[Spce-user] bruteforcing sip credentials attack

Jose E. Vargas B. j_e_vargas at live.com
Fri Feb 5 03:21:08 EST 2016


Thanks for your help Daniel, Alexis and George. Problem is solved now!
Jose

> On Feb 4, 2016, at 11:03 AM, Daniel Grotti <dgrotti at sipwise.com> wrote:
> 
> Hi,
> Hope it will help and maybe give you some hints:
> 
> https://www.linkedin.com/pulse/securing-your-ngcp-against-sip-attacks-daniel-grotti?forceNoSplash=true
> 
> 
> Daniel
> 
> 
> On Feb 4, 2016 7:38 PM, "Jose E. Vargas B." <j_e_vargas at live.com> wrote:
>> 
>> Hello,
>> 
>> Just have a quick and probably easy question for the SP community. I am experimenting with the server and keep getting the following attack all day long:
>> 
>> 016/02/04 19:20:16.673827 188.138.33.14:5071 -> yy.yy.yy.yy:5060
>> INVITE sip:901141445209482 at xx.xx.xx.xx SIP/2.0
>> To: 901141445209482<sip:901141445209482 at xx.xx.xx.xx>
>> From: 0550<sip:0550 at xx.xx.xx.xx>;tag=67a87716
>> Via: SIP/2.0/UDP 188.138.33.14:5071;branch=z9hG4bK-6f67d7e24b4ac8a25f3d76106be4cb74;rport
>> Call-ID: 6f67d7e24b4ac8a25f3d76106be4cb74
>> CSeq: 1 INVITE
>> Contact: <sip:0550 at 188.138.33.14:5071>
>> Max-Forwards: 70
>> Allow: INVITE, ACK, CANCEL, BYE
>> User-Agent: sipcli/v1.8
>> Content-Type: application/sdp
>> Content-Length: 281
>> 
>> v=0
>> o=sipcli-Session 691746334 738426574 IN IP4 188.138.33.14
>> s=sipcli
>> c=IN IP4 188.138.33.14
>> t=0 0
>> m=audio 5073 RTP/AVP 18 0 8 101
>> a=fmtp:101 0-15
>> a=rtpmap:18 G729/8000
>> a=rtpmap:0 PCMU/8000
>> a=rtpmap:8 PCMA/8000
>> a=rtpmap:101 telephone-event/8000
>> a=ptime:20
>> a=sendrecv
>> 
>> 
>> I guess it is a funny group/folk trying to get unauthorized access to the server by sending multiple SIP invites with different accounts, and possibly free phone calls ;) The problem is that SPCE won’t detect it, as his attempts are spread out in time. I would like to get your guidance about blocking the entire IP or domain to the SPCE server. Could you please comment on how you deal with this type of attack?
>> 
>> Jose 
>> 
>> PS: 
>>     BTW - making changes to config.yml (failed _auth)…) didn’t help  
>>     Offending IP:  188.138.33.14
>> 
>> 
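
Added example, not part of the original thread and not Sipwise code: a long-window check over a capture in the layout quoted above, flagging sources that send INVITEs under several different From users even when the attempts are hours apart. The function names, the 24-hour window, the threshold of 3 users and the sample traffic are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

HDR = re.compile(r"^(\d{4}/\d\d/\d\d [\d:.]+) (\d+(?:\.\d+){3}):\d+ -> ")
# From user; stops at "@" or at the list archive's " at " obfuscation.
FROM = re.compile(r"^From:.*<sip:([^@>\s]+)", re.I)

# Constructed sample (documentation addresses), not traffic from the thread.
SAMPLE = """\
2016/02/04 01:10:00.000000 192.0.2.14:5071 -> 198.51.100.1:5060
INVITE sip:900441234567@198.51.100.1 SIP/2.0
From: 0550<sip:0550@198.51.100.1>;tag=a1
2016/02/04 07:40:00.000000 192.0.2.14:5071 -> 198.51.100.1:5060
INVITE sip:900441234567@198.51.100.1 SIP/2.0
From: 100<sip:100@198.51.100.1>;tag=a2
2016/02/04 12:00:00.000000 192.0.2.77:5060 -> 198.51.100.1:5060
INVITE sip:bob@198.51.100.1 SIP/2.0
From: alice<sip:alice@198.51.100.1>;tag=b1
2016/02/04 19:20:00.000000 192.0.2.14:5071 -> 198.51.100.1:5060
INVITE sip:900441234567@198.51.100.1 SIP/2.0
From: 1001<sip:1001@198.51.100.1>;tag=a3
"""

def parse_capture(text):
    """Return (timestamp, source_ip, from_user) for each INVITE."""
    events, cur = [], None
    for line in text.splitlines():
        if m := HDR.match(line):
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            cur = [ts, m.group(2), False]   # False until an INVITE line is seen
        elif cur and line.startswith("INVITE "):
            cur[2] = True
        elif cur and cur[2] and (f := FROM.match(line)):
            events.append((cur[0], cur[1], f.group(1)))
            cur = None
    return events

def slow_scanners(events, window=timedelta(hours=24), min_users=3):
    """Flag sources using >= min_users distinct From users within `window`."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, seq in by_ip.items():
        for i, (start, _) in enumerate(seq):
            users = {u for t, u in seq[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged
```

Calling `slow_scanners(parse_capture(SAMPLE))` returns the one source that cycled through three From users over 18 hours; the returned addresses can feed whatever block list or firewall rule set you maintain.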
