<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>There is a dirty hack.in kamailio.cfg in the lb ,changue the response from 403 "banned and reported" by 200 OK</div><div>This will stop the attack.<br><br>Anibal caƱada<div><br></div></div><div><br>El 15/02/2013, a las 09:52, Daniel Grotti <<a href="mailto:dgrotti@sipwise.com">dgrotti@sipwise.com</a>> escribiĆ³:<br><br></div><blockquote type="cite"><div>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
<div class="moz-cite-prefix">Hi Theo,<br>
Malicious attack are banned by the proxy and you can see the IP
address/Users ban under the "Security Ban" section.<br>
What you could do is change the value defining how many seconds
the system keep the IP/Users banned.<br>
You can find all the variables in /etc/ngcp-config/config.yml
under "kamailio -> lb -> security".<br>
<br>
security:<br>
dos_ban_enable: 'yes'<br>
dos_ban_time: 300<br>
dos_reqs_density_per_unit: 50<br>
dos_sampling_time_unit: 5<br>
dos_whitelisted_ips: ~<br>
failed_auth_attempts: 3<br>
failed_auth_ban_enable: 'yes'<br>
failed_auth_ban_time: 3600<br>
<br>
<br>
So, by default the IP will keep banned for 300sec.<br>
<br>
Daniel<br>
<br>
<br>
<br>
<br>
On 02/15/2013 09:45 AM, Theo wrote:<br>
</div>
<blockquote cite="mid:CA+9+E=VUd6=8JVjzoYGPNqw2uDts2THmJT3BzKByK=o-Ns1-ZQ@mail.gmail.com" type="cite">Hi
<div><br>
</div>
<div>ngrep-sip gives me:</div>
<div><br>
</div>
<div>
<div>#</div>
<div>U 2013/02/15 10:39:23.432811 <a moz-do-not-send="true" href="http://173.242.123.148:5266">173.242.123.148:5266</a>
-> <a moz-do-not-send="true" href="http://196.41.123.113:5060">196.41.123.113:5060</a></div>
<div>REGISTER sip:196.41.123.113 SIP/2.0'</div>
<div>Via: SIP/2.0/UDP
173.242.123.148:5266;branch=z9hG4bK-2478367181;rport'</div>
<div>Content-Length: 0'</div>
<div>From: "12unknown" <<a moz-do-not-send="true" href="mailto:sip%3A12unknown@196.41.123.113">sip:12unknown@196.41.123.113</a>>'</div>
<div>Accept: application/sdp'</div>
<div>User-Agent: friendly-scanner'</div>
<div>To: "12unknown" <<a moz-do-not-send="true" href="mailto:sip%3A12unknown@196.41.123.113">sip:12unknown@196.41.123.113</a>>'</div>
<div>Contact: <a moz-do-not-send="true" href="mailto:sip%3A123@1.1.1.1">sip:123@1.1.1.1</a>'</div>
<div>CSeq: 1 REGISTER'</div>
<div>Call-ID: 4123206054'</div>
<div>Max-Forwards: 70'</div>
<div>'</div>
</div>
<div>with a script changing the Call-ID a a massive rate. So
someone is trying to register or doing something sinister. This
box is not behind a firewall at this point, just a test box. the
IP you see there 173.242.123.148 has indeed been added to the
banned IPs which I guess means nothing is actually reaching the
proxy? Do we just leave it like this until they give up or is
there some other action I should take?</div>
<div><br>
</div>
<div>There is no monetary risk at this point for us - this is
really just for testing and all details such as IPs are going to
change if and when we would start using it.</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Spce-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Spce-user@lists.sipwise.com">Spce-user@lists.sipwise.com</a>
<a class="moz-txt-link-freetext" href="http://lists.sipwise.com/listinfo/spce-user">http://lists.sipwise.com/listinfo/spce-user</a>
</pre>
</blockquote>
<br>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Spce-user mailing list</span><br><span><a href="mailto:Spce-user@lists.sipwise.com">Spce-user@lists.sipwise.com</a></span><br><span><a href="http://lists.sipwise.com/listinfo/spce-user">http://lists.sipwise.com/listinfo/spce-user</a></span><br></div></blockquote></body></html>