[Spce-user] Under attack :-(

Aníbal Cañada anibal at hercom.es
Fri Feb 15 03:57:25 EST 2013


There is a dirty hack: in kamailio.cfg on the lb, change the response from 403 "banned and reported" to 200 OK.
This will stop the attack.

Aníbal Cañada


On 15/02/2013, at 09:52, Daniel Grotti <dgrotti at sipwise.com> wrote:

> Hi Theo,
> Malicious attacks are banned by the proxy, and you can see the banned IP addresses/users under the "Security Ban" section.
> What you could do is change the value defining how many seconds the system keeps the IP/users banned.
> You can find all the variables in /etc/ngcp-config/config.yml under "kamailio -> lb -> security".
> 
> security:
>       dos_ban_enable: 'yes'
>       dos_ban_time: 300
>       dos_reqs_density_per_unit: 50
>       dos_sampling_time_unit: 5
>       dos_whitelisted_ips: ~
>       failed_auth_attempts: 3
>       failed_auth_ban_enable: 'yes'
>       failed_auth_ban_time: 3600
> 
> 
> So, by default the IP will stay banned for 300 sec.
> 
> Daniel
> 
> 
> 
> 
> On 02/15/2013 09:45 AM, Theo wrote:
>> Hi
>> 
>> ngrep-sip gives me:
>> 
>> #
>> U 2013/02/15 10:39:23.432811 173.242.123.148:5266 -> 196.41.123.113:5060
>> REGISTER sip:196.41.123.113 SIP/2.0
>> Via: SIP/2.0/UDP 173.242.123.148:5266;branch=z9hG4bK-2478367181;rport
>> Content-Length: 0
>> From: "12unknown" <sip:12unknown at 196.41.123.113>
>> Accept: application/sdp
>> User-Agent: friendly-scanner
>> To: "12unknown" <sip:12unknown at 196.41.123.113>
>> Contact: sip:123 at 1.1.1.1
>> CSeq: 1 REGISTER
>> Call-ID: 4123206054
>> Max-Forwards: 70
>> 
>> with a script changing the Call-ID at a massive rate. So someone is trying to register or doing something sinister. This box is not behind a firewall at this point, just a test box. The IP you see there, 173.242.123.148, has indeed been added to the banned IPs, which I guess means nothing is actually reaching the proxy? Do we just leave it like this until they give up, or is there some other action I should take?
>> 
>> There is no monetary risk at this point for us - this is really just for testing and all details such as IPs are going to change if and when we would start using it.
>> 
>> 
>> _______________________________________________
>> Spce-user mailing list
>> Spce-user at lists.sipwise.com
>> http://lists.sipwise.com/listinfo/spce-user
> 
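The config.yml values Daniel quotes (kamailio -> lb -> security) describe a per-source-IP request-rate ban. The following is an added example, not Kamailio's or Sipwise's code: it replays ngrep-style capture headers of the kind Theo posted through a small rate limiter driven by those values, so you can see at which request the scanner IP would be banned, what a whitelisted IP gets, and when the ban lifts. The window/threshold semantics (more than dos_reqs_density_per_unit requests from one IP within dos_sampling_time_unit seconds leads to a ban of dos_ban_time seconds) are an assumption about what the settings mean, and the sample capture is constructed, not a real trace.

```python
"""Added example (not Kamailio's or Sipwise's code): replay ngrep-style SIP
capture headers through a per-source-IP rate limiter driven by the
kamailio -> lb -> security values quoted in the thread.  The window and
threshold semantics (more than dos_reqs_density_per_unit requests from one
IP inside dos_sampling_time_unit seconds => banned for dos_ban_time
seconds) are an assumption about what those settings mean; the sample
capture is constructed, not a real trace."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Values copied from the config.yml snippet in the thread.
CONFIG = {
    "dos_ban_enable": "yes",
    "dos_ban_time": 300,
    "dos_reqs_density_per_unit": 50,
    "dos_sampling_time_unit": 5,
    "dos_whitelisted_ips": None,
}

# ngrep packet header: "U <date> <time> <src ip>:<port> -> <dst ip>:<port>"
HEADER_RE = re.compile(
    r"^U (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> \S+$")


class DosBanner:
    """Sliding-window request counter with a ban list (assumed semantics)."""

    def __init__(self, cfg):
        self.enabled = cfg["dos_ban_enable"] == "yes"
        self.ban_time = cfg["dos_ban_time"]
        self.density = cfg["dos_reqs_density_per_unit"]
        self.unit = cfg["dos_sampling_time_unit"]
        self.whitelist = set(cfg["dos_whitelisted_ips"] or [])
        self.windows = defaultdict(deque)   # ip -> request timestamps in window
        self.banned = {}                    # ip -> ban expiry (epoch seconds)

    def is_banned(self, ip, now):
        expiry = self.banned.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                   # dos_ban_time elapsed: lift the ban
            del self.banned[ip]
            return False
        return True

    def observe(self, ip, now):
        """Classify one request: 'allow', 'banned', 'ban' (newly) or 'ok'."""
        if not self.enabled or ip in self.whitelist:
            return "allow"
        if self.is_banned(ip, now):
            return "banned"
        window = self.windows[ip]
        window.append(now)
        while window and now - window[0] >= self.unit:
            window.popleft()                # drop samples older than one unit
        if len(window) > self.density:
            self.banned[ip] = now + self.ban_time
            window.clear()
            return "ban"
        return "ok"


def replay(lines, cfg=CONFIG):
    """Feed capture header lines through DosBanner; count verdicts per IP."""
    banner = DosBanner(cfg)
    verdicts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = HEADER_RE.match(line)
        if not m:
            continue                        # SIP header lines and blanks
        now = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f").timestamp()
        verdicts[m["src"]][banner.observe(m["src"], now)] += 1
    return {ip: dict(v) for ip, v in verdicts.items()}


def constructed_capture():
    """Constructed sample: a friendly-scanner REGISTER flood plus one real phone."""
    lines = []
    base = datetime(2013, 2, 15, 10, 39, 23)
    for i in range(60):                     # 60 REGISTERs in under 2 seconds
        t = base + timedelta(milliseconds=33 * i)
        lines += [
            f"U {t:%Y/%m/%d %H:%M:%S.%f} 173.242.123.148:5266 -> 196.41.123.113:5060",
            "REGISTER sip:196.41.123.113 SIP/2.0",
            "User-Agent: friendly-scanner",
            f"Call-ID: {4123206054 + i}",    # Call-ID changes on every request
            "",
        ]
    for i in range(3):                      # a legitimate phone re-registering
        t = base + timedelta(seconds=30 * i)
        lines += [
            f"U {t:%Y/%m/%d %H:%M:%S.%f} 203.0.113.7:5060 -> 196.41.123.113:5060",
            "REGISTER sip:196.41.123.113 SIP/2.0",
            "",
        ]
    return lines


if __name__ == "__main__":
    for ip, counts in replay(constructed_capture()).items():
        print(ip, counts)
```

With the defaults, the scanner's 51st request inside the 5-second window triggers the ban and the rest of the burst is dropped as "banned", while the phone registering every 30 seconds never comes near the threshold; raising dos_ban_time only lengthens how long is_banned() keeps answering True, which is the knob Daniel refers to.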

