[Spce-user] bruteforcing sip credentials attack

Raúl Alexis Betancor Santana rabs at dimension-virtual.com
Thu Feb 4 13:52:20 EST 2016


Easy ... 

291a292,298 
> ## filtering by UA : blacklist 
> if(is_method("REGISTER|INVITE|OPTIONS") && ($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+")) 
> { 
> xlog("L_WARN", "Request rejected, malicious UA='$ua' from IP=$si - [% logreq_init -%]\n"); 
> exit; 
> } 
> 
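Review bot: the `$ua =~` patterns in this hunk are case-sensitive literal matches (`friendly-scanner`, `sipvicious`, `^sipcli.+`) on a header the attacker fully controls, so a scanner that changes one character of its User-Agent passes straight through, and anything sent with a method outside `REGISTER|INVITE|OPTIONS` is never checked at all. That is fine as a cheap first filter, but the note above "Easy ..." should say so: keep the failed-authentication banning in front of the proxy as the real control and treat this block as a way to shed the default-UA scanners early. Since `exit` drops the request without any reply, the `xlog` line is the only trace you get; the `$si` in it is the transport source address, which is the right thing to log (not the Via, which the scanner also controls).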

Patch applied over the lb/kamailio.cfg.tt2 ... so create a .customtt.tt2 

> De: "Jose E. Vargas B." <j_e_vargas at live.com>
> Para: spce-user at lists.sipwise.com
> Enviados: Jueves, 4 de Febrero 2016 18:38:25
> Asunto: [Spce-user] bruteforcing sip credentials attack

> Hello,

> Just have a quick and probably easy question for the SP community. I am
> experimenting with the server and keep getting the entire day the following
> attack:

> 2016/02/04 19:20:16.673827 188.138.33.14:5071 -> yy.yy.yy.yy:5060
> INVITE sip:901141445209482@xx.xx.xx.xx SIP/2.0
> To: 901141445209482<sip:901141445209482@xx.xx.xx.xx>
> From: 0550<sip:0550@xx.xx.xx.xx>;tag=67a87716
> Via: SIP/2.0/UDP 188.138.33.14:5071;branch=z9hG4bK-6f67d7e24b4ac8a25f3d76106be4cb74;rport
> Call-ID: 6f67d7e24b4ac8a25f3d76106be4cb74
> CSeq: 1 INVITE
> Contact: <sip:0550@188.138.33.14:5071>
> Max-Forwards: 70
> Allow: INVITE, ACK, CANCEL, BYE
> User-Agent: sipcli/v1.8
> Content-Type: application/sdp
> Content-Length: 281

> v=0
> o=sipcli-Session 691746334 738426574 IN IP4 188.138.33.14
> s=sipcli
> c=IN IP4 188.138.33.14
> t=0 0
> m=audio 5073 RTP/AVP 18 0 8 101
> a=fmtp:101 0-15
> a=rtpmap:18 G729/8000
> a=rtpmap:0 PCMU/8000
> a=rtpmap:8 PCMA/8000
> a=rtpmap:101 telephone-event/8000
> a=ptime:20
> a=sendrecv

> I guess it is a funny group/folk trying to get unauthorized access to the server
> by sending multiple SIP INVITEs with different accounts and possibly free phone
> calls ;) The problem is that SPCE won't detect it, as its attempts are spread in
> time. I would like to get your guidance about blocking the entire IP or domain on the
> SPCE server. Could you please comment on how you deal with this type of
> attack?

> Jose

> PS:
> BTW - making changes to config.yml (failed_auth…) didn't help
> Offending IP: 188.138.33.14

> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> https://lists.sipwise.com/listinfo/spce-user
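Worked example, added to this archive page and not part of the thread or of the Sipwise/Kamailio code: a small Python script that reproduces the User-Agent blacklist from the kamailio.cfg.tt2 snippet offline, and adds the check the snippet cannot do on its own, a per-source-IP count of distinct From users over a long window, which is what catches the slow, spread-out INVITE attempts Jose describes. The sample requests, the IP addresses (RFC 5737 documentation ranges) and the "three distinct users per hour" threshold are constructed for this example; the regexes are compiled case-insensitively here, which is a hardening the original snippet does not have.

```python
"""Offline replay of the UA blacklist plus a slow-scan counter.

Example code added to the list archive; not Sipwise or Kamailio code.
Source IPs are taken from the transport layer (what Kamailio exposes
as $si), never from the Via header, which the scanner controls.
"""
import re
from collections import defaultdict

# The three patterns from the kamailio.cfg.tt2 hunk, here case-insensitive
# (an added hardening; the original config matches exact case only).
MALICIOUS_UA = [re.compile(p, re.IGNORECASE)
                for p in (r"friendly-scanner", r"sipvicious", r"^sipcli.+")]
FILTERED_METHODS = {"REGISTER", "INVITE", "OPTIONS"}
FROM_USER = re.compile(r"sip:([^@>;]+)@")


def parse_sip_request(raw):
    """Return (method, {lowercase header name: value}) for one SIP request.

    Folded header continuation lines (leading whitespace) are joined to the
    previous header, as RFC 3261 requires.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method = lines[0].split(" ", 1)[0]
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:
            headers[last] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()
            headers[last] = value.strip()
    return method, headers


def ua_blacklisted(raw):
    """True when the request would be dropped by the UA blacklist block."""
    method, headers = parse_sip_request(raw)
    ua = headers.get("user-agent", "")
    return method in FILTERED_METHODS and any(p.search(ua) for p in MALICIOUS_UA)


def slow_scan_sources(events, threshold=3, window=3600):
    """Return source IPs that used >= threshold distinct From users
    within `window` seconds. events: iterable of (ts, src_ip, raw_request)."""
    seen = defaultdict(list)                      # src_ip -> [(ts, from_user)]
    for ts, src, raw in sorted(events, key=lambda e: e[0]):
        _, headers = parse_sip_request(raw)
        m = FROM_USER.search(headers.get("from", ""))
        if m:
            seen[src].append((ts, m.group(1)))
    flagged = []
    for src, attempts in seen.items():
        for i, (ts, _) in enumerate(attempts):
            users = {u for t, u in attempts[: i + 1] if ts - t <= window}
            if len(users) >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)


def build_invite(src, from_user, to_user, ua):
    """Constructed sample INVITE shaped like the one quoted in the thread."""
    return (f"INVITE sip:{to_user}@192.0.2.10 SIP/2.0\r\n"
            f"To: <sip:{to_user}@192.0.2.10>\r\n"
            f"From: <sip:{from_user}@192.0.2.10>;tag=67a87716\r\n"
            f"Via: SIP/2.0/UDP {src}:5071;branch=z9hG4bK-example\r\n"
            f"User-Agent: {ua}\r\n"
            f"Content-Length: 0\r\n\r\n")


# Constructed events: (seconds since start, transport source IP, request).
# 198.51.100.7 probes one number with a new From user every 15 minutes.
SAMPLE_EVENTS = [
    (0,    "198.51.100.7", build_invite("198.51.100.7", "0550", "901141445209482", "sipcli/v1.8")),
    (900,  "198.51.100.7", build_invite("198.51.100.7", "0551", "901141445209482", "sipcli/v1.8")),
    (1800, "198.51.100.7", build_invite("198.51.100.7", "0552", "901141445209482", "sipcli/v1.8")),
    (100,  "198.51.100.9", build_invite("198.51.100.9", "1001", "1002", "MyPhone/2.0")),
    (200,  "198.51.100.9", build_invite("198.51.100.9", "1001", "1003", "MyPhone/2.0")),
    (300,  "203.0.113.4",  build_invite("203.0.113.4", "2001", "2002", "Friendly-Scanner")),
]

if __name__ == "__main__":
    for ts, src, raw in SAMPLE_EVENTS:
        if ua_blacklisted(raw):
            print(f"t={ts:5d} dropped by UA blacklist: {src}")
    print("slow-scan sources:", slow_scan_sources(SAMPLE_EVENTS))
```

The UA check alone never sees 198.51.100.9 or a scanner that renames itself; the distinct-From-users counter is what a failed-auth style ban needs as input, and the window has to be long (an hour here) precisely because the attempts are spread out in time.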