First of all, This is an attack from sipvicious. It is an *attack*. It will be very high rate (cps) and you do *not* want to use anything that consumes resources to attempt to block it.
First recommendation is to use iptables. In addition, you *should* put a check in your config for friendly-scanner and drop() the packet. Do not reply with a sip code. You want to be invisible to the attacker. If you reply with a sip code, they'll just scan you attempting to find a request combination that will return a usable result. 1. Do whatever you can to not use CPU resources to block this 2. Don't look like a SIP server to source IPs you do not recognize I guarantee, if you look like a SIP server, you will get brutally attacked from unsolicited sources. Read up on the fail2ban docs for asterisk. They have some good ideas in there on how to perform intrusion detection and how to automatically add offending traffic to fail2ban. You can do something similar in OpenSIPs. I would be very curious to hear about other people's experiences using the Pike module to block this type of traffic. For what it's worth, I've seen attack traffic high enough in bandwidth to saturate a pretty beefy internet connection and I've even seen it crash routers. If you can avoid them finding you in the first place, that would be a much better option. -Brett On Mon, Oct 8, 2012 at 7:53 AM, Engineer voip <forvo...@gmail.com> wrote: > Hi, > I'm trying to use pike module and i'm using the script above, but when i > execute this command " opensipsctl fifo pike_list" > i don't get any address blocked > My opensips config is: > > loadmodule "pike.so" > modparam("pike", "sampling_time_unit", 10) > modparam("pike", "reqs_density_per_unit", 30) > modparam("pike", "remove_latency", 120) > modparam("pike", "check_route","pike") # enable automatic checking > modparam("pike", "pike_log_level",1) > > route[pike] > { > if (src_ip==x.x.x.x ||src_ip==gw_ip) # Trusted IP > xlog("L_INFO", "in pike route "); > drop(); > } > > have you an idea please toresolve that? > > 2012/10/8 SamyGo <govoi...@gmail.com> > >> Hi, >> Relax it says its Friendly !! >> >> But still if you want to block it you've many options i.e in opensips.cfg >> start put a condition $ua =~ "friendly-scanner". If matched return >> stateless some error. >> Other option is to use pike module. >> Another option is use fail2ban for opensips logs. >> More sophisticated options involve firewalls with IPS and IDS modules. >> >> I hope it was helpful. >> >> BR >> Sammy >> On Oct 8, 2012 2:33 PM, "Engineer voip" <forvo...@gmail.com> wrote: >> >>> Hi All, >>> I receveid several packets of registration from a "friendly-scanner" >>> on my opensips server >>> how can i do to block that please?? >>> >>> -- >>> >>> Best Regards. >>> >>> >>> >>> _______________________________________________ >>> Users mailing list >>> Users@lists.opensips.org >>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users >>> >>> >> _______________________________________________ >> Users mailing list >> Users@lists.opensips.org >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users >> >> > > > -- > > Best Regards. > > > > _______________________________________________ > Users mailing list > Users@lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > >
_______________________________________________ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users