[Spce-user] bruteforcing sip credentials attack

Daniel Grotti dgrotti at sipwise.com
Thu Feb 4 14:03:52 EST 2016


Hi,
Hope it will help and maybe give you some hints:

https://www.linkedin.com/pulse/securing-your-ngcp-against-sip-attacks-daniel-grotti?forceNoSplash=true


Daniel


On Feb 4, 2016 7:38 PM, "Jose E. Vargas B." <j_e_vargas at live.com> wrote:
>
> Hello,
>
> Just have a quick and probably easy question for the SP community. I am experimenting with the server and keep getting the following attack the entire day:
>
> 016/02/04 19:20:16.673827 188.138.33.14:5071 -> yy.yy.yy.yy:5060
> INVITE sip:901141445209482 at xx.xx.xx.xx SIP/2.0
> To: 901141445209482<sip:901141445209482 at xx.xx.xx.xx>
> From: 0550<sip:0550 at xx.xx.xx.xx>;tag=67a87716
> Via: SIP/2.0/UDP 188.138.33.14:5071;branch=z9hG4bK-6f67d7e24b4ac8a25f3d76106be4cb74;rport
> Call-ID: 6f67d7e24b4ac8a25f3d76106be4cb74
> CSeq: 1 INVITE
> Contact: <sip:0550 at 188.138.33.14:5071>
> Max-Forwards: 70
> Allow: INVITE, ACK, CANCEL, BYE
> User-Agent: sipcli/v1.8
> Content-Type: application/sdp
> Content-Length: 281
>
> v=0
> o=sipcli-Session 691746334 738426574 IN IP4 188.138.33.14
> s=sipcli
> c=IN IP4 188.138.33.14
> t=0 0
> m=audio 5073 RTP/AVP 18 0 8 101
> a=fmtp:101 0-15
> a=rtpmap:18 G729/8000
> a=rtpmap:0 PCMU/8000
> a=rtpmap:8 PCMA/8000
> a=rtpmap:101 telephone-event/8000
> a=ptime:20
> a=sendrecv
>
>
> I guess it is a funny group/folk trying to get unauthorized access to the server by sending multiple SIP invites with different accounts and possible free phone calls ;) The problem is that SPCE won’t detect it as his attempts are spaced in time. Would like to get your guidance about blocking the entire IP or domain to SPCE server. Could you please comment on how you deal with this type of attack?
>
> Jose 
>
> PS: 
>     BTW - making changes to config.yml (failed _auth)…) didn’t help  
>     Offending IP:  188.138.33.14
>
>
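The quoted message describes INVITE probing that is spaced out enough to stay under a short rate window. As an added example (not code from this thread or from Sipwise), the Python below parses captures in the layout shown above and flags sources by scanner User-Agent or by the number of distinct dialled targets over a long window. The watchlist, thresholds, function names and sample records are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Capture header as in the post: "<date> <time>.<usec> <src-ip>:<port> -> <dst>:<port>"
HDR = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+ (\d+(?:\.\d+){3}):\d+ -> ")
# User part of a SIP URI; the list archive rewrites "@" as " at ", so accept both
USER = re.compile(r"sip:([^@\s>]+)(?:@| at )")
SCANNER_UA = ("sipcli", "friendly-scanner", "sipvicious")  # assumed watchlist

def parse_invites(capture):
    """Return one dict (ts, src, method, target, ua) per INVITE in the capture text."""
    events, cur = [], None
    for line in (raw.lstrip("> ") for raw in capture.splitlines()):  # tolerate mail quoting
        m = HDR.match(line)
        if m:
            cur = {"ts": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), "src": m.group(2), "ua": ""}
            events.append(cur)
        elif cur is not None and "method" not in cur and line.strip():
            cur["method"] = line.split()[0]  # request line follows the capture header
            u = USER.search(line)
            cur["target"] = u.group(1) if u else ""
        elif cur is not None and line.lower().startswith("user-agent:"):
            cur["ua"] = line.split(":", 1)[1].strip()
    return [e for e in events if e.get("method") == "INVITE"]

def flag_sources(events, window=timedelta(hours=24), max_targets=3):
    """Flag sources with a scanner User-Agent, or with more than max_targets distinct
    dialled targets inside `window` (anchored at each event, so slow scans accumulate)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        reasons = []
        if any(len({e["target"] for e in evs if timedelta(0) <= e["ts"] - first["ts"] <= window})
               > max_targets for first in evs):
            reasons.append("many-targets")
        if any(s in e["ua"].lower() for e in evs for s in SCANNER_UA):
            reasons.append("scanner-user-agent")
        if reasons:
            flagged[src] = reasons
    return flagged

def sample_invite(ts, src, target, ua):  # constructed record in the post's layout, not real traffic
    return (f"{ts}.000000 {src}:5071 -> 192.0.2.10:5060\n"
            f"INVITE sip:{target} at 192.0.2.10 SIP/2.0\nUser-Agent: {ua}\n\n")
SAMPLE = "".join(  # constructed capture: slow scan, single sipcli probe, normal caller
    [sample_invite(f"2016/02/04 {h:02d}:00:00", "198.51.100.7", f"0044555010{h}", "softphone/1.0") for h in range(0, 10, 2)]
    + [sample_invite("2016/02/04 19:20:16", "203.0.113.9", "0044555019", "sipcli/v1.8")]
    + [sample_invite(f"2016/02/04 1{h}:30:00", "198.51.100.50", "1001", "softphone/1.0") for h in range(2)])
```

Running `flag_sources(parse_invites(SAMPLE))` flags the slow source only with the 24-hour window; with `window=timedelta(hours=1)` it is missed, which is the behaviour the poster describes. The flagged addresses are candidates for the IP-level block asked about in the message.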

