Re: [OpenSIPS-Users] Register attack!

2010-11-15 Thread Brett Nemeroff
On Wed, Nov 3, 2010 at 12:23 PM, Flavio Goncalves fla...@voffice.com.br wrote: Hi Saul, I did like your solution. My only concern about Pike was to block legitimate traffic. A SIP dialer can easily get to the pike threshold, but doing pike_check_req() just for register, options and bye

Re: [OpenSIPS-Users] Register attack!

2010-11-10 Thread Bogdan-Andrei Iancu
Hi Flavio, of course you can skip from pike check different known traffic sources (like diallers, gateways, etc) and also you can do pike check only for certain messages (like auth failed because of no user) Regards, Bogdan Flavio Goncalves wrote: Hi Saul, I did like your solution. My

Re: [OpenSIPS-Users] Register attack!

2010-11-10 Thread Saúl Ibarra Corretgé
Hi Flavio, On 11/03/2010 06:23 PM, Flavio Goncalves wrote: Hi Saul, I did like your solution. My only concern about Pike was to block legitimate traffic. A SIP dialer can easily get to the pike threshold, but doing pike_check_req() just for register, options and bye requests seems to avoid

Re: [OpenSIPS-Users] Register attack!

2010-11-10 Thread Adrian Georgescu
This could be improved by profiling the traffic per customer and pike it accordingly. Adrian On Nov 3, 2010, at 6:23 PM, Flavio Goncalves wrote: Hi Saul, I did like your solution. My only concern about Pike was to block legitimate traffic. A SIP dialer can easily get to the pike

Re: [OpenSIPS-Users] Register attack!

2010-11-09 Thread Flavio Goncalves
Hi Saul, I did like your solution. My only concern about Pike was to block legitimate traffic. A SIP dialer can easily get to the pike threshold, but doing pike_check_req() just for register, options and bye requests seems to avoid this. The only but is, the attack can also be done using INVITE

Re: [OpenSIPS-Users] Register attack!

2010-11-08 Thread Alexandr A. Alexandrov
Hi! I had some issues with fail2ban running on OpenSuSE (different versions) when monitoring more than 1 log file. While tracking down the problem I found other reports on the internet about similar problems. Eventually I found OSSEC from TrendMicro (http://www.ossec.net/main/downloads/)

Re: [OpenSIPS-Users] Register attack!

2010-11-08 Thread Bogdan-Andrei Iancu
Saúl Ibarra Corretgé wrote: On 11/03/2010 04:00 PM, Hung Nguyen wrote: Hi all, thanks for reply. I have tested with pike module. It is very simple. -- modparam(pike, sampling_time_unit, 3) modparam(pike, reqs_density_per_unit, 20) if (method = 'REGISTER | OPTION | BYE') {

Re: [OpenSIPS-Users] Register attack!

2010-11-03 Thread Flavio Goncalves
Hi Kennard, The best way to detect is to use the return codes from the functions www_authorize and proxy_authorize. You can monitor the number of invalid authentications. I'm saving the number of invalid authentications in a cache variable using cache_store() for each specific IP (invalid_$si

Re: [OpenSIPS-Users] Register attack!

2010-11-03 Thread Hung Nguyen
Hi all, thanks for reply. I have tested with pike module. It is very simple. -- modparam(pike, sampling_time_unit, 3) modparam(pike, reqs_density_per_unit, 20) if (method = 'REGISTER | OPTION | BYE') { if (!pike_check_req()) { #TODO: do anything if you want drop();

Re: [OpenSIPS-Users] Register attack!

2010-11-03 Thread Saúl Ibarra Corretgé
On 11/03/2010 04:00 PM, Hung Nguyen wrote: Hi all, thanks for reply. I have tested with pike module. It is very simple. -- modparam(pike, sampling_time_unit, 3) modparam(pike, reqs_density_per_unit, 20) if (method = 'REGISTER | OPTION | BYE') { if (!pike_check_req()) {

[OpenSIPS-Users] Register attack!

2010-11-02 Thread Hung Nguyen
Hi everybody! I have a problem with attacker as following: attack registrar register - register - ... register - Attacker send 200 registers/second so registrar server is error. This is configuration for register method: route[2] {

Re: [OpenSIPS-Users] Register attack!

2010-11-02 Thread Saúl Ibarra Corretgé
On 11/02/2010 08:26 AM, Hung Nguyen wrote: Hi everybody! I have a problem with attacker as following: attack registrar register - register - ... register - Attacker send 200 registers/second so registrar server is error. This

Re: [OpenSIPS-Users] Register attack!

2010-11-02 Thread Flavio Goncalves
Hi, Register attacks are now an epidemic. In most cases they are using the friendly-scanner (svcrack.py) from sipvicious.org. One easy way to block is to check the user agent for the words friendly-scanner and drop the packets (an attacker could easily change the user agent, but most of them are

Re: [OpenSIPS-Users] Register attack!

2010-11-02 Thread Hung Nguyen
Thanks for reply, It's OK. The best solution. Best regards On 11/3/10, Flavio Goncalves fla...@asteriskguide.com wrote: Hi, Register attacks are now an epidemic. In most cases they are using the friendly-scanner (svcrack.py) from sipvicious.org. One easy way to block is to check the user

Re: [OpenSIPS-Users] Register attack!

2010-11-02 Thread Brett Nemeroff
Kennard, I personally write a log entry each time I get a REGISTER failure. Then use fail2ban on top of that log. Pike could probably also be used. -Brett On Nov 2, 2010, at 10:30 PM, Kennard White kennard_wh...@logitech.com wrote: Hi Flavio, How did you originally detect these register

Re: [OpenSIPS-Users] Register attack!

2010-11-02 Thread James Mbuthia
I had the same problem with register attacks, almost crashed my server coz log files became too huge, a temporary solution is to change the port number from 5060 to something else as it seems the register scanners attack sip servers listening on the 5060 port. Adding fail2ban on top of this and