[Spce-user] Under attack :-(

Skyler skchopperguy at gmail.com
Wed Feb 20 16:50:05 EST 2013


Awesome. Very nice. Tested, confirmed and implemented. Thank you ;)

S.

On Fri, Feb 15, 2013 at 12:57 AM, Aníbal Cañada <anibal at hercom.es> wrote:

> There is a dirty hack: in kamailio.cfg in the lb, change the response
> from 403 "banned and reported" to 200 OK.
> This will stop the attack.
>
> Anibal cañada
>
>
> On 15/02/2013, at 09:52, Daniel Grotti <dgrotti at sipwise.com> wrote:
>
> Hi Theo,
> Malicious attacks are banned by the proxy and you can see the IP
> addresses/Users banned under the "Security Ban" section.
> What you could do is change the value defining how many seconds the system
> keeps the IP/Users banned.
> You can find all the variables in /etc/ngcp-config/config.yml under
> "kamailio -> lb -> security".
>
> security:
>       dos_ban_enable: 'yes'
>       dos_ban_time: 300
>       dos_reqs_density_per_unit: 50
>       dos_sampling_time_unit: 5
>       dos_whitelisted_ips: ~
>       failed_auth_attempts: 3
>       failed_auth_ban_enable: 'yes'
>       failed_auth_ban_time: 3600
>
>
> So, by default the IP will stay banned for 300 sec.
>
> Daniel
>
>
>
>
> On 02/15/2013 09:45 AM, Theo wrote:
>
> Hi
>
>  ngrep-sip gives me:
>
>  #
> U 2013/02/15 10:39:23.432811 173.242.123.148:5266 -> 196.41.123.113:5060
> REGISTER sip:196.41.123.113 SIP/2.0'
> Via: SIP/2.0/UDP 173.242.123.148:5266;branch=z9hG4bK-2478367181;rport'
> Content-Length: 0'
> From: "12unknown" <sip:12unknown at 196.41.123.113>'
> Accept: application/sdp'
> User-Agent: friendly-scanner'
> To: "12unknown" <sip:12unknown at 196.41.123.113>'
> Contact: sip:123 at 1.1.1.1'
> CSeq: 1 REGISTER'
> Call-ID: 4123206054'
> Max-Forwards: 70'
> '
>  with a script changing the Call-ID at a massive rate. So someone is
> trying to register or doing something sinister. This box is not behind a
> firewall at this point, just a test box. The IP you see
> there, 173.242.123.148, has indeed been added to the banned IPs, which I guess
> means nothing is actually reaching the proxy? Do we just leave it like this
> until they give up or is there some other action I should take?
>
>  There is no monetary risk at this point for us - this is really just for
> testing and all details such as IPs are going to change if and when we
> would start using it.
>
>
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> http://lists.sipwise.com/listinfo/spce-user
>
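An added example, not part of the thread and not Sipwise or Kamailio code: a simplified model of the `dos_*` thresholds quoted above, run over ngrep output shaped like the capture in the original question. The fixed-window counting, the `192.0.2.10` client, the `constructed-phone` User-Agent and all function names are assumptions; the real load balancer may count requests differently.

```python
import re
from collections import defaultdict

# Values from the config.yml quoted in the thread.
REQS_PER_UNIT, SAMPLING_UNIT, BAN_TIME = 50, 5, 300

# ngrep header: "U 2013/02/15 10:39:23.432811 src:port -> dst:port"
HDR = re.compile(r"^U \S+ (\d\d):(\d\d):(\d\d\.\d+) ([\d.]+):\d+ -> ")
UA = re.compile(r"^User-Agent:\s*([^']+)", re.I)

def parse_ngrep(text):
    """Yield (seconds_of_day, src_ip, user_agent) for each captured packet."""
    cur = None
    for line in text.splitlines():
        line = line.lstrip("> ")  # tolerate e-mail quoting
        if m := HDR.match(line):
            if cur:
                yield tuple(cur)
            h, mi, s, ip = m.groups()
            cur = [int(h) * 3600 + int(mi) * 60 + float(s), ip, None]
        elif cur and (u := UA.match(line)):
            cur[2] = u.group(1).strip()
    if cur:
        yield tuple(cur)

def banned_sources(packets):
    """Map src_ip -> ban expiry. Assumed model: fixed windows, ban when the
    per-window count exceeds REQS_PER_UNIT; banned traffic is not counted."""
    counts, bans = defaultdict(int), {}
    for ts, src, _ua in packets:
        if bans.get(src, 0) > ts:
            continue
        key = (src, int(ts // SAMPLING_UNIT))
        counts[key] += 1
        if counts[key] > REQS_PER_UNIT:
            bans[src] = ts + BAN_TIME
    return bans

def sample_capture():
    """Constructed capture: 60 scanner REGISTERs in 0.6 s, 3 from a phone."""
    pkt = "U 2013/02/15 10:39:{:09.6f} {}:5266 -> 196.41.123.113:5060\nREGISTER sip:196.41.123.113 SIP/2.0'\nUser-Agent: {}'\nCall-ID: {}'\n'\n"
    flood = [pkt.format(23 + i / 100, "173.242.123.148", "friendly-scanner", 4123206054 + i) for i in range(60)]
    phone = [pkt.format(20 + i * 10, "192.0.2.10", "constructed-phone", i) for i in range(3)]
    return "".join(flood + phone)

if __name__ == "__main__":
    pkts = list(parse_ngrep(sample_capture()))
    print(banned_sources(pkts))
    print({ip for _, ip, ua in pkts if ua == "friendly-scanner"})
```

The 51st request inside one 5-second window triggers the ban, and the remaining flood packets are skipped until the 300-second ban expires, while the slow client is never counted above the threshold.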