[Spce-user] Under what scenario could sipwise silently drop an invite?

Abel Alejandro aalejandro at alliedtechnologygrouppr.com
Sat May 28 17:53:46 EDT 2016


Matthew,

You hit the nail on the head. I was always grepping for the destination
and/or for the IP at the exact time; since it has so much traffic it was
difficult to see it was banned a few minutes earlier.

May 27 13:38:21 sip lb[4430]: WARNING: <script>: IP '172.31.3.245' is blocked and banned - R=<null> ID=1DA8C28A-154D11E6-A138E6D2-8EBB5E3A UA='<null>'

Mystery solved, thank you all, guys.



On Sat, May 28, 2016 at 4:07 PM, Matthew Ogden <matthew at gapp.tenacit.net>
wrote:

> Hi Abel
>
> And ngrep-sip is also seeing this?
>
> What does the kamailio-lb log have in it for this call id? (If anything)
>
> If I recall correctly there are two protections: one against DoS from a
> single source IP, and another against the username (distributed brute
> force).
>
> Check
> https://www.sipwise.org/news/technical/securing-your-ngcp-against-sip-attacks/
> for the current release into
>
> Then check your log.
> On 28 May 2016 18:24, "Abel Alejandro" <
> aalejandro at alliedtechnologygrouppr.com> wrote:
>
>> Actually this is my fault since I didn't explain properly, sorry for that
>> guys.
>>
>> The voipmonitor detected 11 calls from this endpoint like this; however,
>> this very same endpoint made and received hundreds of calls yesterday alone
>> successfully. This is a Cisco UC PBX.
>>
>> This is what the INVITE looks like with a couple of details anonymized. I do
>> think everything looks good on this INVITE; the port is okay and the domain is
>> okay.
>>
>> INVITE sip:19727612465@sip.fusetelecom.com:5060 SIP/2.0
>> Via: SIP/2.0/UDP 10.30.28.1:5060;branch=z9hG4bKE5DB37D
>> From: "XXXX" <sip:787200xxxx@sip.fusetelecom.com>;tag=DB6B8ADC-17FC
>> To: <sip:1972761xxxx@sip.fusetelecom.com>
>> Date: Fri, 27 May 2016 14:10:16 GMT
>> Call-ID: 924D11CC-234B11E6-BB27E6D2-8EBB5E3A@sip.fusetelecom.com
>> Supported: 100rel,timer,resource-priority,replaces,sdp-anat
>> Min-SE:  600
>> Cisco-Guid: 2376044366-0592122342-3139626706-2394644026
>> User-Agent: Cisco-SIPGateway/IOS-12.x
>> Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
>> CSeq: 101 INVITE
>> Max-Forwards: 70
>> Timestamp: 1464358216
>> Contact: <sip:787200xxxx@10.30.28.1:5060>
>> Call-Info: <sip:10.30.28.1:5060>;method="NOTIFY;Event=telephone-event;Duration=2000"
>> Expires: 300
>> Allow-Events: telephone-event
>> Content-Type: application/sdp
>> Content-Disposition: session;handling=required
>> Content-Length: 324
>>
>> v=0
>> o=CiscoSystemsSIP-GW-UserAgent 6165 9658 IN IP4 10.30.28.1
>> s=SIP Call
>> c=IN IP4 10.30.28.1
>> t=0 0
>> m=audio 17106 RTP/AVP 18 0 8 101 19
>> c=IN IP4 10.30.28.1
>> a=rtpmap:18 G729/8000
>> a=fmtp:18 annexb=no
>> a=rtpmap:0 PCMU/8000
>> a=rtpmap:8 PCMA/8000
>> a=rtpmap:101 telephone-event/8000
>> a=fmtp:101 0-16
>> a=rtpmap:19 CN/8000
>>
>>
>> On Sat, May 28, 2016 at 12:05 PM, Marco Teixeira <admin at marcoteixeira.com
>> > wrote:
>>
>>> It was an example.
>>> What I meant was that, usually, sniffers set the NIC to promiscuous mode,
>>> meaning that they will catch whatever garbage arrives at the IP stack. The
>>> iptables was an example. Others have pointed out before: maybe your config is
>>> not binding to the correct port? Maybe you don't have the correct domain
>>> configured in sipwise?
>>>
>>>
>>> ---
>>> Best regards
>>> Marco
>>> ---
>>>
>>>
>>> On Sat, May 28, 2016 at 1:18 PM, Abel Alejandro <
>>> aalejandro at alliedtechnologygrouppr.com> wrote:
>>>
>>>> Hey Marco,
>>>>
>>>> I do not mean the server iptables; I do not run anything other than
>>>> sipwise + sniffer. I mean the anti-DDoS of sipwise itself.
>>>>
>>>>
>>>>
>>>> On Sat, May 28, 2016 at 8:04 AM, Marco Teixeira <
>>>> admin at marcoteixeira.com> wrote:
>>>>
>>>>> Hi Abel,
>>>>> Careful with your assumptions. As an example, if I run sip-ngrep on
>>>>> the server, it will see all the traffic even before iptables drops it...
>>>>> On 27/05/2016 20:12, "Abel Alejandro" <
>>>>> aalejandro at alliedtechnologygrouppr.com> wrote:
>>>>>
>>>>>> Well, the network capture is a network application that runs on the
>>>>>> same sipwise server; it's from the voipmonitor.org guys. I don't see
>>>>>> how the network sniffer could capture the data and at the same time the
>>>>>> server not deliver it to the kamailio process.
>>>>>>
>>>>>> I sent you the pcap capture privately, but yes the domain looks
>>>>>> correct. Is there no chance the endpoint was banned during this time? Would
>>>>>> that skip the logs?
>>>>>>
>>>>>>
>>>>>> On Fri, May 27, 2016 at 2:59 PM, Daniel Grotti <dgrotti at sipwise.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>> Well, if no requests are on Kamailio-lb, then the invites never reached
>>>>>>> the server.
>>>>>>> Are you sure the invite was heading to the right SIP domain?
>>>>>>>
>>>>>>> Daniel
>>>>>>> On May 27, 2016 8:51 PM, Abel Alejandro <
>>>>>>> aalejandro at alliedtechnologygrouppr.com> wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I am testing a voipmonitor and just saw an interesting call where an
>>>>>>> endpoint sent 3 invites to sipwise and it never got answered. Mind you, I am
>>>>>>> doing the voipmonitor capture at the sipwise server itself, so there is no
>>>>>>> chance of network packet loss here.
>>>>>>>
>>>>>>> When I take a look at the logs I don't even see the request
>>>>>>> in kamailio-lb.log or kamailio-proxy.log; is there any other place I could
>>>>>>> check?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> *Abel Alejandro*
>>>>>>>
>>>>>>> 787 586 8313 | 787 705 0555
>>>>>>> <joquendo at alliedtechnologygrouppr.com>
>>>>>>>
>>>>>>> 400 Calle Calaf 477
>>>>>>> San Juan, PR 00918
>>>>>>> aalejandro at alliedtechnologygrouppr.com
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Spce-user mailing list
>>>>>> Spce-user at lists.sipwise.com
>>>>>> https://lists.sipwise.com/listinfo/spce-user
>>>>>>
>>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
>>


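Added example for this thread, not code from the list or from Sipwise: a small Python script that does what Abel ended up doing by hand, i.e. correlating an INVITE the sniffer captured with an earlier kamailio-lb ban for its source IP, instead of grepping for the called number or the Call-ID at the exact time of the call. The ban-line shape is the one quoted at the top of the thread; the ban duration, the year, the capture timestamp and the non-ban filler lines in the sample log are assumptions made here.

```python
"""Find the kamailio-lb ban that explains an INVITE the sniffer saw but
kamailio never logged.

Added example for this thread; it is not part of the Sipwise/NGCP code.
Assumptions: the ban line has exactly the shape quoted in the thread, the
ban duration (ban_time_s) is supplied by the caller (in NGCP it is a
configuration setting whose value this script does not know), and the
non-ban lines in SAMPLE_LOG are constructed filler, not a real NGCP format.
"""
import re
from datetime import datetime, timedelta

# Shape of the WARNING kamailio-lb writes when it drops a request from a
# banned source (taken from the line quoted in the thread).
BAN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ lb\[\d+\]: "
    r"WARNING: <script>: IP '(?P<ip>[^']+)' is blocked and banned"
    r"(?: - R=(?P<ruri>\S+) ID=(?P<callid>\S+) UA=(?P<ua>.*))?$"
)

# Constructed sample log: one real-shaped ban line per IP plus filler lines
# (the filler format is invented here; do not grep production logs for it).
SAMPLE_LOG = """\
May 27 13:36:02 sip lb[4430]: NOTICE: <script>: filler line, constructed for this example
May 27 13:38:21 sip lb[4430]: WARNING: <script>: IP '172.31.3.245' is blocked and banned - R=<null> ID=1DA8C28A-154D11E6-A138E6D2-8EBB5E3A UA='<null>'
May 27 13:39:10 sip lb[4430]: WARNING: <script>: IP '198.51.100.77' is blocked and banned - R=<null> ID=FEED0001-CONSTRUCTED UA='<null>'
May 27 13:40:55 sip lb[4430]: NOTICE: <script>: filler line, constructed for this example
""".splitlines()


def parse_syslog_ts(ts: str, year: int) -> datetime:
    """Syslog timestamps carry no year; the caller has to supply it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def ban_events(lines, year: int) -> list:
    """Extract every ban WARNING as a dict with ts, ip, callid and ua."""
    events = []
    for line in lines:
        m = BAN_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": parse_syslog_ts(m["ts"], year),
            "ip": m["ip"],
            "callid": m["callid"],
            "ua": m["ua"],
        })
    return events


def explain_drop(lines, src_ip: str, seen_at: str, year: int,
                 ban_time_s: int = 300):
    """Return the most recent ban of src_ip still in force at seen_at
    (a syslog-style timestamp from the sniffer, on the same clock as the
    log), or None when no ban explains the silent drop.

    ban_time_s is the ASSUMED ban duration; the default is a placeholder,
    use the value from your own NGCP configuration.
    """
    at = parse_syslog_ts(seen_at, year)
    window = timedelta(seconds=ban_time_s)
    candidates = [e for e in ban_events(lines, year)
                  if e["ip"] == src_ip and e["ts"] <= at <= e["ts"] + window]
    return max(candidates, key=lambda e: e["ts"]) if candidates else None


if __name__ == "__main__":
    # Constructed scenario: the sniffer saw the INVITE from 172.31.3.245 at
    # 13:41:05 local time and a grep for its Call-ID or called number found
    # nothing, so search by source IP and time window instead.
    hit = explain_drop(SAMPLE_LOG, "172.31.3.245", "May 27 13:41:05", 2016)
    if hit:
        print(f"dropped by ban issued at {hit['ts']} (trigger Call-ID {hit['callid']})")
    else:
        print("no ban found in window; look elsewhere (port, domain, routing)")
```

Two caveats when running this against a real box: the syslog timestamp is local time while the SIP Date header is always GMT (RFC 3261), so convert the sniffer's timestamp to the log's clock before comparing, and the regex is only as good as the quoted line, so check it against a known ban line from your own release before trusting a "no ban found" result.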