<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"><meta name="Generator" content="Microsoft Word 12 (filtered medium)"><style><!--
--></style></head><body lang="EN-ZA" link="blue" vlink="purple"><div class="WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Just for everyone else: </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The link on </span><a href="http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack" target="_blank">http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack</a> pointing to <a href="http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/">http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/</a></p>
<p class="MsoNormal"> </p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Was very helpful and immediately stopped the attack. </span></p><p class="MsoNormal">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I believe if the 100 Trying is not sent, it's unlikely that their attack would have persisted though, as their initial sniffing would have shown that we weren’t going to try to authenticate them.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">As Andreas points out, it should not reply with 100 Trying once it has exceeded the threshold.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal">
<b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Lorenzo Mangani [mailto:<a href="mailto:lorenzo.mangani@gmail.com">lorenzo.mangani@gmail.com</a>] <br>
<b>Sent:</b> 07 May 2012 10:01 PM<br><b>To:</b> Matthew Ogden<br><b>Cc:</b> Andreas Granig; <a href="mailto:spce-user@lists.sipwise.com">spce-user@lists.sipwise.com</a><br><b>Subject:</b> Re: [Spce-user] autoban or fail2ban</span></p>
</div><p class="MsoNormal"> </p><p class="MsoNormal">Matthew,</p><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">Once the source is banned, the REGISTER requests are not forwarded internally to the database, so there are zero chances of brute forcing anything. The scanner might as well guess and never know; anyhow, sometimes sending back a false 200 OK can help stop the flooding if the "unfriendly" scanner is in stateless mode, wasting your bandwidth or cluttering your monitoring. They'll get a useless password and your attack should drop.</p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">Best,</p></div><div><p class="MsoNormal"> </p></div><div><div><p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#777777">Lorenzo Mangani</span></p>
</div><div><p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#777777"><a href="http://QXIP.NET">QXIP.NET</a></span><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#777777"></span></p>
</div></div><div><p class="MsoNormal"> </p><div><p class="MsoNormal">On Mon, May 7, 2012 at 9:05 PM, Matthew Ogden <<a href="mailto:matthew@tenacit.net" target="_blank">matthew@tenacit.net</a>> wrote:</p><p class="MsoNormal">
Thanks, so if I understand this correctly then,<br><br>You have your defaults at 20 times per 2 seconds. But, at this point, pike<br>is not banning them from trying to connect, it is simply ignoring trying to<br>authenticate them, is that correct?<br>
<br>In other words, I will continue to see their traffic hitting my network<br>card, in and out, and entries in ngrep? But they are very unlikely to<br>succeed in brute forcing a password? (Or perhaps I have misunderstood this)<br>
<br>As so:<br>(Friendly scanner indeed!)<br><br>U 2012/05/07 20:02:08.715659 <a href="http://213.189.34.21:5341" target="_blank">213.189.34.21:5341</a> -> MY_SERVER_IP:5060<br>REGISTER <a href="sip:MY_SERVER_IP">sip:MY_SERVER_IP</a> SIP/2.0'<br>
Via: SIP/2.0/UDP 213.189.34.21:5341;branch=z9hG4bK-285169266;rport'<br>Content-Length: 0'<br>From: "102" <<a href="sip:102@MY_SERVER_IP">sip:102@MY_SERVER_IP</a>>'<br>Accept: application/sdp'<br>
User-Agent: friendly-scanner'<br>To: "102" <<a href="sip:102@MY_SERVER_IP">sip:102@MY_SERVER_IP</a>>'<br>Contact: <a href="mailto:sip%3A123@1.1.1.1">sip:123@1.1.1.1</a>'<br>CSeq: 1 REGISTER'<br>
Call-ID: 828443369'<br>Max-Forwards: 70'<br>'<br><br>#<br>U 2012/05/07 20:02:08.715727 MY_SERVER_IP:5060 -> <a href="http://213.189.34.21:5341" target="_blank">213.189.34.21:5341</a><br>SIP/2.0 100 Trying'<br>
Via: SIP/2.0/UDP 213.189.34.21:5341;branch=z9hG4bK-285169266;rport=5341'<br>From: "102" <<a href="sip:102@MY_SERVER_IP">sip:102@MY_SERVER_IP</a>>'<br>To: "102" <<a href="sip:102@MY_SERVER_IP">sip:102@MY_SERVER_IP</a>>'<br>
CSeq: 1 REGISTER'<br>Call-ID: 828443369'<br>Server: Sipwise NGCP LB 2.X'<br>Content-Length: 0'<br>'<br><br>#<br>U 2012/05/07 20:02:08.728398 <a href="http://213.189.34.21:5341" target="_blank">213.189.34.21:5341</a> -> MY_SERVER_IP:5060<br>
REGISTER <a href="sip:MY_SERVER_IP">sip:MY_SERVER_IP</a> SIP/2.0'<br>Via: SIP/2.0/UDP 213.189.34.21:5341;branch=z9hG4bK-1723630567;rport'<br>Content-Length: 0'<br>From: "102" <<a href="sip:102@MY_SERVER_IP">sip:102@MY_SERVER_IP</a>>'<br>
Accept: application/sdp'<br>User-Agent: friendly-scanner'<br>To: "102" <<a href="sip:102@MY_SERVER_IP">sip:102@MY_SERVER_IP</a>>'<br>Contact: <a href="mailto:sip%3A123@1.1.1.1">sip:123@1.1.1.1</a>'<br>
CSeq: 1 REGISTER'<br>Call-ID: <a href="tel:4175934776">4175934776</a>'<br>Max-Forwards: 70'<br>'<br><br>#<br>U 2012/05/07 20:02:08.728478 MY_SERVER_IP:5060 -> <a href="http://213.189.34.21:5341" target="_blank">213.189.34.21:5341</a><br>
SIP/2.0 100 Trying'<br>Via: SIP/2.0/UDP 213.189.34.21:5341;branch=z9hG4bK-1723630567;rport=5341'<br>From: "102" <<a href="sip:102@MY_SERVER_IP">sip:102@MY_SERVER_IP</a>>'<br>To: "102" <<a href="sip:102@MY_SERVER_IP">sip:102@MY_SERVER_IP</a>>'<br>
CSeq: 1 REGISTER'<br>Call-ID: <a href="tel:4175934776">4175934776</a>'<br>Server: Sipwise NGCP LB 2.X'<br>Content-Length: 0'</p><div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><br><br>-----Original Message-----<br>
From: <a href="mailto:spce-user-bounces@lists.sipwise.com">spce-user-bounces@lists.sipwise.com</a><br>[mailto:<a href="mailto:spce-user-bounces@lists.sipwise.com">spce-user-bounces@lists.sipwise.com</a>] On Behalf Of Andreas Granig<br>
Sent: 07 May 2012 08:46 PM<br>To: <a href="mailto:spce-user@lists.sipwise.com">spce-user@lists.sipwise.com</a><br>Subject: Re: [Spce-user] autoban or fail2ban<br><br>Hi,<br><br>On 05/07/2012 08:35 PM, Jon Bonilla (Manwe) wrote:<br>
> The spce has SIP attack protection against DOS and DDOS attacks.<br>><br>> If you're talking about ssh or similar you should use iptables. Please<br>> check the security chapter of the handbook.<br><br>To make it clear, flood traffic above a certain threshold is blocked in<br>
user-space on the load-balancer. You can check the blocked ips with the<br>following command:<br><br>ngcp-sercmd lb htable.dump ipban<br><br>Every time an IP gets into this blacklist, a warning is logged in<br>kamailio-lb.log, using this kamailio config line:<br>
<br>xlog("L_WARN", "IP '$var(banip)' is blocked and banned - M=$rm R=$ru F=$fu<br>T=$tu IP=$pr:$si:$sp ID=$ci\n");<br><br>Sometimes it makes sense to block the traffic on kernel level already to<br>
keep the receive queue clean, so fail2ban could make sense here. See the<br>section "Fail2Ban" in<br><a href="http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack" target="_blank">http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack</a> (the rest is<br>
already implemented in the SPCE), just adapt the "failregex" to the log<br>message shown above.<br><br>Andreas</p></div></div><div><div><p class="MsoNormal">_______________________________________________<br>Spce-user mailing list<br>
<a href="mailto:Spce-user@lists.sipwise.com">Spce-user@lists.sipwise.com</a><br><a href="http://lists.sipwise.com/listinfo/spce-user" target="_blank">http://lists.sipwise.com/listinfo/spce-user</a></p></div></div></div><p class="MsoNormal">
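Andreas' suggestion above is to adapt fail2ban's "failregex" to the xlog() warning quoted in his mail. As an added example (not code from Sipwise, Kamailio or the asipto kb page), the following Python expands the <HOST> tag the way fail2ban does (assumed to mirror fail2ban 0.8.x), runs the resulting pattern over a constructed kamailio-lb.log excerpt, and counts ban events per source IP, which is what a jail compares against maxretry before it adds the kernel-level block:

```python
import re
from collections import Counter

# fail2ban expands the <HOST> tag of a failregex into a named group that
# matches an IPv4/IPv6 address or a hostname. Assumption: this mirrors the
# expansion used by fail2ban 0.8.x, current when this thread was written.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex as it would go into a fail2ban filter, written against the
# xlog() message from the mail above. fail2ban strips the syslog timestamp
# before applying the pattern, so the log prefix is not part of it.
FAILREGEX = (
    r"IP '<HOST>' is blocked and banned - "
    r"M=\S+ R=\S+ F=\S+ T=\S+ IP=\S+ ID=\S+"
)


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex object."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def ban_events(log_lines, failregex=FAILREGEX):
    """Count 'blocked and banned' events per source IP, which is what a
    jail compares against maxretry before adding a kernel-level block."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


# Constructed kamailio-lb.log excerpt: the syslog prefix is simplified and
# the addresses come from documentation ranges, not from a real scanner.
SAMPLE_LOG = [
    "May  7 20:02:09 lb kamailio[2171]: WARNING: IP '192.0.2.10' is blocked "
    "and banned - M=REGISTER R=sip:203.0.113.5 F=sip:102@203.0.113.5 "
    "T=sip:102@203.0.113.5 IP=udp:192.0.2.10:5341 ID=828443369",
    "May  7 20:02:09 lb kamailio[2171]: INFO: REGISTER from "
    "sip:alice@203.0.113.5 IP=udp:198.51.100.7:5060 ID=a7c1",
    "May  7 20:02:11 lb kamailio[2171]: WARNING: IP '192.0.2.10' is blocked "
    "and banned - M=REGISTER R=sip:203.0.113.5 F=sip:103@203.0.113.5 "
    "T=sip:103@203.0.113.5 IP=udp:192.0.2.10:5341 ID=4175934776",
]

if __name__ == "__main__":
    for host, count in ban_events(SAMPLE_LOG).items():
        print(host, count)
```

Only the WARNING lines count; the ordinary INFO line from a legitimate registration does not match, so it cannot contribute to a ban.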
<br><br clear="all"></p><div><p class="MsoNormal"> </p></div><p class="MsoNormal">-- <span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#500050;background:white"></span></p><div><p class="MsoNormal">
<span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#777777;background:white"> </span></p></div><div><p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#777777;background:white"> </span></p>
</div><p class="MsoNormal"> </p></div></div></body></html>