Re: Denial-of-Service attack on UDP-port 5060 (SIP/VoIP)

["SISINT BA" <INFO@SISINT.COM.AR>]

dear friends here again :

Sorry about misstyping.   the script name  well typed is

 FAIL2BAN .

 it's so easy to configure  and use ,  just a few steps to put it to work.

need to define  a rule to detect  Fails in the  log file  ( ie   choose what
log inspect  asterisk.log o, or syslog, or messages. and so on  )  for
looking  some reg expressions inside them  ( like " wrong password " , .. an
son on )   and to define   an action to take when an attack was detected (
ie add  iptables rule ) and Voilá!,  that is it!!.  That's all!!!.  you will
find examples there with the script

take a look here
http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk
 this may guide quickly  to setup on asterisk


This script  will  work fine with other services too,     vsftp, httpd,
SSH,  or any user log that you got
you can define how many fails will be assumed like attack and  how many time
leave EACH  host banned ,
also can  send a mail to any address using the mta  to  NOTIFY EVENTS ,
included start and stop  the defense ,
this   so helpfull to larm when  rebooting,,,,,, power failrudes ,,,,


Believe me , You will find this script so  helpfull.
i really hope that this may help you too.

Join together  to keep bad people banned!!!!    :-)

Think about this :
This schema  keep in sight to detetct intruders a neturalize your action
quickly , and no matters  to dive into the nature of the networks. because
of for the thieves  it's more easy to steal any  people that don't have any
"alarm"  that fight against  guys that were alerted and armed !!! and they
just  will leave us alone when they had seen that were dsicovered. .


Good luck, ....and ....... "That the force be with You!" .......or better
....... with "Us"

marcos





----- Original Message -----
From: "Secure-SIP-Server" <info@secure-sip-server.net>
To: <netfilter@vger.kernel.org>
Sent: Sunday, November 28, 2010 6:31 PM
Subject: Re: Denial-of-Service attack on UDP-port 5060 (SIP/VoIP)


> @ Pascal Hambourg
>
> > > I'm suffering on a Denial-of-Service attack on my SIP(VoIP) UDP port
> > > 5060,
> > > getting more then 70 REGISTER requests per second since yesterday. All
> > > comming from the Japanese IP 59.146.75.111:5088.
> > [...]
> > > How can this requests (UDP) be from a ESTABLISHED connection??? They
> > > passed
> > > the firewall in the first two examples and therefore they must be
> > > ESTABLISHED!?!
> >
> > UDP being connectionless by nature, the notion of "UDP connection" is
> > rather loose. Therefore a continuous flow of packets with the same ports
> > and addresses can be considered as one sigle connection even if they are
> > actually unrelated requests.
>
> Yes, looks like. I discovered that this only happens if I add the FW-rule
> later then the first connection of the attacker to my SIP-server happened.
> When I install the rule to DROP this requests behind
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> I must reboot the server before it works. If I don't want to reboot I must
> put the DROP rule before this rule.
>
> > > Is there a way to tell iptables to lock only a specific IP:PORT for a
> > > while
> > > if this IP transmits more then 50 requests per second? If so, how?
> >
> > Check the "recent" match. Be sure you read carefully the man page about
> > its default limits.
>
> Thanks for this!!! But ...
> The author of "recent" writes:
> "If the '--update' rule is before this check for ! NEW,INVALID packets
then
> ESTABLISHED connection or those in the process of becoming ESTABLISHED
could
> be disrupted by a malicious person who can modify his/her source address."
> So in his opinion my
> iptables -A INPUT -p udp --dport 5060 -m recent --update --seconds
> 1 --hitcount 20 -j DROP
> must come behind
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> and this leads me to the problem from above. This ACCEPT rule lets pass
all
> packages, because the first 19 packets in the first second are accepted
and
> therefore the FW considers the continuous flow of packets with the same
port
> and address as a single connection - and let them pass here.
>
> Is there a way to tell the FW that this continuous flow of packets is not
to
> be considered a ESTABLISHED connection?
>
>
> ----------
> @marcos
>
> > i had the same  trouble in the past , and beyond  the  rules for your FW
> > on
> > itself there  is " other consideration"  to get on mind  , all people
that
> > are trying to steal  Voip   deploy you "brute force attack"  first
trying
> > with  few packets,  then  if they were not blocked , the real attacks
> > begins
> > later .  because don't have any sense keep attack to a blocked server,
> > thay
> > are  bad no dummies . so  the speed with  you blocks  these tries are so
> > critical and will defines to your  intruder how  effective is the
defense
> > that you have.
> >
> > So will be so helpfull install some script that inspect your logs to
> > detect
> > the intrusion attack , i have very well result with   FAIL2BABN, [...]
>
> Thank you for this idea and your other considerations!!!
>
>
> Regards
>
> Detlef Pilzecker
> Weitlahnerstraße 8
> D - 83209 Prien am Chiemsee
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>