Re: [asterisk-users] Detecting DoS attacks via SIP
Hi Mike,

On 15-08-17 21:37, mdiehl wrote:
> Hi all,
>
> Lately, I've seen an increase in the number of attacks against my system from the so-called "Friendly Scanner." When one of these script kiddies targets my server, all I see for symptoms is a few of my trunks become lagged due to server load and a stream of messages on the console that resemble this:
>
> [snip]
>
> I have to turn on sip debugging to find out who's hitting me. However, I can't just leave it on because it would kill my logging system.
>
> So, how are other people handling this? Is there an AMI event I want to watch for? I watch for PeerStatus, but since there's no actual peer in the attack, I don't seem to get an event from AMI.
>
> Any ideas?

You can block sipvicious/friendly scanner in iptables with something like:

-A INPUT -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm -j DROP

You can also look at xtables with geoip to drop countries (per destination port) that should not connect to your Asterisk box. It's a big hammer but it works really well.

Or put a proxy like Kamailio or OpenSIPS in front of the Asterisk box. That's what the telcos/service providers do.

HTH,
Patrick

--
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
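An added example (editor's code, not from Patrick's post, Asterisk or netfilter) that lets you check offline what the iptables rule above actually decides: `-m string --algo bm` is a case-sensitive byte substring search for "friendly-scanner" anywhere in the UDP payload, so it catches sipvicious with its default User-Agent and nothing else. The script also shows the complementary check a practitioner adds for scanners that rename their User-Agent: a per-source sliding-window rate count. Every packet, address and the `SourceRateTracker` class are constructed for illustration.

```python
"""Offline check of two ways to spot a SIP scanner (added example).

Not code from the list post or from Asterisk/netfilter. It mirrors the
iptables string match above and adds a per-source rate check. All
packets below are constructed; addresses are documentation ranges.
"""
from collections import deque

# Constructed samples. The first resembles a sipvicious-style OPTIONS
# probe (its default User-Agent is "friendly-scanner"); the second is a
# normal phone registration; the third is the same probe with the
# User-Agent renamed, which a string match alone will not catch.
SCANNER_OPTIONS = (
    b"OPTIONS sip:100@192.0.2.10 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK-1\r\n"
    b"From: <sip:100@203.0.113.5>;tag=1\r\n"
    b"To: <sip:100@192.0.2.10>\r\n"
    b"Call-ID: abc@203.0.113.5\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"User-Agent: friendly-scanner\r\n"
    b"Content-Length: 0\r\n\r\n"
)
PHONE_REGISTER = (
    b"REGISTER sip:192.0.2.10 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 198.51.100.20:5060;branch=z9hG4bK-2\r\n"
    b"From: <sip:6001@192.0.2.10>;tag=2\r\n"
    b"To: <sip:6001@192.0.2.10>\r\n"
    b"Call-ID: def@198.51.100.20\r\n"
    b"CSeq: 1 REGISTER\r\n"
    b"User-Agent: DeskPhone/1.0\r\n"
    b"Content-Length: 0\r\n\r\n"
)
RENAMED_SCANNER = SCANNER_OPTIONS.replace(b"friendly-scanner", b"Generic UA")


def string_rule_matches(payload: bytes, needle: bytes = b"friendly-scanner") -> bool:
    """What `-m string --string "friendly-scanner" --algo bm` tests:
    a case-sensitive substring match over the whole payload."""
    return needle in payload


def parse_sip(payload: bytes):
    """Return (method, headers) for a SIP request. headers maps the
    lower-cased header name to a list of values; folded continuation
    lines are joined to the previous header. Raises ValueError on junk."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"SIP/2.0"):
        raise ValueError("not a SIP request line")
    headers = {}
    last = None
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and last is not None:
            headers[last][-1] += " " + line.strip().decode("utf-8", "replace")
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        last = name.strip().lower().decode("ascii", "replace")
        headers.setdefault(last, []).append(value.strip().decode("utf-8", "replace"))
    return parts[0].decode("ascii", "replace"), headers


class SourceRateTracker:
    """Sliding-window count of requests per source IP (constructed helper)."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._seen = {}  # ip -> deque of request timestamps

    def observe(self, ip: str, now: float) -> bool:
        """Record one request; True once the source exceeds limit within window."""
        q = self._seen.setdefault(ip, deque())
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q) > self.limit


def classify(ip: str, payload: bytes, tracker: SourceRateTracker, now: float):
    """Reasons to drop or flag this packet: 'ua-string', 'rate', 'malformed'."""
    reasons = []
    if string_rule_matches(payload):
        reasons.append("ua-string")
    if tracker.observe(ip, now):
        reasons.append("rate")
    try:
        parse_sip(payload)
    except ValueError:
        reasons.append("malformed")
    return reasons


def demo():
    """Run the three samples through both checks with a 3-per-second limit."""
    tracker = SourceRateTracker(limit=3, window_s=1.0)
    out = {
        "scanner": classify("203.0.113.5", SCANNER_OPTIONS, tracker, 0.0),
        "phone": classify("198.51.100.20", PHONE_REGISTER, tracker, 0.1),
    }
    for i in range(4):  # four probes in 200 ms from the renamed scanner
        out["renamed"] = classify("203.0.113.77", RENAMED_SCANNER, tracker, 0.2 + 0.05 * i)
    return out


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name:8s} -> {reasons or ['clean']}")
```

The string rule is cheap and worth keeping, but the renamed probe shows why it is only a first layer: a scanner that sets any other User-Agent walks straight past it, and a rate or auth-failure based rule is what catches it.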
Re: [asterisk-users] Detecting DoS attacks via SIP
Hi Mike

In this case, if it's coming from friendly scanner why not drop the packets at the firewall layer so that Asterisk never sees them?

Mark

> On 15 Aug 2017, at 20:37, mdiehl wrote:
>
> Hi all,
>
> Lately, I've seen an increase in the number of attacks against my system from the so-called "Friendly Scanner." When one of these script kiddies targets my server, all I see for symptoms is a few of my trunks become lagged due to server load and a stream of messages on the console that resemble this:
>
> [Aug 2 20:27:50] == Using SIP VIDEO CoS mark 6
> [Aug 2 20:27:50] == Using SIP RTP TOS bits 24
> [Aug 2 20:27:50] == Using SIP RTP CoS mark 5
> [Aug 2 20:32:47] == Using SIP VIDEO TOS bits 24
> [Aug 2 20:32:47] == Using SIP VIDEO CoS mark 6
> [Aug 2 20:32:47] == Using SIP RTP TOS bits 24
> [Aug 2 20:32:47] == Using SIP RTP CoS mark 5
> [Aug 2 20:34:26] == Using SIP VIDEO TOS bits 24
> [Aug 2 20:34:26] == Using SIP VIDEO CoS mark 6
>
> I have to turn on sip debugging to find out who's hitting me. However, I can't just leave it on because it would kill my logging system.
>
> So, how are other people handling this? Is there an AMI event I want to watch for? I watch for PeerStatus, but since there's no actual peer in the attack, I don't seem to get an event from AMI.
>
> Any ideas?
>
> Mike Diehl.
Re: [asterisk-users] Detecting DoS attacks via SIP
On Tue, Aug 15, 2017 at 2:37 PM, mdiehl wrote:
> Hi all,
>
> Lately, I've seen an increase in the number of attacks against my system from the so-called "Friendly Scanner." When one of these script kiddies targets my server, all I see for symptoms is a few of my trunks become lagged due to server load and a stream of messages on the console that resemble this:
>
> [Aug 2 20:27:50] == Using SIP VIDEO CoS mark 6
> [Aug 2 20:27:50] == Using SIP RTP TOS bits 24
> [Aug 2 20:27:50] == Using SIP RTP CoS mark 5
> [Aug 2 20:32:47] == Using SIP VIDEO TOS bits 24
> [Aug 2 20:32:47] == Using SIP VIDEO CoS mark 6
> [Aug 2 20:32:47] == Using SIP RTP TOS bits 24
> [Aug 2 20:32:47] == Using SIP RTP CoS mark 5
> [Aug 2 20:34:26] == Using SIP VIDEO TOS bits 24
> [Aug 2 20:34:26] == Using SIP VIDEO CoS mark 6
>
> I have to turn on sip debugging to find out who's hitting me. However, I can't just leave it on because it would kill my logging system.
>
> So, how are other people handling this? Is there an AMI event I want to watch for? I watch for PeerStatus, but since there's no actual peer in the attack, I don't seem to get an event from AMI.
>
> Any ideas?

There is an AMI security class that you can use to monitor the AMI security events. See manager.conf.sample

Richard
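An added example (editor's code, not from Richard's reply or from Asterisk) of what you do with those events once the AMI user has `security` in its `read` permissions in manager.conf: parse the event stream, keep only the failure events, and count them per remote address so the attacking source shows up without turning on sip debugging. The event names and the `IPV4/UDP/<ip>/<port>` address format follow Asterisk's security event framework; the byte stream here is constructed rather than captured, and the `_sec_event` builder, the `FAILURE_EVENTS` set and the threshold are the editor's choices.

```python
"""Summarise Asterisk AMI security events by remote address (added example).

Not code from the list post or from Asterisk. It assumes the AMI user has
"security" in its read permissions in manager.conf (see
manager.conf.sample) and reads the resulting event stream. The byte
stream below is constructed, not a capture; addresses are documentation
ranges.
"""
from collections import Counter, defaultdict

# Security events that mean a request was refused (editor's selection).
FAILURE_EVENTS = {
    "InvalidAccountID", "InvalidPassword", "ChallengeResponseFailed",
    "FailedACL", "RequestNotAllowed", "UnexpectedAddress",
}


def _sec_event(name, severity, account, remote, tv):
    """Build one constructed AMI security event block."""
    return (
        f"Event: {name}\r\nPrivilege: security,all\r\nEventTV: {tv}\r\n"
        f"Severity: {severity}\r\nService: SIP\r\nEventVersion: 1\r\n"
        f"AccountID: {account}\r\nSessionID: 0x1\r\n"
        f"LocalAddress: IPV4/UDP/192.0.2.10/5060\r\n"
        f"RemoteAddress: IPV4/UDP/{remote}/5060\r\n\r\n"
    ).encode()


# Six account-guessing failures from one host, one typo'd password from a
# real phone that then authenticates, plus an unrelated PeerStatus event.
SAMPLE_STREAM = b"".join(
    [_sec_event("InvalidAccountID", "Error", str(100 + i), "203.0.113.5",
                f"2017-08-02T20:27:5{i}.000-0600") for i in range(6)]
    + [_sec_event("InvalidPassword", "Error", "6001", "198.51.100.20",
                  "2017-08-02T20:28:10.000-0600"),
       _sec_event("SuccessfulAuth", "Informational", "6001", "198.51.100.20",
                  "2017-08-02T20:28:12.000-0600"),
       b"Event: PeerStatus\r\nPrivilege: system,all\r\nChannelType: SIP\r\n"
       b"Peer: SIP/6001\r\nPeerStatus: Registered\r\n\r\n"]
)


def parse_ami_stream(data: bytes):
    """Split an AMI byte stream (blank-line separated Key: Value blocks)
    into a list of {field: value} dicts."""
    events = []
    for block in data.split(b"\r\n\r\n"):
        if not block.strip():
            continue
        fields = {}
        for line in block.split(b"\r\n"):
            key, sep, value = line.partition(b":")
            if sep:
                fields[key.strip().decode("utf-8", "replace")] = \
                    value.strip().decode("utf-8", "replace")
        events.append(fields)
    return events


def remote_ip(addr: str) -> str:
    """'IPV4/UDP/203.0.113.5/5060' -> '203.0.113.5'; unknown forms pass through."""
    parts = addr.split("/")
    return parts[2] if len(parts) >= 3 else addr


def summarize(events, threshold: int):
    """Return (failures per IP, sorted accounts tried per IP, IPs at/over threshold)."""
    failures = Counter()
    accounts = defaultdict(set)
    for ev in events:
        if ev.get("Event") not in FAILURE_EVENTS:
            continue
        ip = remote_ip(ev.get("RemoteAddress", ""))
        failures[ip] += 1
        accounts[ip].add(ev.get("AccountID", ""))
    offenders = {ip for ip, n in failures.items() if n >= threshold}
    return failures, {ip: sorted(a) for ip, a in accounts.items()}, offenders


if __name__ == "__main__":
    fails, tried, bad = summarize(parse_ami_stream(SAMPLE_STREAM), threshold=5)
    for ip in sorted(bad):
        print(f"{ip}: {fails[ip]} failures, accounts tried: {tried[ip]}")
```

The distinct-accounts list is the useful signal: a phone with a wrong password fails repeatedly against one account, while a scanner walks through many. The offender set is what you would hand to a firewall drop rule or a fail2ban-style banner; the threshold and window are site choices, not Asterisk defaults.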
[asterisk-users] Detecting DoS attacks via SIP
Hi all,

Lately, I've seen an increase in the number of attacks against my system from the so-called "Friendly Scanner." When one of these script kiddies targets my server, all I see for symptoms is a few of my trunks become lagged due to server load and a stream of messages on the console that resemble this:

[Aug 2 20:27:50] == Using SIP VIDEO CoS mark 6
[Aug 2 20:27:50] == Using SIP RTP TOS bits 24
[Aug 2 20:27:50] == Using SIP RTP CoS mark 5
[Aug 2 20:32:47] == Using SIP VIDEO TOS bits 24
[Aug 2 20:32:47] == Using SIP VIDEO CoS mark 6
[Aug 2 20:32:47] == Using SIP RTP TOS bits 24
[Aug 2 20:32:47] == Using SIP RTP CoS mark 5
[Aug 2 20:34:26] == Using SIP VIDEO TOS bits 24
[Aug 2 20:34:26] == Using SIP VIDEO CoS mark 6

I have to turn on sip debugging to find out who's hitting me. However, I can't just leave it on because it would kill my logging system.

So, how are other people handling this? Is there an AMI event I want to watch for? I watch for PeerStatus, but since there's no actual peer in the attack, I don't seem to get an event from AMI.

Any ideas?

Mike Diehl.
Re: [asterisk-users] VoIP monitor and multiple RTP streams
Must be something in Asterisk. I have seen it in the past and was never able to figure it out.

On Tue, Aug 15, 2017 at 4:18 AM, Marcelo Terres wrote:
> Hello Dovid.
>
> I tried to figure it out, but to be honest I could not find a reason for the change.
>
> The lines that I sent are the RTP streams detected by Wireshark.
>
> Regards,
>
> Marcelo H. Terres
> IM: mhter...@jabber.mundoopensource.com.br
> https://www.mundoopensource.com.br
> https://twitter.com/mhterres
> https://linkedin.com/in/marceloterres
>
> On 14 August 2017 at 17:52, Dovid Bender wrote:
>> Marcelo,
>>
>> You need to look at the box changing the SSRC and figure out why it's changing it. Where are you seeing the multiple rows, in MySQL or Wireshark?
>>
>> On Mon, Aug 14, 2017 at 11:24 AM, Marcelo Terres wrote:
>>> Hello.
>>>
>>> Is someone here using VoIPmonitor?
>>>
>>> I am using just the sniffer and I found some pcap files that contain some odd streams.
>>>
>>> For example, I have a file with 3 streams, but the weird stuff is that 2 streams are the same (e.g., have the same source address and port and same destination address and port).
>>>
>>> Example:
>>>
>>> "Source Address","Source Port","Destination Address","Destination Port","SSRC","Payload","Packets","Lost","Max Delta (ms)","Max Jitter","Mean Jitter","Status"
>>> "6X.XXX.XXX.XXX",34170,"1XX.XXX.XXX.XXX",10602,277011456,"g711A",7289,0,21.3036449,21.265543809819981,0.073286945955809715,""
>>> "1XX.XXX.XXX.XXX",10602,"6X.XXX.XXX.XXX",34170,2020146713,"g711A",2099,0,36.2968661,2.9025967411766738,0.97877393850963945,""
>>> "1XX.XXX.XXX.XXX",10602,"6X.XXX.XXX.XXX",34170,325951803,"g711A",4949,0,41.8790815,4.5846492231155924,1.0537488536922062,""
>>>
>>> The only thing that I could notice is that the first packet that had the new SSRC (325951803) has the marker bit on, but I could not find a reason for the SSRC change.
>>>
>>> Any ideas of what could be causing that?
>>>
>>> Thanks.
>>>
>>> Regards,
>>>
>>> Marcelo H. Terres
>>> IM: mhter...@jabber.mundoopensource.com.br
>>> https://www.mundoopensource.com.br
>>> https://twitter.com/mhterres
>>> https://linkedin.com/in/marceloterres
Re: [asterisk-users] VoIP monitor and multiple RTP streams
Hello Dovid.

I tried to figure it out, but to be honest I could not find a reason for the change.

The lines that I sent are the RTP streams detected by Wireshark.

Regards,

Marcelo H. Terres
IM: mhter...@jabber.mundoopensource.com.br
https://www.mundoopensource.com.br
https://twitter.com/mhterres
https://linkedin.com/in/marceloterres

On 14 August 2017 at 17:52, Dovid Bender wrote:
> Marcelo,
>
> You need to look at the box changing the SSRC and figure out why it's changing it. Where are you seeing the multiple rows, in MySQL or Wireshark?
>
> On Mon, Aug 14, 2017 at 11:24 AM, Marcelo Terres wrote:
>> Hello.
>>
>> Is someone here using VoIPmonitor?
>>
>> I am using just the sniffer and I found some pcap files that contain some odd streams.
>>
>> For example, I have a file with 3 streams, but the weird stuff is that 2 streams are the same (e.g., have the same source address and port and same destination address and port).
>>
>> Example:
>>
>> "Source Address","Source Port","Destination Address","Destination Port","SSRC","Payload","Packets","Lost","Max Delta (ms)","Max Jitter","Mean Jitter","Status"
>> "6X.XXX.XXX.XXX",34170,"1XX.XXX.XXX.XXX",10602,277011456,"g711A",7289,0,21.3036449,21.265543809819981,0.073286945955809715,""
>> "1XX.XXX.XXX.XXX",10602,"6X.XXX.XXX.XXX",34170,2020146713,"g711A",2099,0,36.2968661,2.9025967411766738,0.97877393850963945,""
>> "1XX.XXX.XXX.XXX",10602,"6X.XXX.XXX.XXX",34170,325951803,"g711A",4949,0,41.8790815,4.5846492231155924,1.0537488536922062,""
>>
>> The only thing that I could notice is that the first packet that had the new SSRC (325951803) has the marker bit on, but I could not find a reason for the SSRC change.
>>
>> Any ideas of what could be causing that?
>>
>> Thanks.
>>
>> Regards,
>>
>> Marcelo H. Terres
>> IM: mhter...@jabber.mundoopensource.com.br
>> https://www.mundoopensource.com.br
>> https://twitter.com/mhterres
>> https://linkedin.com/in/marceloterres