Contrary to advise and suggestions from many professionals in the
industry per Brute Force attacks, firewalls, log monitoring for brute
registrations, increased CPU usage due to brute force, my experience
shows that a "controlled form of anarchy, keeping things simple, appears
to be the best strategy.
Unlike rejecting and banning IPs, which still invokes bandwidth usage
and cpu usage, this is what I have done:
a) Have a separate context exclusively for unauthorized calls.
b) Allow all fake registrations to think they have registered (they no
longer pound with brute force if they think they got in)
c) Send ALL the calls for fake registrations (who think they logged
in) into a "SCREAMING MONKEYS" context.
My observation invoking these simple techniques has resulted into zero
dead locks on clients machines and production machines that get hammered
on a regular basis, running different versions of Asterisk.
Yes, ideally you would want to have an SBC but for those of you who do
not have the knowledge or resources for SBC, the above steps per our
experience has been rock solid stable. Our technical support requests
for all our installations across the globe, as gone done from few calls
per day, to zero calls in the last 30 days.
Technical:
a) Have a separate context exclusively for unauthorized calls.
I call this context "MONKEYS", you could choose "BUFFOONS" if you wanted.
b) Allow all fake registrations to think they have registered (they no
longer pound with brute force if they think they got in). That is do
the following:
For sip.conf file, edit "default" context which looks like "[default]"
to "[MONKEYS]" or "[BUFFOONS]".
context=MONKEYS
allowguest=yes
;authfailureevents=no (make sure this is commented)
alwaysauthreject = yes
c) Send ALL the calls for fake registrations (who think they logged
in) into a "SCREAMING MONKEYS" context.
That is modify the extensions file "extensions.conf" and insert the
following:
[MONKEYS]
exten => _X.,1,NoOp(Thugs, Monkeys and Buffons are attempting to
dial in)
exten => _X.,n,NoOp(======================================)
exten => _X.,n,NoOp(BUFFOONS IP ADDRESS: ${CHANNEL(recvip)}. This
actually shows you the IP address of the caller)
exten => _X.,n,NoOp(Buffoon tried to call: ${EXTEN}. This is for
your records what number he actually dialed)
exten => _X.,n,NoOp(======================================)
exten => _X.,n,Answer
exten => _X.,n,Playback(tt-monkeys)
exten => _X.,n,Wait(100)
exten => _X.,n,Hangup
FYI, all default asterisk distribution comes with a sound file which is
the sound of screaming monkeys... and that file is " tt-monkeys "
For those of you who do not have an SBC (as with close to 100% of our
clients), the above simple techniques has been superb. In a brute
force attack, using stress testing software such as SIPviscious or other
scripts, the objective of the idiot is to try to hack into your server
for the purpose of toll fraud. So in the above scenario - rather than
your server having to manage and block thousands and thousands of
registration attempts in seconds, or responding to a "Failed
authorization", which further provokes software like SIPViscious to do
more brute attempts, it "thinks" it has registered successfully, and
starts attempting calls to expensive destinations, eliminating another
attempt for 10K retries. In their attempt, all they hear is screaming
monkeys.
Leaving SBC's aside, would like to hear from others, what simple steps
you may have taken to rid these attacks.
No... FAIL2BAN does not help in a massive DDOS attack, even if you
have everything perfect.
Cheers!
Reza.
--
FOUNDER & SR. TELECOM ANALYST
VOIPERNETICS COMMUNICATIONS
TEL: 647-847-2287 x2016
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
