[Spce-user] Registration attack

Lorenzo Mangani lorenzo.mangani at gmail.com
Wed May 1 09:49:39 EDT 2013


Hi,

If you want to STOP the attack rathen than ban the IP, try sending back 200
OK to their registration requests, regardless of the password being
invalid. This should cause the scan to drop.
Alternatively, if this is a state-less SIPVicious (as usual) you can use
svcrash.py to crash it remotely (or use the integrated too in HOMER/ToolBox
to achieve the same)

Best of Luck,

Lorenzo Mangani

HOMER DEV TEAM
QXIP - Network Engineering



On Wed, May 1, 2013 at 3:43 PM, Kevin Masse <kmasse at questblue.com> wrote:

> Jeremie, use the IPTABLES drop rule.
>
> iptables -A INPUT -s IPADDRESS -j DROP
>
>
> Kevin
>
>
>
> -----Original Message-----
> From: spce-user-bounces at lists.sipwise.com
> [mailto:spce-user-bounces at lists.sipwise.com] On Behalf Of Jeremie Chism
> Sent: Wednesday, May 01, 2013 9:41 AM
> To: spce-user at lists.sipwise.com
> Subject: [Spce-user] Registration attack
>
> We are receiving an attack of someone that is continuously trying to
> register to sipwise. There are so many attempts that the security ban
> tab is now returning an internal error. Is there a way to stop this or
> slow it down. I thought I remembered someone saying there was something
> that could be changed like returning a 200 ok on a ban. I am concerned
> about how this will impact sipwise since it is already showing signs of
> stress.
>
> Sent from my iPhone
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> http://lists.sipwise.com/listinfo/spce-user
>
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> http://lists.sipwise.com/listinfo/spce-user
>



--
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20130501/0930709a/attachment-0001.html>


More information about the Spce-user mailing list