP Attack

Daniel-Constantin Mierla miconda at gmail.com
Thu Apr 19 12:50:15 CEST 2012


Hello,

I see the message gets to the config file, hitting the sanity module. What 
you can do is to use fail2ban for automatic interaction with iptables -- 
you can take inspiration from this tutorial:

   * http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack#fail2ban

You will just have a different condition, based on sanity and eventually 
some regexp to detect this specific case, to print the log message that 
is searched by fail2ban.

Cheers,
Daniel


On 4/17/12 5:21 PM, Reda Aouad wrote:
> Hi,
>
> Do you have any client that is sending a corrupt request to the 
> "AddPac SIP Gateway" at 190.22.140.170, so that this gateway is 
> replying "400 bad request" ? Maybe you could resolve this problem at 
> the source..
>
> If it's not the case, you can send an email to the owner of the IP 
> address.
> A quick lookup on the IP address on www.network-tools.com gives you a 
> hint on the owner.
>
> Reda
>
>
>
> On Tue, Apr 17, 2012 at 17:19, Vineet Menon <mvineetmenon at gmail.com> wrote:
>
>     IMHO preventing the packet to reach kamailio is better (via
>     iptables) than doing something in kamailio itself....
>
>     Regards,
>
>     Vineet Menon
>
>
>
>
>     On 17 April 2012 20:32, Ricardo Martinez <rmartinez at redvoiss.net> wrote:
>
>         Hello.
>
>         I was wondering if someone could help me here.  From time to
>         time I start to receive from the internet this SIP message :
>
>         U 190.22.140.170:51316 -> 64.76.154.110:5060
>
>         SIP/2.0 400 BadRequest.
>
>         Via: .
>
>         From: .
>
>         To: .
>
>         Call-ID: .
>
>         CSeq: .
>
>         User-Agent: AddPac SIP Gateway.
>
>         Content-Length: 0.
>
>         .
>
>         At burst rate of 124 pps (packets per second), this message is
>         entering to Kamailio routine and generating a lot of ERROR
>         logs like these :
>
>         Apr  1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
>         Apr  1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
>         Apr  1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
>         Apr  1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
>         Apr  1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
>         Apr  1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
>         Apr  1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: ERROR: <core> [msg_translator.c:1943]: ERROR: build_res_buf_from_sip_req: alas, parse_headers failed
>         Apr  1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: WARNING: sanity [sanity.c:254]: sanity_check(): check_required_headers(): failed to send 400 via sl reply
>         Apr  1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
>         Apr  1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
>         Apr  1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
>         Apr  1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
>         Apr  1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
>         Apr  1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
>         Apr  1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: ERROR: <core> [msg_translator.c:1943]: ERROR: build_res_buf_from_sip_req: alas, parse_headers failed
>         Apr  1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: WARNING: sanity [sanity.c:254]: sanity_check(): check_required_headers(): failed to send 400 via sl reply
>         Apr  1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
>         Apr  1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
>         Apr  1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
>         Apr  1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
>         Apr  1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
>         Apr  1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
>         Apr  1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: ERROR: <core> [msg_translator.c:1943]: ERROR: build_res_buf_from_sip_req: alas, parse_headers failed
>         Apr  1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: WARNING: sanity [sanity.c:254]: sanity_check(): check_required_headers(): failed to send 400 via sl reply
>
>         The only way that I have now for blocking this packet to hit
>         the Kamailio server is via iptables :
>
>         iptables -A INPUT -s 190.22.140.170 -p udp --dport 5060 --jump REJECT
>
>         Is there a better way to do this?!
>
>         Thanks in advance,
>
>         Ricardo Martinez.-
>
>
>         _______________________________________________
>         SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
>         mailing list
>         sr-users at lists.sip-router.org
>         <mailto:sr-users at lists.sip-router.org>
>         http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

-- 
Daniel-Constantin Mierla
Kamailio Advanced Training, April 23-26, 2012, Berlin, Germany
http://www.asipto.com/index.php/kamailio-advanced-training/
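
The parser and sanity log lines quoted in this thread carry no source address, so fail2ban has nothing to ban until the config prints one itself. The following is an added example, not part of the original message or of the linked tutorial: it applies a fail2ban-style regex with maxretry/findtime counting to constructed log lines. The alert text "sanity check failed from IP:port" is a hypothetical message assumed to be written by the Kamailio config (for instance with xlog and the $si source-address variable); the addresses come from the documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical alert text; in a fail2ban filter the address group would be <HOST>.
FAILREGEX = re.compile(r"sanity check failed from (?P<host>\d{1,3}(?:\.\d{1,3}){3})\b")
STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")
PFX = "kmborde /usr/local/sbin/kamailio[2311]: "

# Constructed sample: two lines in the shape quoted in the thread (no source
# address) followed by alert lines in the assumed format.
SAMPLE_LOG = "\n".join([
    "Apr  1 03:32:19 " + PFX + "ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header",
    "Apr  1 03:32:19 " + PFX + "WARNING: sanity [sanity.c:254]: sanity_check(): check_required_headers(): failed to send 400 via sl reply",
    "Apr  1 03:32:19 " + PFX + "ALERT: <script>: sanity check failed from 192.0.2.10:51316",
    "Apr  1 03:32:19 " + PFX + "ALERT: <script>: sanity check failed from 198.51.100.7:5060",
    "Apr  1 03:32:19 " + PFX + "ALERT: <script>: sanity check failed from 192.0.2.10:51316",
    "Apr  1 03:32:20 " + PFX + "ALERT: <script>: sanity check failed from 192.0.2.10:51316",
    "Apr  1 03:32:40 " + PFX + "ALERT: <script>: sanity check failed from 198.51.100.7:5060",
    "Apr  1 03:33:10 " + PFX + "ALERT: <script>: sanity check failed from 198.51.100.7:5060",
])

def parse_time(line, year=2012):
    """Syslog timestamps have no year, so one is supplied by the caller."""
    m = STAMP.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None

def unattributable(log_text):
    """Count lines that give fail2ban no source address to act on."""
    return sum(1 for line in log_text.splitlines() if not FAILREGEX.search(line))

def hosts_to_ban(log_text, maxretry=3, findtime=10):
    """Hosts with at least maxretry matches inside a findtime-second window."""
    recent, banned = defaultdict(deque), []
    for line in log_text.splitlines():
        hit, when = FAILREGEX.search(line), parse_time(line)
        if not hit or when is None:
            continue
        host = hit.group("host")
        window = recent[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()  # forget matches older than the window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG), unattributable(SAMPLE_LOG))
```
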
