[SR-Users] Detecting calls with missing ACK (Lazy SIP scanners)

Charles Chance charles.chance at sipcentric.com
Tue Apr 5 14:56:17 CEST 2016 

Hi,

You should probably check out TM docs - specifically failure route (
http://kamailio.org/docs/modules/stable/modules/tm.html#tm.f.t_on_failure)
and t_is_expired (
http://kamailio.org/docs/modules/stable/modules/tm.html#tm.f.t_is_expired).

>From there you can do what you like.

Cheers,

Charles
On 5 Apr 2016 1:22 p.m., "Marrold" <kamailio at marrold.co.uk> wrote:

> I am interested in 'fingerprinting' various SIP scanner attacks and using
> them to intelligently block attacks, rather than just blindly black listing
> any SIP message to a honey pot.
>
> Additionally I think it would be wise to detect these missing ACKs and/or
> incomplete transactions from a legitimately mis-configured or
> malfunctioning end point, to help protect the core network from needless
> re-transmissions.
>
> Having checked the Asterisk logs, this is what I'm looking to block if a
> certain threshold is exceeded-
>
> [2016-04-05 13:10:52] WARNING[2010] chan_sip.c: Retransmission timeout
> reached on transmission eff430b8c1b6d21c2058049f41a7ec57 for seqno 1
> (Critical Response)
>
> Thanks
>
>
> On Tue, Apr 5, 2016 at 1:14 PM, Daniel Tryba <d.tryba at pocos.nl> wrote:
>
>> On Tue, Apr 05, 2016 at 12:09:29AM +0100, Marrold wrote:
>> > I have been running a couple of Asterisk honey pots to get a better
>> > understanding of the tools and methods potential hackers are using to
>> > exploit SIP servers.
>> >
>> > I have observed many attacks from the 'sipcli' user agent that don't
>> send
>> > ACKs.
>> [...]
>> > Please could anyone point me in the right direction to detect these non
>> > completed calls with a missing ACK in Kamailio? I am unsure on the
>> > terminology I should be using to search the online documentation.
>>
>> Why do you care? The attacker doesn't care about receiving SIP messages,
>> they are only interested in initiating a call to a target, if the target
>> gets dialled you will be abused, by either an other source with a fully
>> function SIP stack or just something that might be spoofed.
>>
>> What I do is blacklist addresses that send any SIP messages to my
>> honeypots, might be dangerous since with UDP anything can be spoofed (so
>> better make sure you have a whitelist and there is no connection between
>> the honeypots and your client facing SIP platform)
>>
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>> sr-users at lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>
>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
>

-- 
Sipcentric Ltd. Company registered in England & Wales no. 7365592. Registered 
office: Faraday Wharf, Innovation Birmingham Campus, Holt Street, 
Birmingham Science Park, Birmingham B7 4BB.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20160405/29159ea3/attachment.html>

More information about the sr-users mailing list