Page 1 of 1
SIP Attack?
Posted: Sun Feb 27, 2011 10:19 pm
by mves
This situation is happening quite often and I really have no idea how dangerous it can be. Anyone knows what is it, how to detect it and how to fight against it?
Re: SIP Attack?
Posted: Mon Feb 28, 2011 9:46 am
by Wesley
Hi,
i'm guessing the x.x.48.x range is your IP range?
If it is sip coming into your network, just block it at your gateway/Firewall.
If you have SIP servers in your network, and you need to have sip open for them, look at Fail2ban, its a program for linux that monitors ports & if there is hacking it automatically adds a filter rule to IP tables.
Re: SIP Attack?
Posted: Mon Feb 28, 2011 1:09 pm
by mves
Yes, it's a public ip range on main routers and this is coming from outside. But, if I block 5060 and 5061 ports, how will it affect VOIP?
Re: SIP Attack?
Posted: Mon Feb 28, 2011 10:32 pm
by JwTPN
I see a LOT of SIP scanning activity now days on public IP ranges.
One trick we do is pickup any IPs trying to connect to things they shouldnt (like core routers) on port 5060 or 5061 and add them to a banned list for a minimun of 12 hours.
If you do this on your internet gateway its a good way to stop some of this "rubbish traffic"
We even leave an IP or two in our customer ranges as "Honeypot IPs" to do the same thing.
This can of course be applied for people scanning for SSH etc as well..
Just a side note, as for dangerous it can be very dangerous! we have thousands of dollars lost when hackers compromised our voip system and abused it...
Cheers
Re: SIP Attack?
Posted: Tue Mar 01, 2011 7:12 am
by Wesley
Do you have people registering to your voip servers from outside your network? If you do, then you have 2 options, have a safe list of IP's that may access your voip servers, block everything else. Or if you have clients that have dynamic IP's, then i recommend Fail2Ban for your servers.
Re: SIP Attack?
Posted: Tue Mar 01, 2011 11:31 am
by mves
With VOIP I mean skype and msn. I hope we didn't misunderstood. There are no dedicated servers for VOIP or anything similar on a network if you mean that. So, If ports 5060 and 5061 gets locked, that won't affect skype or msn and simple port blocking would do a trick?
@Wesley
There are no dynamic IP's and there are just routers.
Re: SIP Attack?
Posted: Tue Mar 01, 2011 11:46 am
by Wesley
To my knowledge Skype and MSN don't use port 5060 or 5061, so they should be fine if you block those ports.
Re: SIP Attack?
Posted: Tue Mar 01, 2011 6:11 pm
by doush
what you get if you Disable
ip firewall service ports sip
Re: SIP Attack?
Posted: Tue Mar 01, 2011 6:23 pm
by fewi
That just disables the SIP inspection helper, and doesn't block SIP as such.
Re: SIP Attack?
Posted: Tue Mar 01, 2011 8:53 pm
by maximan
Re: SIP Attack?
Posted: Tue Mar 01, 2011 9:31 pm
by mves
Thank you all for help...
Added udp 5060-5061 port block on existing virus chain and there are packet drop. There are no more sip listings and skype works. So far, so good
But, it's not functional solution. Is there any known way to make something similar detectable for udp connections? Maybe a script that will count is there connection attempt from one incoming ip to a multiple targets on network and to be applicable on ROS?
:EDIT
@maximan
Nice, but I can't watch network 24/7 and wait will there any new ip will emerge
I need an universal solution for all of this.
Re: SIP Attack?
Posted: Mon Apr 08, 2013 4:33 pm
by DjSam
Can you please post the rules used?
That would be great
I see a LOT of SIP scanning activity now days on public IP ranges.
One trick we do is pickup any IPs trying to connect to things they shouldnt (like core routers) on port 5060 or 5061 and add them to a banned list for a minimun of 12 hours.
If you do this on your internet gateway its a good way to stop some of this "rubbish traffic"
We even leave an IP or two in our customer ranges as "Honeypot IPs" to do the same thing.
This can of course be applied for people scanning for SSH etc as well..
Just a side note, as for dangerous it can be very dangerous! we have thousands of dollars lost when hackers compromised our voip system and abused it...
Cheers
Re: SIP Attack?
Posted: Sat Dec 17, 2016 11:00 am
by nashon
Can you please post the rules used?
I have spent couple of days, having studied a subject and other branches of a forum, haven't found the ready solution, have as a result made itself thus.
Rules for blocking of SIP brute force activity.
/ip firewall filter
add action=drop chain=input comment="Drop brute forcers" in-interface=ether1-gateway src-address-list=bf_blacklist
add action=drop chain=forward comment="Drop brute forcers - fw" in-interface=ether1-gateway src-address-list=bf_blacklist
add action=add-dst-to-address-list address-list=bf_blacklist address-list-timeout=15m chain=forward comment="BF detect 6 - sip - fw - add to block" content="SIP/2.0 401 Unauthorized" \
dst-address-list=bf_sip_stage5 in-interface=bridge-local log-prefix="BLOCK SIP FW BF" protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage5 address-list-timeout=1m chain=forward comment="BF detect 5 - sip - fw" content="SIP/2.0 401 Unauthorized" \
dst-address-list=bf_sip_stage4 in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage4 address-list-timeout=1m chain=forward comment="BF detect 4 - sip - fw" content="SIP/2.0 401 Unauthorized" \
dst-address-list=bf_sip_stage3 in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage3 address-list-timeout=1m chain=forward comment="BF detect 3 - sip - fw" content="SIP/2.0 401 Unauthorized" \
dst-address-list=bf_sip_stage2 in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage2 address-list-timeout=1m chain=forward comment="BF detect 2 - sip - fw" content="SIP/2.0 401 Unauthorized" \
dst-address-list=bf_sip_stage1 in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage1 address-list-timeout=1m chain=forward comment="BF detect 1 - sip - fw" content="SIP/2.0 401 Unauthorized" \
dst-address-list=!sip-auth in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_blacklist address-list-timeout=15m chain=forward comment="BF detect 6 - sip - fw2 - add to block" content="SIP/2.0 404 Not Found" \
dst-address-list=bf_sip_stage5 in-interface=bridge-local log-prefix="BLOCK SIP FW BF" protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage5 address-list-timeout=1m chain=forward comment="BF detect 5 - sip - fw2" content="SIP/2.0 404 Not Found" dst-address-list=\
bf_sip_stage4 in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage4 address-list-timeout=1m chain=forward comment="BF detect 4 - sip - fw2" content="SIP/2.0 404 Not Found" dst-address-list=\
bf_sip_stage3 in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage3 address-list-timeout=1m chain=forward comment="BF detect 3 - sip - fw2" content="SIP/2.0 404 Not Found" dst-address-list=\
bf_sip_stage2 in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage2 address-list-timeout=1m chain=forward comment="BF detect 2 - sip - fw2" content="SIP/2.0 404 Not Found" dst-address-list=\
bf_sip_stage1 in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
add action=add-dst-to-address-list address-list=bf_sip_stage1 address-list-timeout=1m chain=forward comment="BF detect 1 - sip - fw2" content="SIP/2.0 404 Not Found" dst-address-list=\
!sip-auth in-interface=bridge-local protocol=udp src-address=192.168.1.234 src-port=5060-5069
ether1-gateway - Internet interface
192.168.1.234 - SIP server in local net
"sip-auth" - address-list - IP of external provider SIP for the local SIP server
At the moment type of blocking following (after reboot)
17-12-2016 11-30-19.png
17-12-2016 11-36-52.png
17-12-2016 11-56-03.png