Community discussions

MikroTik App
  4. RouterOS
  5. General

SIP Attack?

Post Reply
 
User avatar
mves
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 91
Joined: Tue Jan 11, 2011 8:15 pm
Location: Serbia

SIP Attack?

Sun Feb 27, 2011 10:19 pm

This situation is happening quite often and I really have no idea how dangerous it can be. Anyone knows what is it, how to detect it and how to fight against it?

Image
Top
 
Wesley
newbie
Posts: 48
Joined: Mon Dec 08, 2008 5:00 pm

Re: SIP Attack?

Mon Feb 28, 2011 9:46 am

Hi,

i'm guessing the x.x.48.x range is your IP range?

If it is sip coming into your network, just block it at your gateway/Firewall.

If you have SIP servers in your network, and you need to have sip open for them, look at Fail2ban, its a program for linux that monitors ports & if there is hacking it automatically adds a filter rule to IP tables.
Top
 
User avatar
mves
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 91
Joined: Tue Jan 11, 2011 8:15 pm
Location: Serbia

Re: SIP Attack?

Mon Feb 28, 2011 1:09 pm

Yes, it's a public ip range on main routers and this is coming from outside. But, if I block 5060 and 5061 ports, how will it affect VOIP?
Top
 
JwTPN

Re: SIP Attack?

Mon Feb 28, 2011 10:32 pm

I see a LOT of SIP scanning activity now days on public IP ranges.

One trick we do is pickup any IPs trying to connect to things they shouldnt (like core routers) on port 5060 or 5061 and add them to a banned list for a minimun of 12 hours.
If you do this on your internet gateway its a good way to stop some of this "rubbish traffic"

We even leave an IP or two in our customer ranges as "Honeypot IPs" to do the same thing.

This can of course be applied for people scanning for SSH etc as well..

Just a side note, as for dangerous it can be very dangerous! we have thousands of dollars lost when hackers compromised our voip system and abused it...

Cheers
Top
 
Wesley
newbie
Posts: 48
Joined: Mon Dec 08, 2008 5:00 pm

Re: SIP Attack?

Tue Mar 01, 2011 7:12 am

Do you have people registering to your voip servers from outside your network? If you do, then you have 2 options, have a safe list of IP's that may access your voip servers, block everything else. Or if you have clients that have dynamic IP's, then i recommend Fail2Ban for your servers.
Top
 
User avatar
mves
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 91
Joined: Tue Jan 11, 2011 8:15 pm
Location: Serbia

Re: SIP Attack?

Tue Mar 01, 2011 11:31 am

With VOIP I mean skype and msn. I hope we didn't misunderstood. There are no dedicated servers for VOIP or anything similar on a network if you mean that. So, If ports 5060 and 5061 gets locked, that won't affect skype or msn and simple port blocking would do a trick? :)
@Wesley
There are no dynamic IP's and there are just routers.
Top
 
Wesley
newbie
Posts: 48
Joined: Mon Dec 08, 2008 5:00 pm

Re: SIP Attack?

Tue Mar 01, 2011 11:46 am

To my knowledge Skype and MSN don't use port 5060 or 5061, so they should be fine if you block those ports.
Top
 
doush
Long time Member
Long time Member
Posts: 665
Joined: Thu Jun 04, 2009 3:11 pm

Re: SIP Attack?

Tue Mar 01, 2011 6:11 pm

what you get if you Disable
ip firewall service ports sip
Top
 
fewi
Forum Guru
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: SIP Attack?

Tue Mar 01, 2011 6:23 pm

That just disables the SIP inspection helper, and doesn't block SIP as such.
Top
 
User avatar
maximan
Trainer
Trainer
Posts: 543
Joined: Sat May 29, 2004 12:10 am
Location: Rio Cuarto, Argentina
Contact:
Contact maximan

Re: SIP Attack?

Tue Mar 01, 2011 8:53 pm

this can help you

http://mikrotikexpert.com/sip_attack

Project:

http://infiltrated.net/

M.
Top
 
User avatar
mves
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 91
Joined: Tue Jan 11, 2011 8:15 pm
Location: Serbia

Re: SIP Attack?

Tue Mar 01, 2011 9:31 pm

Thank you all for help...
Added udp 5060-5061 port block on existing virus chain and there are packet drop. There are no more sip listings and skype works. So far, so good :)
But, it's not functional solution. Is there any known way to make something similar detectable for udp connections? Maybe a script that will count is there connection attempt from one incoming ip to a multiple targets on network and to be applicable on ROS?

:EDIT
@maximan
Nice, but I can't watch network 24/7 and wait will there any new ip will emerge :(
I need an universal solution for all of this.
Top
 
DjSam
just joined
Posts: 14
Joined: Mon Mar 07, 2011 8:46 pm

Re: SIP Attack?

Mon Apr 08, 2013 4:33 pm

Can you please post the rules used?
That would be great

I see a LOT of SIP scanning activity now days on public IP ranges.

One trick we do is pickup any IPs trying to connect to things they shouldnt (like core routers) on port 5060 or 5061 and add them to a banned list for a minimun of 12 hours.
If you do this on your internet gateway its a good way to stop some of this "rubbish traffic"

We even leave an IP or two in our customer ranges as "Honeypot IPs" to do the same thing.

This can of course be applied for people scanning for SSH etc as well..

Just a side note, as for dangerous it can be very dangerous! we have thousands of dollars lost when hackers compromised our voip system and abused it...

Cheers
Top
 
nashon
just joined
Posts: 2
Joined: Sat Dec 17, 2016 10:12 am

Re: SIP Attack?

Sat Dec 17, 2016 11:00 am

Can you please post the rules used?
I have spent couple of days, having studied a subject and other branches of a forum, haven't found the ready solution, have as a result made itself thus.
Rules for blocking of SIP brute force activity.
Code: Select all
/ip firewall filter
add action=drop chain=input comment="Drop brute forcers" in-interface=ether1-gateway src-address-list=bf_blacklist
add action=drop chain=forward comment="Drop brute forcers - fw" in-interface=ether1-gateway src-address-list=bf_blacklist

add action=add-dst-to-address-list address-list=bf_blacklist address-list-timeout=15m chain=forward comment="BF detect 6 - sip - fw - add to block" content="SIP/2.0 401 Unauthorized" \
    dst-address-list=bf_sip_stage5 in-interface=bridge-local log-prefix="BLOCK SIP FW BF" protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage5 address-list-timeout=1m chain=forward comment="BF detect 5 - sip - fw" content="SIP/2.0 401 Unauthorized" \
    dst-address-list=bf_sip_stage4 in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage4 address-list-timeout=1m chain=forward comment="BF detect 4 - sip - fw" content="SIP/2.0 401 Unauthorized" \
    dst-address-list=bf_sip_stage3 in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage3 address-list-timeout=1m chain=forward comment="BF detect 3 - sip - fw" content="SIP/2.0 401 Unauthorized" \
    dst-address-list=bf_sip_stage2 in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage2 address-list-timeout=1m chain=forward comment="BF detect 2 - sip - fw" content="SIP/2.0 401 Unauthorized" \
    dst-address-list=bf_sip_stage1 in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage1 address-list-timeout=1m chain=forward comment="BF detect 1 - sip - fw" content="SIP/2.0 401 Unauthorized" \
    dst-address-list=!sip-auth in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
    
add action=add-dst-to-address-list address-list=bf_blacklist address-list-timeout=15m chain=forward comment="BF detect 6 - sip - fw2 - add to block" content="SIP/2.0 404 Not Found" \
    dst-address-list=bf_sip_stage5 in-interface=bridge-local log-prefix="BLOCK SIP FW BF" protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage5 address-list-timeout=1m chain=forward comment="BF detect 5 - sip - fw2" content="SIP/2.0 404 Not Found" dst-address-list=\
    bf_sip_stage4 in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage4 address-list-timeout=1m chain=forward comment="BF detect 4 - sip - fw2" content="SIP/2.0 404 Not Found" dst-address-list=\
    bf_sip_stage3 in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage3 address-list-timeout=1m chain=forward comment="BF detect 3 - sip - fw2" content="SIP/2.0 404 Not Found" dst-address-list=\
    bf_sip_stage2 in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage2 address-list-timeout=1m chain=forward comment="BF detect 2 - sip - fw2" content="SIP/2.0 404 Not Found" dst-address-list=\
    bf_sip_stage1 in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage1 address-list-timeout=1m chain=forward comment="BF detect 1 - sip - fw2" content="SIP/2.0 404 Not Found" dst-address-list=\
    !sip-auth in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
ether1-gateway - Internet interface
192.168.1.234 - SIP server in local net
"sip-auth" - address-list - IP of external provider SIP for the local SIP server


At the moment type of blocking following (after reboot)
17-12-2016 11-30-19.png
17-12-2016 11-36-52.png
17-12-2016 11-56-03.png
You do not have the required permissions to view the files attached to this post.
Top
Post Reply
  4. RouterOS
  5. General