Re: [asterisk-users] Detecting DoS attacks via SIP

2017-08-15 Thread Patrick Laimbock

Hi Mike,

On 15-08-17 21:37, mdiehl wrote:

Hi all,

Lately, I've seen an increase in the number of attacks against my system from the 
so-called "Friendly Scanner."  When one of these script kiddies targets my 
server, all I see for symptoms is a few of my trunks become lagged due to server load and 
a stream of messages on the console that resemble this:

[snip]

I have to turn on sip debugging to find out who's hitting me.  However, I can't 
just leave it on because it would kill my logging system.

So, how are other people handling this?  Is there an AMI event I want to watch 
for?  I watch for PeerStatus, but since there's no actual peer in the attack, I 
don't seem to get an event from AMI.

Any ideas?


You can block sipvicious/friendly scanner in iptables with something like:

-A INPUT -p udp --dport 5060 -m string --string "friendly-scanner" 
--algo bm -j DROP


You can also look at xtables with geoip to drop countries (per 
destination port) that should not connect to your Asterisk box. It's a 
big hammer but it works really well.


Or put a proxy like Kamailio or OpenSIPS in front of the Asterisk box. 
That's what the telcos/service providers do.


HTH,
Patrick

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
 https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] Detecting DoS attacks via SIP

2017-08-15 Thread Mark Boyce
Hi Mike

In this case, if it’s coming from friendly scanner why not drop the packets at 
the firewall layer so that Asterisk never sees them?

Mark

> On 15 Aug 2017, at 20:37, mdiehl  wrote:
> 
> Hi all,
> 
> Lately, I've seen an increase in the number of attacks against my system from 
> the so-called "Friendly Scanner."  When one of these script kiddies targets 
> my server, all I see for symptoms is a few of my trunks become lagged due to 
> server load and a stream of messages on the console that resemble this:
> 
> [Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
> [Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
> [Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
> [Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
> [Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6
> 
> 
> I have to turn on sip debugging to find out who's hitting me.  However, I 
> can't just leave it on because it would kill my logging system.
> 
> So, how are other people handling this?  Is there an AMI event I want to watch 
> for?  I watch for PeerStatus, but since there's no actual peer in the attack, 
> I don't seem to get an event from AMI.
> 
> Any ideas?
> 
> Mike Diehl.
> 



Re: [asterisk-users] Detecting DoS attacks via SIP

2017-08-15 Thread Richard Mudgett
On Tue, Aug 15, 2017 at 2:37 PM, mdiehl  wrote:

> Hi all,
>
> Lately, I've seen an increase in the number of attacks against my system
> from the so-called "Friendly Scanner."  When one of these script kiddies
> targets my server, all I see for symptoms is a few of my trunks become
> lagged due to server load and a stream of messages on the console that
> resemble this:
>
> [Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
> [Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
> [Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
> [Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
> [Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6
>
>
> I have to turn on sip debugging to find out who's hitting me.  However, I
> can't just leave it on because it would kill my logging system.
>
> So, how are other people handling this?  Is there an AMI event I want to
> watch for?  I watch for PeerStatus, but since there's no actual peer in the
> attack, I don't seem to get an event from AMI.
>
> Any ideas?
>

There is an AMI security class that you can use to monitor the AMI security
events.
See manager.conf.sample

Richard
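Richard's pointer is the piece Mike is missing: the security-class events carry the remote address of the sender even when no peer matched, so a consumer can aggregate them per source. The script below is an added example written for this thread, not code from the thread's authors or from the Asterisk project. It assumes the usual AMI wire format (CRLF-separated "Key: Value" lines, a blank line between events), a RemoteAddress of the form IPV4/UDP/host/port, and an ISO-style EventTV with microseconds and a numeric UTC offset; the event names in SECURITY_EVENTS are the ones raised by Asterisk's security events framework, and the sample events are constructed.

```python
"""Aggregate Asterisk AMI security-class events by remote address.

Added example, not code from the list thread or from the Asterisk project.
Assumptions: events arrive as CRLF-separated "Key: Value" lines with a blank
line between events; RemoteAddress has the form IPV4/UDP/host/port; EventTV is
an ISO-style timestamp with microseconds and a numeric UTC offset. The sample
events below are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Security-framework event names that a scanner produces in bulk: requests
# that fail ACLs, name unknown accounts, or fail the digest challenge.
SECURITY_EVENTS = {
    "FailedACL", "InvalidAccountID", "ChallengeResponseFailed",
    "InvalidPassword", "RequestBadFormat",
}


def parse_ami_stream(raw):
    """Yield one dict per AMI event from a text blob read off the socket."""
    for chunk in raw.replace("\r\n", "\n").split("\n\n"):
        fields = {}
        for line in chunk.splitlines():
            if ": " in line:
                key, value = line.split(": ", 1)
                fields[key] = value
        if fields:
            yield fields


def remote_host(event):
    """'IPV4/UDP/203.0.113.9/5060' -> '203.0.113.9' (None if malformed)."""
    parts = event.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) == 4 else None


def parse_event_tv(tv):
    """Assumed EventTV layout, e.g. 2017-08-15T20:27:50.000000-0500."""
    try:
        return datetime.strptime(tv, "%Y-%m-%dT%H:%M:%S.%f%z")
    except ValueError:
        return None


def event_breakdown(raw):
    """Counter of (remote host, event name) over security-class events only."""
    return Counter(
        (remote_host(ev), ev["Event"])
        for ev in parse_ami_stream(raw)
        if ev.get("Event") in SECURITY_EVENTS
    )


def find_offenders(raw, threshold=5, window=timedelta(seconds=60)):
    """Return {host: total events} for hosts that produced `threshold` or more
    security events inside any `window`-long interval (sliding window)."""
    per_host = defaultdict(list)
    for ev in parse_ami_stream(raw):
        if ev.get("Event") not in SECURITY_EVENTS:
            continue
        host, when = remote_host(ev), parse_event_tv(ev.get("EventTV", ""))
        if host and when:
            per_host[host].append(when)
    offenders = {}
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                offenders[host] = len(times)
                break
    return offenders


def make_event(name, host, tv, account="100"):
    """Build one constructed security event in the assumed wire format."""
    return "\r\n".join([
        f"Event: {name}",
        "Privilege: security,all",
        f"EventTV: {tv}",
        "Severity: Error",
        "Service: SIP",
        "EventVersion: 1",
        f"AccountID: {account}",
        "SessionID: 0x7f3a",
        "LocalAddress: IPV4/UDP/192.0.2.10/5060",
        f"RemoteAddress: IPV4/UDP/{host}/5060",
    ]) + "\r\n\r\n"


# Constructed capture: six rapid failures from one host (scanner-like), one
# stray failure from another host (a user's typo), and a non-security event.
SAMPLE_AMI = "".join(
    [make_event("FailedACL", "203.0.113.9",
                f"2017-08-15T20:27:{50 + i:02d}.000000-0500", account="admin")
     for i in range(6)]
    + [make_event("InvalidPassword", "198.51.100.4",
                  "2017-08-15T20:30:00.000000-0500")]
    + ["Event: PeerStatus\r\nPrivilege: system,all\r\n"
       "PeerStatus: Registered\r\nPeer: SIP/100\r\n\r\n"]
)

if __name__ == "__main__":
    for host, total in find_offenders(SAMPLE_AMI).items():
        print(f"{host}: {total} security events in window, flagged")
    for (host, name), n in event_breakdown(SAMPLE_AMI).most_common():
        print(f"  {host} {name} x{n}")
```

To run it against a live box, log in over AMI with a user whose read permission includes the security class that manager.conf.sample describes and feed the socket text to `find_offenders`; the flagged hosts are what you would hand to a firewall rule such as Patrick's instead of turning on sip debug, and the PeerStatus event shows why Mike's current watch never fires for these requests.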

[asterisk-users] Detecting DoS attacks via SIP

2017-08-15 Thread mdiehl
Hi all,

Lately, I've seen an increase in the number of attacks against my system from 
the so-called "Friendly Scanner."  When one of these script kiddies targets my 
server, all I see for symptoms is a few of my trunks become lagged due to 
server load and a stream of messages on the console that resemble this:

[Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
[Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
[Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
[Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
[Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
[Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
[Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
[Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
[Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6


I have to turn on sip debugging to find out who's hitting me.  However, I can't 
just leave it on because it would kill my logging system.

So, how are other people handling this?  Is there an AMI event I want to watch 
for?  I watch for PeerStatus, but since there's no actual peer in the attack, I 
don't seem to get an event from AMI.

Any ideas?

Mike Diehl.



Re: [asterisk-users] VoIP monitor and multiple RTP streams

2017-08-15 Thread Dovid Bender
Must be something in Asterisk. I have seen it in the past and was never
able to figure it out.

On Tue, Aug 15, 2017 at 4:18 AM, Marcelo Terres  wrote:

> Hello Dovid.
>
> I tried to figure it out, but to be honest I could not find a reason for
> the change.
>
> The lines that I sent are the RTP streams detected by Wireshark.
>
> Regards,
>
> Marcelo H. Terres 
> IM: mhter...@jabber.mundoopensource.com.br
> https://www.mundoopensource.com.br
> https://twitter.com/mhterres
> https://linkedin.com/in/marceloterres
>
> On 14 August 2017 at 17:52, Dovid Bender  wrote:
>
>> Marcelo,
>>
>> You need to look at the box changing the SSRC and figure out why it's
>> changing it. Where are you seeing the multiple rows in MySQL or wireshark?
>>
>>
>> On Mon, Aug 14, 2017 at 11:24 AM, Marcelo Terres 
>> wrote:
>>
>>> Hello.
>>>
>>> Is someone here using VoIPmonitor?
>>>
>>> I am using just the sniffer and I found some pcap files that
>>> contain some odd streams.
>>>
>>> For example, I have a file with 3 streams, but the weird stuff is that 2
>>> streams are the same (e.g., have the same source address and port and same
>>> destination address and port).
>>>
>>> Example:
>>>
>>> "Source Address","Source Port","Destination Address","Destination Port","SSRC","Payload","Packets","Lost","Max Delta (ms)","Max Jitter","Mean Jitter","Status"
>>> "6X.XXX.XXX.XXX",34170,"1XX.XXX.XXX.XXX",10602,277011456,"g711A",7289,0,21.3036449,21.265543809819981,0.073286945955809715,""
>>> "1XX.XXX.XXX.XXX",10602,"6X.XXX.XXX.XXX",34170,2020146713,"g711A",2099,0,36.2968661,2.9025967411766738,0.97877393850963945,""
>>> "1XX.XXX.XXX.XXX",10602,"6X.XXX.XXX.XXX",34170,325951803,"g711A",4949,0,41.8790815,4.5846492231155924,1.0537488536922062,""
>>>
>>> The only thing that I could notice is that the first packet that had the
>>> new SSRC (325951803) has the marker bit on, but I could not find a reason
>>> for the SSRC change.
>>>
>>> Any ideas of what could be causing that?
>>>
>>> Thanks.
>>>
>>> Regards,
>>>
>>> Marcelo H. Terres 
>>> IM: mhter...@jabber.mundoopensource.com.br
>>> https://www.mundoopensource.com.br
>>> https://twitter.com/mhterres
>>> https://linkedin.com/in/marceloterres
>>>
>>>
>>
>>
>>
>
>
>

Re: [asterisk-users] VoIP monitor and multiple RTP streams

2017-08-15 Thread Marcelo Terres
Hello Dovid.

I tried to figure it out, but to be honest I could not find a reason for
the change.

The lines that I sent are the RTP streams detected by Wireshark.

Regards,

Marcelo H. Terres 
IM: mhter...@jabber.mundoopensource.com.br
https://www.mundoopensource.com.br
https://twitter.com/mhterres
https://linkedin.com/in/marceloterres

On 14 August 2017 at 17:52, Dovid Bender  wrote:

> Marcelo,
>
> You need to look at the box changing the SSRC and figure out why it's
> changing it. Where are you seeing the multiple rows in MySQL or wireshark?
>
>
> On Mon, Aug 14, 2017 at 11:24 AM, Marcelo Terres 
> wrote:
>
>> Hello.
>>
>> Is someone here using VoIPmonitor?
>>
>> I am using just the sniffer and I found some pcap files that contain some
>> odd streams.
>>
>> For example, I have a file with 3 streams, but the weird stuff is that 2
>> streams are the same (e.g., have the same source address and port and same
>> destination address and port).
>>
>> Example:
>>
>> "Source Address","Source Port","Destination Address","Destination Port","SSRC","Payload","Packets","Lost","Max Delta (ms)","Max Jitter","Mean Jitter","Status"
>> "6X.XXX.XXX.XXX",34170,"1XX.XXX.XXX.XXX",10602,277011456,"g711A",7289,0,21.3036449,21.265543809819981,0.073286945955809715,""
>> "1XX.XXX.XXX.XXX",10602,"6X.XXX.XXX.XXX",34170,2020146713,"g711A",2099,0,36.2968661,2.9025967411766738,0.97877393850963945,""
>> "1XX.XXX.XXX.XXX",10602,"6X.XXX.XXX.XXX",34170,325951803,"g711A",4949,0,41.8790815,4.5846492231155924,1.0537488536922062,""
>>
>> The only thing that I could notice is that the first packet that had the
>> new SSRC (325951803) has the marker bit on, but I could not find a reason
>> for the SSRC change.
>>
>> Any ideas of what could be causing that?
>>
>> Thanks.
>>
>> Regards,
>>
>> Marcelo H. Terres 
>> IM: mhter...@jabber.mundoopensource.com.br
>> https://www.mundoopensource.com.br
>> https://twitter.com/mhterres
>> https://linkedin.com/in/marceloterres
>>
>>
>
>
>
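The report Marcelo quotes (three RTP streams on two 5-tuples, one direction switching SSRC with the marker bit set on the first packet of the new SSRC) is what Wireshark's RTP Streams view produces from raw packets. The script below reproduces that grouping and flags the SSRC switch explicitly, so the same check can be run on any capture where a mid-call SSRC change is suspected. It is an added example written for this thread, not code from the thread's authors, from VoIPmonitor or from Asterisk. It assumes plain RTP per RFC 3550 (12-byte fixed header) and takes packets as (src, sport, dst, dport, payload) tuples rather than reading a pcap; the capture is constructed, reusing the SSRC values and ports from the quoted report with documentation addresses in place of the masked ones.

```python
"""Group RTP packets into streams and flag SSRC changes, the way Wireshark's
RTP Streams view does.

Added example, not code from the list thread or from VoIPmonitor/Asterisk.
Assumes plain RTP (RFC 3550, 12-byte fixed header); packets are supplied as
(src, sport, dst, dport, payload) tuples. The capture below is constructed.
"""
import struct
from collections import OrderedDict

PT_PCMA = 8  # static payload type for G.711 A-law ("g711A" in the report)


def parse_rtp_header(data):
    """Decode the 12-byte fixed RTP header; raises ValueError on non-RTP."""
    if len(data) < 12:
        raise ValueError("short packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {
        "padding": bool(b0 & 0x20),
        "extension": bool(b0 & 0x10),
        "cc": b0 & 0x0F,
        "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F,
        "seq": seq,
        "timestamp": ts,
        "ssrc": ssrc,
    }


def build_rtp(seq, ts, ssrc, marker=False, pt=PT_PCMA, payload=b"\xd5" * 160):
    """Build a constructed RTP packet (V=2, no padding/extension/CSRC)."""
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt,
                       seq, ts, ssrc) + payload


def analyse_streams(packets):
    """Return (streams, changes).

    streams: {(src, sport, dst, dport, ssrc): packet count}, one entry per
             Wireshark RTP stream, so a 5-tuple with two SSRCs appears twice.
    changes: one record per SSRC switch on a (src, sport, dst, dport)
             direction, noting whether the first packet of the new SSRC had
             the marker bit set (a sender that restarts a stream sets it).
    """
    streams = OrderedDict()
    last_ssrc = {}
    changes = []
    for src, sport, dst, dport, data in packets:
        hdr = parse_rtp_header(data)
        key = (src, sport, dst, dport, hdr["ssrc"])
        streams[key] = streams.get(key, 0) + 1
        direction = key[:4]
        prev = last_ssrc.get(direction)
        if prev is not None and prev != hdr["ssrc"]:
            changes.append({
                "direction": direction, "old_ssrc": prev,
                "new_ssrc": hdr["ssrc"], "marker": hdr["marker"],
                "seq": hdr["seq"], "timestamp": hdr["timestamp"],
            })
        last_ssrc[direction] = hdr["ssrc"]
    return streams, changes


# Constructed capture. A (the "6X" host) keeps one SSRC throughout; B (the
# "1XX" host) sends three packets with one SSRC, then switches SSRC with the
# marker bit set on the first packet of the new stream, as in the report.
A = ("192.0.2.1", 34170)
B = ("198.51.100.1", 10602)
SAMPLE_CAPTURE = []
for i in range(6):
    SAMPLE_CAPTURE.append((*A, *B, build_rtp(1000 + i, 160 * i, 277011456)))
    if i < 3:
        SAMPLE_CAPTURE.append((*B, *A, build_rtp(500 + i, 160 * i, 2020146713)))
    else:
        SAMPLE_CAPTURE.append((*B, *A, build_rtp(i - 3, 8000 + 160 * (i - 3),
                                                 325951803, marker=(i == 3))))

if __name__ == "__main__":
    streams, changes = analyse_streams(SAMPLE_CAPTURE)
    for (src, sport, dst, dport, ssrc), n in streams.items():
        print(f"{src}:{sport} -> {dst}:{dport} SSRC {ssrc} packets={n}")
    for c in changes:
        print(f"SSRC change {c['old_ssrc']} -> {c['new_ssrc']} on "
              f"{c['direction']} marker={c['marker']} seq={c['seq']}")
```

The `changes` list is the part a Wireshark table does not give you directly: it pins the switch to a direction, a sequence number and an RTP timestamp, which is what you need when following Dovid's advice to find the box that changed the SSRC. With a real capture, replace SAMPLE_CAPTURE with the UDP payloads and addresses pulled from the pcap.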