Hi Flavio,

Of course you can skip the pike check for different known traffic sources (like diallers, gateways, etc.), and you can also do the pike check only for certain messages (like auth failed because of no user).

Regards,
Bogdan

Flavio Goncalves wrote:
Hi Saul,

I did like your solution. My only concern about Pike was to block
legitimate traffic. A SIP dialer can easily get to the pike threshold,
but doing pike_check_req() just for register, options and bye requests
seems to avoid this.

The only "but" is, the attack can also be done using INVITE, and using
Pike with INVITE can make you drop legitimate traffic, my initial
concern. I think that detecting authentication requests with wrong
passwords or nonexistent users is still the most generic solution. Just
an opinion.

Best regards,

Flavio E. Goncalves
CEO - V.Office
OpenSIPS Bootcamp (New Jersey, NY  Nov. 15-19)




2010/11/3 Saúl Ibarra Corretgé <s...@ag-projects.com>:
On 11/03/2010 04:00 PM, Hung Nguyen wrote:
Hi all, thanks for reply.

I have tested with pike module. It is very simple.

------
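loadmodule "pike.so"

# length of one sampling unit, in seconds
modparam("pike", "sampling_time_unit", 3)
# requests allowed per source IP in one sampling unit
modparam("pike", "reqs_density_per_unit", 20)

# inside the request route
if (method=="REGISTER" || method=="OPTIONS" || method=="BYE") {
       if (!pike_check_req()) {
           #TODO: do anything if you want
           drop();
           exit;
       }
}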
------

I tested with sipvicious; in about 5 seconds pike detects the flood => drop
the packet or send 200 OK for REGISTER (svcrash.py will stop).
You can block flooding with any method.

Take into account that with pike module you are dropping the packets at
the application level, but they still enter the system. As the pike
module also generates syslog messages, you may want to use them in
combination with some other tool in order to block the traffic with
iptables, for example.


Regards,

--
Saúl Ibarra Corretgé
AG Projects

_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users





--
Bogdan-Andrei Iancu
OpenSIPS Bootcamp
15 - 19 November 2010, Edison, New Jersey, USA
www.voice-system.ro
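
Added example, not code from any poster in this thread or from the OpenSIPS project: one way to turn pike's syslog messages into firewall rules while exempting known high-rate sources such as diallers and gateways. The log text matched by `PIKE_RE`, the allowlist, the function names and the sample lines are assumptions constructed for illustration; check the pattern against what your OpenSIPS version actually logs.

```python
import ipaddress
import re
from collections import Counter

# Assumption: pike's syslog line contains "PIKE - BLOCKing ip <addr>".
PIKE_RE = re.compile(r"PIKE - BLOCKing ip ([0-9A-Fa-f:.]+)")

# Hypothetical allowlist of known high-rate sources (diallers, gateways).
TRUSTED = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.7/32")]

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "Nov  3 16:02:11 sip1 opensips[2211]: PIKE - BLOCKing ip 203.0.113.50, node=0x7f3a10",
    "Nov  3 16:02:14 sip1 opensips[2211]: PIKE - BLOCKing ip 203.0.113.50, node=0x7f3a10",
    "Nov  3 16:02:15 sip1 opensips[2211]: PIKE - BLOCKing ip 192.0.2.5, node=0x7f3b20",
    "Nov  3 16:02:16 sip1 opensips[2211]: PIKE - BLOCKing ip 192.0.2.5, node=0x7f3b20",
    "Nov  3 16:02:17 sip1 opensips[2211]: PIKE - BLOCKing ip 203.0.113.77, node=0x7f3c30",
    "Nov  3 16:02:18 sip1 opensips[2211]: PIKE - BLOCKing ip 999.1.1.1, node=0x7f3d40",
]


def blocked_sources(lines, min_hits=2, trusted=TRUSTED):
    """Return IPs pike flagged at least min_hits times, excluding trusted nets."""
    hits = Counter()
    for line in lines:
        m = PIKE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address: never let it reach a firewall rule
        if not any(ip in net for net in trusted):
            hits[ip] += 1
    flagged = [ip for ip, n in hits.items() if n >= min_hits]
    return [str(ip) for ip in sorted(flagged, key=lambda a: (a.version, int(a)))]


def iptables_rules(ips, port=5060):
    """Render (do not execute) DROP rules for the SIP port, for review."""
    rules = []
    for ip in ips:
        tool = "ip6tables" if ":" in ip else "iptables"
        rules.append(f"{tool} -I INPUT -s {ip} -p udp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in iptables_rules(blocked_sources(SAMPLE_LOG)):
        print(rule)
```

Requiring more than one pike hit before a rule is rendered, and validating each address before it is placed in a command line, keeps a single burst or a garbled log line from producing a block.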

