 
mrwes88
just joined
Topic Author
Posts: 7
Joined: Mon Oct 18, 2010 7:53 pm

PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Mon Oct 18, 2010 8:08 pm

Hi All,

Lately (almost every day) I have seen SIP registration attempts on our Asterisk SIP servers. The following are Asterisk message log entries.

Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9973"<sip:9973@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9975"<sip:9975@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9979"<sip:9979@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9980"<sip:9980@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9983"<sip:9983@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9984"<sip:9984@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9985"<sip:9985@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9986"<sip:9986@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9987"<sip:9987@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9988"<sip:9988@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9989"<sip:9989@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9990"<sip:9990@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9991"<sip:9991@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9992"<sip:9992@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9993"<sip:9993@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9994"<sip:9994@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9995"<sip:9995@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9996"<sip:9996@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9999"<sip:9999@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"10000"<sip:10000@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch

The rogue hackers are simply using scripts to attempt SIP account registration for extensions 1-10000, and this bogs down Asterisk trying to respond to a burst of hundreds of attempts in a second.

Filter #8 was in place to block attempts from sip_blacklist. Filter #9 attempts to block any UDP packet destined for ports 5060-5099 beyond a 1-second burst of 25 attempts, by destination address. The last filter, #10, will add the rogue hacker to sip_blacklist. Please note that I intend to use the filter to block SIP registration on all Asterisk servers behind the MikroTik router. Did I screw up by using the INPUT and OUTPUT chains, as rules 8-10 do not work?

8 ;;; Drop SIP brute force registration
chain=input action=drop protocol=udp src-address-list=sip_blacklist dst-port=5060-5099

9 chain=output action=accept protocol=udp dst-port=5060-5099 dst-limit=1,25,dst-address/1m

10 chain=output action=add-dst-to-address-list protocol=udp address-list=sip_blacklist address-list-timeout=4w2d dst-port=5060-5099

I would very much appreciate it if you could comment and point me to the right syntax to implement a filter for SIP registration hack attempts.

Thank you very much and Have a Nice day all :D
Last edited by mrwes88 on Tue Oct 26, 2010 7:26 am, edited 4 times in total.
 
mrz
MikroTik Support
Posts: 7188
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Filter to block rogue SIP registration attempt ?

Tue Oct 19, 2010 10:05 am

To block packets that go through the router, chain should be "forward".
 
pbel88
just joined
Posts: 9
Joined: Wed May 23, 2007 8:19 am

Re: Filter to block rogue SIP registration attempt ?

Tue Oct 19, 2010 9:21 pm

I'm having the same problem, but cannot find a way to make UDP ports 5060-5099 be recognized by the filter rule.

4 ;;; Drop sip brute force registration
chain=forward action=drop protocol=udp
src-address-list="Detected VoIP Hack" dst-port=5060-5099

5 chain=forward action=accept protocol=udp dst-port=5060-5099
dst-limit=1,25,dst-address/1m40s

6 chain=forward action=add-dst-to-address-list protocol=udp
src-address-list=!Inside-IPs address-list="Detected VoIP Hack"
address-list-timeout=4w2d dst-port=5060-5099

Nothing seems to be filtered.
 
mrwes88
just joined
Topic Author
Posts: 7
Joined: Mon Oct 18, 2010 7:53 pm

Re: Filter to block rogue SIP registration attempt ?

Wed Oct 20, 2010 1:51 am

I'm having the same problem, but cannot find a way to make UDP ports 5060-5099 be recognized by the filter rule.

4 ;;; Drop sip brute force registration
chain=forward action=drop protocol=udp
src-address-list="Detected VoIP Hack" dst-port=5060-5099

5 chain=forward action=accept protocol=udp dst-port=5060-5099
dst-limit=1,25,dst-address/1m40s

6 chain=forward action=add-dst-to-address-list protocol=udp
src-address-list=!Inside-IPs address-list="Detected VoIP Hack"
address-list-timeout=4w2d dst-port=5060-5099

Nothing seems to be filtered.
Hi,

Per the suggestion posted, I've updated the chain to "forward" and it seems to have taken the update.

8 ;;; Drop SIP brute force registration
chain=forward action=drop protocol=udp src-address-list=sip_blacklist dst-port=5060-5099

9 chain=forward action=accept protocol=udp dst-port=5060-5099 dst-limit=1,10,dst-address/1m

10 chain=forward action=add-dst-to-address-list protocol=udp address-list=sip_blacklist address-list-timeout=4w2d dst-port=5060-5099

You mentioned "make UDP ports 5060-5099 be recognized by the filter rule"; are you not able to update the rule, or what seems to be your issue here?

Thanks.
 
mrwes88
just joined
Topic Author
Posts: 7
Joined: Mon Oct 18, 2010 7:53 pm

Re: Filter to block rogue SIP registration attempt ?

Wed Oct 20, 2010 2:00 am

To block packets that go through the router, chain should be "forward".
Hi,

I would appreciate it if you could comment on the 3 filter rules posted earlier; will this stop rogue scripts/servers from attempting
to request a SIP registration with the Asterisk server?

Thanks.
 
pbel88
just joined
Posts: 9
Joined: Wed May 23, 2007 8:19 am

Re: Mikrotik filter blocking rogue Asterisk SIP registration

Wed Oct 20, 2010 8:40 pm

I've changed my rules to identify and route UDP 5060-5099 traffic, but still nothing seems to be filtered. The bytes and packets counters are at 0. You can look at the picture attached.
counter.GIF
4 ;;; Checking for VoIP protection
chain=forward action=jump jump-target="Protect VoIP" protocol=udp
dst-port=5060-5099

5 chain="Protect VoIP" action=accept protocol=udp dst-port=5060-5099
dst-limit=1,25,dst-address/1m40s

6 chain="Protect VoIP" action=add-dst-to-address-list protocol=udp
src-address-list=!Inside-IPs address-list="Detected VoIP Hack"
address-list-timeout=4w2d dst-port=5060-5099

7 chain="Protect VoIP" action=drop protocol=udp
src-address-list="Detected VoIP Hack" dst-port=5060-5099
 
mrwes88
just joined
Topic Author
Posts: 7
Joined: Mon Oct 18, 2010 7:53 pm

Re: Mikrotik filter blocking rogue Asterisk SIP registration

Thu Oct 21, 2010 4:49 pm

Mikrotik_SIP_Filter.png
My 2nd rule seems to work somewhat, but it failed to capture the hacker's source IP address into the filter list.
Will anyone from MikroTik care to offer any advice or suggestions on getting a working filter to block rogue SIP registration?

I will offer a PayPal cash bounty of USD 100 for your effort if the submission is tested
and proven to filter and block rogue hackers' SIP registration attempts. Your effort will
be rewarded; please PM me directly or post it here 8)

Thank you.
 
pbel88
just joined
Posts: 9
Joined: Wed May 23, 2007 8:19 am

Re: REWARD! Filter to block rogue Asterisk SIP registration

Fri Oct 22, 2010 12:16 am

I'll give $50 through PayPal too!
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: REWARD! Filter to block rogue Asterisk SIP registration

Fri Oct 22, 2010 1:03 am

I can do it. Do you want to block failed registrations, or failed invites? They are not the same...
 
pbel88
just joined
Posts: 9
Joined: Wed May 23, 2007 8:19 am

Re: REWARD! Filter to block rogue Asterisk SIP registration

Fri Oct 22, 2010 1:57 am

I can't tell you if it's to block failed registrations or failed invites.

All I can tell is that I get several attempts in a short period of time. Look at the log below. Those attempts can be as high as 70 requests per second. All I want is to be able to trigger, tag the hacker, drop and ban future attempts and the hacker if the number of requests is higher than 50 (or a customizable threshold) per second. You can see that they are all coming from the same IP. If you see a better way of doing it, feel free to tell me.

[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"andrew"<sip:andrew@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"hello"<sip:hello@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"maggie"<sip:maggie@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"monday"<sip:monday@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"pascal"<sip:pascal@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"Smokey"<sip:Smokey@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"baseball"<sip:baseball@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"daniel"<sip:daniel@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"diamond"<sip:diamond@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"joshua"<sip:joshua@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"michelle"<sip:michelle@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"mike"<sip:mike@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"silver"<sip:silver@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"1q2w3e"<sip:1q2w3e@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"Friends"<sip:Friends@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"George"<sip:George@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"falcon"<sip:falcon@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"fuckyou"<sip:fuckyou@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"pepper"<sip:pepper@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
 
mrwes88
just joined
Topic Author
Posts: 7
Joined: Mon Oct 18, 2010 7:53 pm

Re: REWARD! Filter to block rogue Asterisk SIP registration

Fri Oct 22, 2010 8:28 pm

I can do it. Do you want to block failed registrations, or failed invites? They are not the same...
The following would be the logic:

. Check the "SIP blocked" filter list; if the src-address is an IP found in the list, drop the packet.
. If packets from the same src-address exceed a 20/50 per second burst of 5060 SIP registrations (failed) or SIP invites (failed),
block the src-address for X secs.
. Add the src-address to the "SIP blocked" filter list.

Thanks.
 
mrwes88
just joined
Topic Author
Posts: 7
Joined: Mon Oct 18, 2010 7:53 pm

Re: REWARD! Filter to block rogue Asterisk SIP registration

Tue Oct 26, 2010 7:24 am

No taker for the bounty ??? No one has a solution ???
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Tue Oct 26, 2010 6:56 pm

This is a first stab; it is by no means complete. But we can expand on it to fit your needs. After running this for a weekend I see 8 IP addresses in my list. You need to whitelist your SIP server (sip-auth) just in case, as well as any clients that seem to have problems with this. You then use the forward chain to drop packets in the sip-not-auth address-list:

/ip firewall mangle
add action=add-dst-to-address-list address-list=sip-not-auth \
address-list-timeout=2d1h chain=forward comment=\
"SIP Not Authorized Checking" connection-bytes=0-2048 content=\
"SIP/2.0 401 Unauthorized" disabled=no dst-address-list=!sip-auth \
dst-limit=5,5,dst-address/30s in-interface=YOURWANPORT protocol=udp \
src-address=YOUR.PBX.SOURCE.ADDRESS src-port=5060-5069

If this isn't stable enough, I would suggest using a script on the Linux box to parse the SIP log and use a port knock to the MikroTik to block them. If you want help doing it this way let me know.
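The logic mrwes88 spelled out earlier (check a block list, count failed registrations per source, ban a source that bursts past a threshold, never ban whitelisted addresses) and changeip's fallback of parsing the SIP log on the Linux box fit together in one script. The following is an added example, not code from this thread or from any of its posters: it parses the chan_sip `Registration from ... failed for` lines in both layouts seen above, counts failures per source address inside a sliding window, and prints the RouterOS address-list command for each offender. The list name, threshold, window, timeout, the RFC 5737 test addresses and the sample log lines are all assumptions; pushing the commands to the router (for example over ssh) is left to the caller.

```python
"""Ban SIP brute-forcers on a MikroTik router from Asterisk chan_sip log lines.

Added example (not code from this thread): failed REGISTERs are counted per
SOURCE address in a sliding window, sources that burst past a threshold get
a RouterOS address-list command, whitelisted networks never do. List name,
threshold, window, timeout and the sample lines are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Both chan_sip layouts seen in the thread, e.g.
#   Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9973"<sip:9973@PBX>' failed for '203.0.113.7' - Username/auth name mismatch
#   [Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"andrew"<sip:andrew@PBX:5060>' failed for '203.0.113.7' - No matching peer found
# Newer Asterisk builds append ":port" to the source address, hence the optional group.
LINE_RE = re.compile(
    r"^\[?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\]?\s+"
    r"NOTICE\[\d+\] chan_sip\.c: Registration from '(?P<from>[^']*)' "
    r"failed for '(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.*)$"
)


def parse_line(line):
    """Return {'ts', 'ip', 'from', 'reason'} for a failed-registration line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year; strptime fills in 1900, which is fine
    # for the relative comparisons done below.
    ts = datetime.strptime(re.sub(r" +", " ", m.group("ts")), "%b %d %H:%M:%S")
    return {"ts": ts, "ip": m.group("ip"), "from": m.group("from"),
            "reason": m.group("reason")}


def find_offenders(lines, threshold=20, window_s=1.0, whitelist=()):
    """Map source IP -> peak failures seen inside any window_s-second span,
    for sources whose peak reached threshold. Keyed on the attacker's address,
    never on the PBX the packets were addressed to."""
    nets = [ip_network(w, strict=False) for w in whitelist]
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if any(ip_address(rec["ip"]) in n for n in nets):
            continue                      # whitelisted phone or trunk: never ban
        stamps[rec["ip"]].append(rec["ts"])
    offenders = {}
    for ip, times in stamps.items():
        window, peak = deque(), 0
        for ts in sorted(times):
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_s:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def routeros_ban_command(ip, list_name="sip_blacklist", timeout="4w2d"):
    """RouterOS CLI line that lists one address; a forward-chain rule
    'src-address-list=sip_blacklist action=drop' then discards its traffic."""
    return (f"/ip firewall address-list add list={list_name} address={ip} "
            f'timeout={timeout} comment="asterisk: failed REGISTER burst"')


def sample_log():
    """Constructed sample in the thread's log format (RFC 5737 addresses)."""
    lines = []
    for n in range(1, 26):                # scanner: 25 users in one second
        lines.append(f"Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from "
                     f"'\"{n}\"<sip:{n}@192.0.2.10>' failed for '203.0.113.7' - No matching peer found")
    for sec in ("00", "30"):              # phone with a mistyped password: 2 failures, 30 s apart
        lines.append(f"[Oct 17 23:53:{sec}] NOTICE[4570] chan_sip.c: Registration from "
                     f"'\"201\"<sip:201@192.0.2.10:5060>' failed for '198.51.100.20:5060' - Wrong password")
    for n in range(1, 26):                # whitelisted trunk misbehaving: must not be banned
        lines.append(f"Oct 17 23:54:10 NOTICE[4570] chan_sip.c: Registration from "
                     f"'\"{n}\"<sip:{n}@192.0.2.10>' failed for '192.0.2.5' - No matching peer found")
    lines.append("Oct 17 23:54:11 NOTICE[4570] chan_sip.c: Peer '201' is now Reachable")
    return lines


if __name__ == "__main__":
    for ip, peak in sorted(find_offenders(sample_log(), whitelist=["192.0.2.0/24"]).items()):
        print(routeros_ban_command(ip), f"# {peak} failures/s")
```

The window is keyed on the source address because that is the only thing that distinguishes the scanner from the PBX it is hammering; a single phone that mistypes its password twice in half a minute never reaches the threshold, while a scanner walking extension numbers trips it inside one second.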
 
mrwes88
just joined
Topic Author
Posts: 7
Joined: Mon Oct 18, 2010 7:53 pm

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Wed Oct 27, 2010 9:51 pm

Hi Changeip,

Thanks for your post, will appreciate if you could PM me with your contact.
 
changeip
Forum Guru
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Thu Oct 28, 2010 12:46 am

sam at ChangeIP.com is my email
 
poxx
newbie
Posts: 27
Joined: Sun Apr 18, 2010 12:16 pm

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Fri Dec 17, 2010 12:29 am

Read this :
http://www.sunshinenetworks.com.au/how- ... knock.html

It fixes your exact problem.

Cheers.
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Fri Dec 17, 2010 2:07 am

That's a good idea. If you know the clients who are registering and don't mind manually helping them get set up the first time, that works well.
 
pbel88
just joined
Posts: 9
Joined: Wed May 23, 2007 8:19 am

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Wed Sep 07, 2011 6:09 pm

Adding this line "alwaysauthreject=yes" to sip.conf helped big time.
 
Giepie
Member
Posts: 433
Joined: Mon Sep 13, 2004 12:33 pm
Location: Western Cape, South Africa

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Mon Feb 24, 2014 1:03 am

Hi guys

I know this is an old thread, but hopefully someone could help me out here.

I don't have a problem "catching" the SIP (UDP:5060) hackers, but I do have a problem rejecting them.

What I mean is this:
If I create a single filter rule with the hacker's IP as source, the counters go ballistic, so I'm happy that any traffic from that IP will be "caught". But when trying Drop or Reject (with all its sub-options), my external interface is still transmitting full blast (maxing out my outbound bandwidth).

I do understand that you don't have much control over traffic between your router and the Internet (your firewall only applies to traffic reaching the "inside" of your router), but surely there should be a way to make the hacker "give up" trying?

Eg:
2 chain=forward action=reject reject-with=icmp-network-unreachable src-address=188.0.0.0/8 in-interface=pppoe-out1

I redialed the PPPoE connection (to drop all established connections), but after a few seconds the hacker just comes back for more. I ended up creating a queue to limit that IP to 1bps up/down.

It's been a long day and I'm really tired, perhaps I'm missing the obvious, any help (even if you just shake me awake) would be extremely welcome!

Thanks a stack guys! G
 
miahac
Long time Member
Posts: 516
Joined: Wed Dec 14, 2005 5:04 pm
Location: Wichita, KS

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Tue Jun 03, 2014 2:14 am

This is a first stab; it is by no means complete. But we can expand on it to fit your needs. After running this for a weekend I see 8 IP addresses in my list. You need to whitelist your SIP server (sip-auth) just in case, as well as any clients that seem to have problems with this. You then use the forward chain to drop packets in the sip-not-auth address-list:

/ip firewall mangle
add action=add-dst-to-address-list address-list=sip-not-auth \
address-list-timeout=2d1h chain=forward comment=\
"SIP Not Authorized Checking" connection-bytes=0-2048 content=\
"SIP/2.0 401 Unauthorized" disabled=no dst-address-list=!sip-auth \
dst-limit=5,5,dst-address/30s in-interface=YOURWANPORT protocol=udp \
src-address=YOUR.PBX.SOURCE.ADDRESS src-port=5060-5069

If this isn't stable enough, I would suggest using a script on the Linux box to parse the SIP log and use a port knock to the MikroTik to block them. If you want help doing it this way let me know.
I think the original solution is more efficient, as it is just looking for total connections per second instead of deep inspection. It also would block the new SIP attack where an inbound call is placed as part of the scan, and any other types of anonymous 5060 traffic. But if it has no effect I will give this a try.
 
miahac
Long time Member
Posts: 516
Joined: Wed Dec 14, 2005 5:04 pm
Location: Wichita, KS

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Tue Jun 03, 2014 9:52 pm

Argh, no wonder you all kept asking about this ruleset. I found one MAJOR error, but I am still not getting the results I want. The major error is that you should not be blocking the dst but the src:

10 chain=output action=add-src-to-address-list protocol=udp address-list=sip_blacklist address-list-timeout=4w2d dst-port=5060-5099

Either way, in pseudocode, here is what I think we are trying to accomplish:

0. If address is in sip_blacklist BAN AND BURN IP COMPLETELY
1. If traffic is to port 5060-5099 and source IP is in sip-allow; accept
2. If traffic is to port 5060-5099 and connections/second under X; accept
3. If traffic is to port 5060-5099 and connections/second is over X; add source of traffic to sip_blacklist

I keep getting good IPs added to the ban list, even ones in the whitelist, so I have disabled rule 0 for now. Does the accept rule not skip subsequent rules?
 
miahac
Long time Member
Posts: 516
Joined: Wed Dec 14, 2005 5:04 pm
Location: Wichita, KS

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Tue Jun 03, 2014 10:07 pm

OK, I changed the rules a bit and now I am not flagging safe addresses. But I am still flagging customers.

Export
add action=drop chain=forward disabled=yes src-address-list=sip_blacklist
add chain=forward src-address-list=sip-safe
add chain=forward dst-limit=1,120,dst-address/1m dst-port=5060-5099 protocol=udp
add action=add-src-to-address-list address-list=sip_blacklist address-list-timeout=4w2d chain=forward dst-port=5060-5099 limit=0,0 protocol=udp
Print
78 X chain=forward action=drop src-address-list=sip_blacklist 
79   chain=forward action=accept src-address-list=sip-safe 
80   chain=forward action=accept protocol=udp dst-port=5060-5099 dst-limit=1,120,dst-address/1m 
81   chain=forward action=add-src-to-address-list protocol=udp address-list=sip_blacklist address-list-timeout=4w2d dst-port=5060-5099 limit=0,0 
 
miahac
Long time Member
Posts: 516
Joined: Wed Dec 14, 2005 5:04 pm
Location: Wichita, KS

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Tue Jun 03, 2014 10:19 pm

SIP scanners are still not getting listed in the blacklist:
ip firewall connections
 
ocgltd
Member Candidate
Posts: 112
Joined: Sun Sep 02, 2012 12:53 am
Location: Ontario, Canada

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Wed Jun 04, 2014 5:21 pm

Take a look at SecAst (http://www.telium.ca?secast). It watches for a variety of SIP attacks, can block based on geographic source of IP, watch for unusual calling patterns, etc. And best of all, it can talk to a MikroTik router to manage a list of blocked IP's.

It's Asterisk specific (but based on the error messages you posted you're running Asterisk)

---

EDIT: Note URL changed to www.telium.ca for this vendor.
Last edited by ocgltd on Sun May 24, 2015 3:52 pm, edited 2 times in total.
 
spaxton
Member Candidate
Posts: 192
Joined: Fri Jan 01, 2010 12:18 pm

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Mon Feb 16, 2015 1:47 pm

Take a look at SecAst (http://www.generationd.com). It watches for a variety of SIP attacks, can block based on geographic source of IP, watch for unusual calling patterns, etc. And best of all, it can talk to a MikroTik router to manage a list of blocked IP's.

It's Asterisk specific (but based on the error messages you posted you're running Asterisk)
Thanks for this link, but this thing is too expensive! Mostly, those who use Asterisk are NOT willing to pay 5000 USD for it.

Best Regards.
 
ocgltd
Member Candidate
Posts: 112
Joined: Sun Sep 02, 2012 12:53 am
Location: Ontario, Canada

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Thu Feb 26, 2015 5:23 pm

We've installed SecAst on call center and healthcare Asterisk servers (large-scale installations). If you're targeting home/small office then FREE is certainly the way to go...
 
spaxton
Member Candidate
Posts: 192
Joined: Fri Jan 01, 2010 12:18 pm

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Thu Feb 26, 2015 6:25 pm

We've installed SecAst on call center and healthcare Asterisk servers (large-scale installations). If you're targeting home/small office then FREE is certainly the way to go...
According to their official data, free SecAst won't communicate with mikrotik.
 
marrold
Member
Posts: 427
Joined: Wed Sep 04, 2013 10:45 am

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Fri Feb 27, 2015 12:26 am

I'm not sure if it would be possible to block these SIP messages using the router alone, even at layer 7.

Standard Registration is ->

REGISTER ->
<- 401 Unauthorized
REGISTER (With authentication) ->
<- 200 OK

INVITE ->
<- 401 Unauthorized
INVITE (With authentication) ->
<- 200 OK

401's are a normal part of the SIP dialogue.
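The dialogue marrold sketches above, carried through with the actual digest arithmetic, as an added example that is not part of the post or of Asterisk's code. The server side answers an unknown user and a wrong password with the identical 401, which is the behaviour `alwaysauthreject=yes` (mentioned earlier by pbel88) gives chan_sip; the PBX address, realm, nonce and credentials are constructed.

```python
"""REGISTER -> 401 -> REGISTER(with digest) -> 200: a normal SIP registration.

Added example (not code from the thread) for marrold's point: every honest
phone earns one 401 per registration, so a 401 by itself is not an attack
signal. The server answers an unknown user and a wrong password with the
identical 401. PBX address, realm, nonce and credentials are constructed.
"""
import hashlib
import hmac
import re

SERVER = "192.0.2.10"     # constructed PBX address
REALM = "asterisk"        # chan_sip's default realm


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, nonce, method, uri) -> str:
    """RFC 2617 digest in its qop-less form, which a challenge carrying only
    realm and nonce (as chan_sip sends) asks for."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def challenge(nonce: str) -> str:
    return ("SIP/2.0 401 Unauthorized\r\n"
            f'WWW-Authenticate: Digest algorithm=MD5, realm="{REALM}", nonce="{nonce}"\r\n'
            "Content-Length: 0\r\n\r\n")


def register(user, password=None, nonce=None) -> str:
    """First REGISTER carries no credentials; the retry answers the nonce."""
    uri = f"sip:{SERVER}"
    msg = (f"REGISTER {uri} SIP/2.0\r\n"
           f"From: <sip:{user}@{SERVER}>;tag=1\r\nTo: <sip:{user}@{SERVER}>\r\n"
           f"CSeq: {1 if nonce is None else 2} REGISTER\r\n")
    if nonce is not None:
        resp = digest_response(user, REALM, password, nonce, "REGISTER", uri)
        msg += (f'Authorization: Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
                f'uri="{uri}", response="{resp}", algorithm=MD5\r\n')
    return msg + "Content-Length: 0\r\n\r\n"


def verify(request: str, nonce: str, peers: dict) -> str:
    """Server side: recompute the digest from the stored secret. Unknown peer,
    stale nonce and wrong password all get the same 401 (no user enumeration)."""
    m = re.search(r"^Authorization: Digest (.*)$", request, re.M)
    if not m:
        return challenge(nonce)
    p = dict(re.findall(r'(\w+)="([^"]*)"', m.group(1)))
    user = p.get("username", "")
    expected = digest_response(user, REALM, peers.get(user, ""), nonce, "REGISTER", p.get("uri", ""))
    if (user not in peers or p.get("nonce") != nonce
            or not hmac.compare_digest(p.get("response", ""), expected)):
        return challenge(nonce)
    return "SIP/2.0 200 OK\r\nContent-Length: 0\r\n\r\n"


def exchange(user, password, peers, nonce="3f9a1c") -> list:
    """The four messages of one registration attempt, in wire order."""
    first = register(user)
    reply1 = verify(first, nonce, peers)                 # always the 401 challenge
    second = register(user, password, nonce)
    return [first, reply1, second, verify(second, nonce, peers)]


if __name__ == "__main__":
    for msg in exchange("201", "correct horse", {"201": "correct horse"}):
        print(msg.splitlines()[0])
```

Because the first reply is a 401 for a legitimate phone and for a scanner alike, the second REGISTER (or its absence) is where the two diverge: a phone answers the nonce once and gets a 200, while a scanner either never answers it or answers it with a fresh username each time.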
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Fri Feb 27, 2015 1:28 am

I'm not sure if it would be possible to block these SIP messages using the router alone, even at layer 7.
The real danger is a customer with several SIP phones behind a single NAT. This would easily exceed the threshold.

I would probably opt to use fail2ban on the Asterisk box itself.
If the Asterisk box has iptables installed, just firewall it right there.
If not, a "knock" packet would be easily done as well. - Just make fail2ban send a "strange" packet
of a certain size with a certain source - say UDP SrcAddr = 6.6.6.6 srcPort = 666 and Dst IP=(offender), Dst Port = 5060
Pad the packet to a recognizable size (666bytes? haha). Match these in the router and add dst-addr to ban list.
 
spaxton
Member Candidate
Posts: 192
Joined: Fri Jan 01, 2010 12:18 pm

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Fri Feb 27, 2015 10:45 am

I'm not sure if it would be possible to block these SIP messages using the router alone, even at layer 7.
The real danger is a customer with several SIP phones behind a single NAT. This would easily exceed the threshold.

I would probably opt to use fail2ban on the Asterisk box itself.
If the Asterisk box has iptables installed, just firewall it right there.
If not, a "knock" packet would be easily done as well. - Just make fail2ban send a "strange" packet
of a certain size with a certain source - say UDP SrcAddr = 6.6.6.6 srcPort = 666 and Dst IP=(offender), Dst Port = 5060
Pad the packet to a recognizable size (666bytes? haha). Match these in the router and add dst-addr to ban list.
I am trying to make fail2ban work with MikroTik by adding the problematic addresses to the list. If I succeed, I will make a post with a detailed description. I started from here http://wiki.mikrotik.com/wiki/Use_Mikro ... n_firewall but this will not work as it is described at the link... It needs modifications.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Fri Feb 27, 2015 5:13 pm

I am trying to make fail2ban work with MikroTik by adding the problematic addresses to the list. If I succeed, I will make a post with a detailed description. I started from here http://wiki.mikrotik.com/wiki/Use_Mikro ... n_firewall but this will not work as it is described at the link... It needs modifications.
That solution you linked to is for a no-password ssh session to log into the MT and execute commands.

You don't really need all of that - if you can make a bash script that sends an unusual packet from a packet generation utility, (e.g. sendip) then you're good to go. In my example, you could send a UDP packet with very specific values e.g.
src-IP = 7.7.7.7
src-port = 777
dst-IP = <guy-to-ban>
dst-port = 666

You should never receive such a packet from your ISP as the destination is not in your network, but if you want more security, you could make the contents of the packet carry some sort of security phrase/hash to match against in the MikroTik with a contents check in addition to the stuff below. (Also a good idea if you're an ISP and have users behind this router able to send such packets maliciously.)

Next you make a rule in forward chain that matches such packets, and adds dst-ip to the BANLIST
e.g.:
/ip firewall filter add chain=forward in-interface=<inward-facing interface> src-address=7.7.7.7 protocol=udp src-port=777 dst-port=666 dst-address-list=!UnBannable action=add-dst-to-address-list address-list=BANLIST address-list-timeout=2d

If you use the dst-address-list=!UnBannable criteria, then you can exempt addresses/networks from being banned by adding them to the UnBannable list.

Now you put two rules into the forward chain:
/ip firewall filter add chain=forward src-address-list=BANLIST action=drop
/ip firewall filter add chain=forward dst-address-list=BANLIST action=drop

Make sure the positioning of these rules in your forward chain makes sense.
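ZeroByte's knock packet, built and checked as an added example (not ZeroByte's code and not from the thread): the forged source 7.7.7.7:777 and destination port 666 are the values from the post, the shared phrase in the payload is the contents check suggested above, and `match_knock` models what the router rule sees before it lists the destination address. Sending needs a raw socket and root on the Asterisk host, which is an assumption about that host; the interface and list names in the rule string are assumed too.

```python
"""Forged UDP 'knock' that names the address a MikroTik router should ban.

Added example, not ZeroByte's code nor anything from the thread: the packet
goes from 7.7.7.7:777 to <offender>:666 (values from the post) with a shared
phrase as payload for the router's content= check. The router reads the
address to ban from the DESTINATION field. Sending needs root and a raw
socket on the Asterisk host (an assumption); match_knock models the router.
"""
import socket
import struct
from ipaddress import ip_address

KNOCK_SRC_IP, KNOCK_SRC_PORT, KNOCK_DST_PORT = "7.7.7.7", 777, 666


def checksum16(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IPv4 and UDP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_knock_packet(offender_ip: str, phrase: bytes, ident: int = 0x0666) -> bytes:
    """IPv4 + UDP datagram with the forged source and the phrase as payload."""
    src = socket.inet_aton(KNOCK_SRC_IP)
    dst = socket.inet_aton(str(ip_address(offender_ip)))     # rejects garbage input
    udp_len = 8 + len(phrase)
    udp = struct.pack("!HHHH", KNOCK_SRC_PORT, KNOCK_DST_PORT, udp_len, 0) + phrase
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len)
    udp_csum = checksum16(pseudo + udp) or 0xFFFF               # 0 would mean 'no checksum'
    udp = udp[:6] + struct.pack("!H", udp_csum) + udp[8:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, ident, 0,
                      64, socket.IPPROTO_UDP, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", checksum16(hdr)) + hdr[12:]
    return hdr + udp


def match_knock(packet: bytes, phrase: bytes):
    """Model of the router rule 'protocol=udp src-address=7.7.7.7 src-port=777
    dst-port=666 content=<phrase>': returns the destination address to list, or None."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if checksum16(packet[:ihl]) != 0:                # a valid header sums to zero
        return None
    if packet[9] != socket.IPPROTO_UDP or socket.inet_ntoa(packet[12:16]) != KNOCK_SRC_IP:
        return None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if (sport, dport) != (KNOCK_SRC_PORT, KNOCK_DST_PORT):
        return None
    if phrase not in packet[ihl + 8:]:               # content= is a substring match
        return None
    return socket.inet_ntoa(packet[16:20])


def send_knock(offender_ip: str, phrase: bytes) -> int:
    """Put the datagram on the wire via a raw socket (root, Linux IP_HDRINCL)."""
    pkt = build_knock_packet(offender_ip, phrase)
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        return s.sendto(pkt, (offender_ip, 0))


# Router side, ZeroByte's rule with the phrase added (interface and list names assumed):
ROUTER_RULE = ("/ip firewall filter add chain=forward in-interface=<lan-if> src-address=7.7.7.7 "
               "protocol=udp src-port=777 dst-port=666 content=\"<phrase>\" "
               "dst-address-list=!UnBannable action=add-dst-to-address-list "
               "address-list=BANLIST address-list-timeout=2d")

if __name__ == "__main__":
    pkt = build_knock_packet("203.0.113.7", b"ban-me-s3cret")
    print(len(pkt), "bytes; router would list", match_knock(pkt, b"ban-me-s3cret"))
```

The phrase has to be a fixed string because the router's content matcher compares bytes, not a per-target hash; treat it as a shared secret between the Asterisk host and the router and keep the in-interface restriction, since anyone able to put a packet on that interface with the right phrase can list whatever destination they choose. Whether the knock itself is also dropped depends on where the BANLIST drop rules sit relative to this one, which is why the rule positioning matters.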
 
miahac
Long time Member
Posts: 516
Joined: Wed Dec 14, 2005 5:04 pm
Location: Wichita, KS

Re: PAYPAL CASH REWARD!! Filter to block rogue SIP registration

Sun Apr 12, 2015 7:38 pm

All your base are belong to them
I gave up and l2tp every customer with VPBX and let the core SIP proxy run fail2ban
