Advice: Read threads initiated by you thoroughly.
Read: http://blog.sipvicious.org/ to know more about the tool we all face
every once in a while.

Regards,
Qasim

On Tue, Oct 9, 2012 at 2:27 PM, Engineer voip <forvo...@gmail.com> wrote:
> Hi All,
> thank you for your reply. Now I want to simulate an attacker to test if
> my fail2ban and pike module work well.
> Does someone have an idea how to do that?
>
> 2012/10/9 SamyGo <govoi...@gmail.com>
>
>> Hi,
>>
>> Very nice suggestions by Brett. I remember there are regular threads like
>> these on the mailing lists and people share a lot of experiences. AFAIR
>> there was some service which contains the IP addresses of known attackers,
>> available for users. OP needs to do some searching in this regard to
>> collect more ideas.
>>
>> *Nothing is _NOT_ CPU cycles free*
>>
>> I'm not sure about sip vicious, but if I were to detect and hack a SIP
>> server I'd first start by sending OPTIONS on its ports. Mostly that's where
>> things kick off. Changing the user-agent field is nothing big, so the question
>> is how do you know a hacker is about to get angry!!
>>
>> I'd say it needs a time populated repository and a well crafted shell
>> script to maintain the list of hacker IPs captured in the past and use it
>> across all the servers or devices. Let me explain the idea.
>>
>> *i)* - Take fail2ban for example, or pike module, or iptables rate
>> limit mechanism to initially detect a new born hacker trying to access your
>> sip server (yes, it will take a few minutes to finally conclude that a particular
>> source IP is a hacker) - Store that IP in your hacker's listing.
>> *ii)* - For any incoming packets one needs to look up the hacker's
>> listing and detect if a known hacker or not.
>> *iii)* - Use an intelligent script to share the detected hacker's IP
>> across all the other SIP servers and router devices/firewall to block the
>> traffic at network layer.
>>
>> *Critical Exceptions:*
>> Always ensure that the IP which is going to get blocked across the whole
>> network perimeter is not your own server or within the same subnet as
>> yours.
>> It shouldn't be localhost as well. (Hint: IP spoofing)
>>
>> *Focus on Security rather than Friendly-scanner:*
>>
>> One needs to secure each and everything when it comes to security; just
>> one layer of security, i.e. fail2ban or iptables or pike module, is never
>> enough. Like Brett said, you can drop packets once you've detected a "very friendly
>> scanner", but how about a customer who wants to toy with your service! How
>> about a massive DoS attack!! drop() won't help alone. iptables needs to be
>> there to stop the packets from even reaching the SIP server app, then again
>> why should the server's NIC be choked up by that massive DoS! Your
>> firewall or networking device should stop the packets from entering the
>> network!
>>
>> This is just not enough: How about a different unique new tool which
>> sends malicious or malformed SIP packets to crash the server!! It's just
>> one packet but malformed -- all the above measures WILL fail!! Obviously
>> one needs to go one step ahead and use SNORT or anything like IDS+IPS to verify
>> that the packet going through the network is not malformed.
>>
>> That's pretty much it for now. There are things which I've forgotten to
>> write at the moment OR might not even know, which I expect someone else may
>> like to add.
>>
>> Networks and Data Security is a huge field, and VoIP security alone has
>> hundreds of books on the topic.
>>
>> *Interesting threads to read:*
>>
>> http://lists.opensips.org/pipermail/users/2010-November/015243.html
>> http://lists.opensips.org/pipermail/users/2011-June/018271.html
>> Read: http://blog.sipvicious.org/ to know more about the tool we all
>> face every once in a while.
>> Fail2ban for openSIPS ::
>> http://www.opensips.org/Resources/DocsTutFail2ban
>>
>> --
>> Best Regards
>> Sammy
>>
>> On Mon, Oct 8, 2012 at 6:31 PM, Brett Nemeroff <br...@nemeroff.com> wrote:
>>
>>> First of all,
>>> This is an attack from sipvicious. It is an *attack*.
>>> It will be very high rate (cps) and you do *not* want to use anything that consumes
>>> resources to attempt to block it.
>>>
>>> First recommendation is to use iptables. In addition, you *should* put a
>>> check in your config for friendly-scanner and drop() the packet. Do not
>>> reply with a SIP code. You want to be invisible to the attacker. If you
>>> reply with a SIP code, they'll just scan you attempting to find a request
>>> combination that will return a usable result.
>>>
>>> 1. Do whatever you can to not use CPU resources to block this
>>> 2. Don't look like a SIP server to source IPs you do not recognize
>>>
>>> I guarantee, if you look like a SIP server, you will get brutally
>>> attacked from unsolicited sources.
>>>
>>> Read up on the fail2ban docs for Asterisk. They have some good ideas in
>>> there on how to perform intrusion detection and how to automatically add
>>> offending traffic to fail2ban. You can do something similar in OpenSIPS.
>>>
>>> I would be very curious to hear about other people's experiences using
>>> the Pike module to block this type of traffic. For what it's worth, I've
>>> seen attack traffic high enough in bandwidth to saturate a pretty beefy
>>> internet connection and I've even seen it crash routers. If you can avoid
>>> them finding you in the first place, that would be a much better option.
>>> -Brett
>>>
>>> On Mon, Oct 8, 2012 at 7:53 AM, Engineer voip <forvo...@gmail.com> wrote:
>>>
>>>> Hi,
>>>> I'm trying to use pike module and I'm using the script above, but when
>>>> I execute this command "opensipsctl fifo pike_list"
>>>> I don't get any address blocked.
>>>> My opensips config is:
>>>>
>>>> loadmodule "pike.so"
>>>> modparam("pike", "sampling_time_unit", 10)
>>>> modparam("pike", "reqs_density_per_unit", 30)
>>>> modparam("pike", "remove_latency", 120)
>>>> modparam("pike", "check_route", "pike")   # enable automatic checking
>>>> modparam("pike", "pike_log_level", 1)
>>>>
>>>> route[pike]
>>>> {
>>>>     # Trusted IPs (own server x.x.x.x, gateway gw_ip): log only, never drop
>>>>     if (src_ip==x.x.x.x || src_ip==gw_ip) {
>>>>         xlog("L_INFO", "in pike route: trusted source $si, not blocking\n");
>>>>     } else {
>>>>         # Every other source that pike flagged as flooding is dropped
>>>>         xlog("L_INFO", "in pike route: flooding from $si, dropping\n");
>>>>         drop();
>>>>     }
>>>> }
>>>>
>>>> Do you have an idea how to resolve that, please?
>>>>
>>>> 2012/10/8 SamyGo <govoi...@gmail.com>
>>>>
>>>>> Hi,
>>>>> Relax, it says it's Friendly!!
>>>>>
>>>>> But still, if you want to block it you've many options, i.e. in
>>>>> opensips.cfg start put a condition $ua =~ "friendly-scanner". If matched,
>>>>> return stateless some error.
>>>>> Other option is to use pike module.
>>>>> Another option is use fail2ban for opensips logs.
>>>>> More sophisticated options involve firewalls with IPS and IDS modules.
>>>>>
>>>>> I hope it was helpful.
>>>>>
>>>>> BR
>>>>> Sammy
>>>>> On Oct 8, 2012 2:33 PM, "Engineer voip" <forvo...@gmail.com> wrote:
>>>>>
>>>>>> Hi All,
>>>>>> I received several packets of registration from a "friendly-scanner" on
>>>>>> my opensips server.
>>>>>> How can I block that, please?
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Best Regards.
>>>>
>>>> --
>>>>
>>>> Best Regards.
>
> --
>
> Best Regards.

_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
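As an added example that is not part of this thread (and not OpenSIPS, pike or fail2ban code), here is a small Python detector in the spirit of Sammy's three steps and Brett's fail2ban advice. It parses constructed syslog-style lines (the "SCAN:" and "AUTH-FAIL:" formats are an assumed shape for xlog() output, not a real OpenSIPS log format), bans a source either immediately on a known scanner user-agent or after repeated authentication failures inside a sliding window, refuses to ban loopback or your own subnets as Sammy's critical exception requires, and renders the result as iptables rules that could be pushed to the other SIP servers and the edge firewall. The sample addresses and the 10.0.0.0/24 "own subnet" are constructed.

```python
"""Fail2ban-style detection over OpenSIPS-like log lines (added example)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines. The "SCAN:" / "AUTH-FAIL:" shape is an assumption
# about what two xlog() calls in opensips.cfg would write, not a real format.
SAMPLE_LOG = """\
Oct  9 14:20:01 sip1 opensips[1234]: SCAN: ua=friendly-scanner si=203.0.113.7 method=REGISTER
Oct  9 14:20:05 sip1 opensips[1234]: AUTH-FAIL: si=198.51.100.9 method=REGISTER
Oct  9 14:20:06 sip1 opensips[1234]: AUTH-FAIL: si=198.51.100.9 method=REGISTER
Oct  9 14:20:07 sip1 opensips[1234]: AUTH-FAIL: si=198.51.100.9 method=REGISTER
Oct  9 14:20:08 sip1 opensips[1234]: AUTH-FAIL: si=198.51.100.9 method=REGISTER
Oct  9 14:20:09 sip1 opensips[1234]: AUTH-FAIL: si=198.51.100.9 method=REGISTER
Oct  9 14:20:10 sip1 opensips[1234]: AUTH-FAIL: si=192.0.2.10 method=REGISTER
Oct  9 14:25:30 sip1 opensips[1234]: AUTH-FAIL: si=192.0.2.10 method=REGISTER
Oct  9 14:20:11 sip1 opensips[1234]: AUTH-FAIL: si=10.0.0.5 method=REGISTER
Oct  9 14:20:11 sip1 opensips[1234]: AUTH-FAIL: si=10.0.0.5 method=REGISTER
Oct  9 14:20:12 sip1 opensips[1234]: AUTH-FAIL: si=10.0.0.5 method=REGISTER
Oct  9 14:20:12 sip1 opensips[1234]: AUTH-FAIL: si=10.0.0.5 method=REGISTER
Oct  9 14:20:13 sip1 opensips[1234]: AUTH-FAIL: si=10.0.0.5 method=REGISTER
Oct  9 14:20:14 sip1 opensips[1234]: SCAN: ua=friendly-scanner si=127.0.0.1 method=OPTIONS
Oct  9 14:20:15 sip1 opensips[1234]: this line is not in the expected format
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ opensips\[\d+\]: "
    r"(?P<event>SCAN|AUTH-FAIL): (?:ua=(?P<ua>\S+) )?si=(?P<si>[0-9.]+) method=\S+$"
)


def parse_line(line):
    """Return {'ts', 'event', 'ua', 'si'} for a recognised line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog stamps carry no year; a fixed year is fine for relative windows
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "event": m.group("event"), "ua": m.group("ua"), "si": m.group("si")}


def is_protected(ip, networks):
    """Loopback, our own servers and our own subnets must never be blocked:
    a spoofed source address could otherwise make us cut ourselves off."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in networks)


def detect_offenders(log_text, protected_networks, max_fails=5, window=timedelta(seconds=60)):
    """Return (banned, skipped): banned is a sorted list of source IPs to block,
    skipped maps protected IPs that would otherwise have been banned to a reason."""
    nets = [ipaddress.ip_network(n) for n in protected_networks]
    recent = defaultdict(deque)  # ip -> timestamps of recent auth failures
    banned, skipped = set(), {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["si"]
        if ev["event"] == "SCAN":
            hit = True  # a known scanner user-agent is reason enough on its own
        else:
            q = recent[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # drop failures outside the window
                q.popleft()
            hit = len(q) >= max_fails
        if not hit:
            continue
        if is_protected(ip, nets):
            skipped[ip] = "protected address, not blocked"
        else:
            banned.add(ip)
    return sorted(banned), skipped


def iptables_rules(banned):
    """Network-layer block rules, one per banned IP, to distribute to every
    SIP server and the edge firewall so the packets never reach the SIP app."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP" for ip in banned]


if __name__ == "__main__":
    banned, skipped = detect_offenders(SAMPLE_LOG, ["10.0.0.0/24"])  # constructed own subnet
    print("ban:", banned)
    print("skipped:", skipped)
    print("\n".join(iptables_rules(banned)))
```

On the sample, 203.0.113.7 is banned on the user-agent alone, 198.51.100.9 is banned after five failures within a minute, 192.0.2.10 is not banned because its two failures are five minutes apart, and both 10.0.0.5 (own subnet) and 127.0.0.1 are reported as skipped rather than blocked.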