Re: [asterisk-users] Detecting DoS attacks via SIP

2017-08-21 Thread Telium Technical Support
If this is a home system, try the free edition of SecAst (www.telium.ca/?secast).  
It uses the AMI for detecting simple failed events, but can do more than 
fail2ban.  More importantly it can block at the network edge by talking to your 
firewall (don’t let the script kiddies onto your LAN).

If you decide to try geofencing using just IP rules, then you will really slow 
your system (as the number of rules and exceptions is massive in order to be 
useful).  There are some open source IP-to-location services (SaaS) which are 
free if it’s not for commercial use.

-Raj-

All opinions expressed on the boards/chat groups are my own.  As an employee of 
Telium my views may appear seriously biased – but I hope there’s some helpful 
info in there for you :)

From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Mike Diehl
Sent: Saturday, August 19, 2017 11:54 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion 
<asterisk-users@lists.digium.com>
Subject: Re: [asterisk-users] Detecting DoS attacks via SIP

I appreciate the discussion on the question I asked.

I currently listen for failed registration attempts via AMI and automatically 
block the offending IP address at the firewall.  I was hoping to find another 
AMI event that would be the magic bullet I need, but it doesn't sound like 
that's going to happen.

I understand that fail2ban is probably not what I want and probably wouldn't 
detect the attacks I'm seeing.

It turns out that not all of the attacks are from the "friendly scanner," but 
enough of them are that it's a good start.

So, I really like the idea of the IP geo location firewall rules coupled with 
the "friendly scanner" filter, as provided by a few of you guys.  It was 
mentioned that this is a broad hammer, but I'm kinda looking for a broad 
hammer! ;^)

Looks like I need to do some research, but I think I have what I need.

Thanks again,

Mike Diehl.

On Sat, Aug 19, 2017 at 4:36 PM, Telium Technical Support <supp...@telium.ca> wrote:

I think you missed the point of the Digium post.  Fail2ban can ONLY ban IPs if 
Asterisk records a failure to register.  Asterisk does not detect malformed SIP 
packets, buffer overflow attacks, suspicious dialing patterns, connection 
attempts outside geofenced areas, use of stolen credentials (rapid ramp of 
calls using one set of credentials), etc.

Asterisk only gives you a rudimentary “failed” message for a failure to 
register / wrong credentials.  And of course fail2ban only responds to Asterisk 
log messages, so it does little more than ban the annoying script kiddies.

Have a good look at that Voip-Info page and read what actual SIP security 
systems do.  Then compare that to fail2ban and it’s a night & day difference.  
People still think fail2ban is a security system, and Digium is very clear that 
it is NOT.

From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Kseniya Blashchuk
Sent: Thursday, August 17, 2017 12:41 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion 
<asterisk-users@lists.digium.com>
Subject: Re: [asterisk-users] Detecting DoS attacks via SIP

Well, correct me if I'm wrong, but I would say this conversation you have 
posted is a bit outdated, now fail2ban can be used with asterisk security log 
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger.

On Thu, Aug 17, 2017, 4:53 AM Telium Technical Support <supp...@telium.ca> wrote:

Keep in mind that the attacks you are seeing in the log are ONLY the ones
that Asterisk is detecting and rejecting.  All other attacks aren't even
showing up!

There's a good discussion of how to secure your PBX here:
https://www.voip-info.org/wiki/view/asterisk+security

In general, don't let the malevolent traffic get as far as the PBX (block at
the firewall).  Also, Digium regularly warns users that fail2ban is NOT a
security system: http://forums.asterisk.org/viewtopic.php?p=159984

-Original Message-
From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of mdiehl
Sent: Tuesday, August 15, 2017 3:38 PM
To: asterisk-users@lists.digium.com
Subject: [asterisk-users] Detecting DoS attacks via SIP

Hi all,

Lately, I've seen an increase in the number of attacks against my system
from the so-called "Friendly Scanner."  When one of these script kiddies
targets my server, all I

Re: [asterisk-users] Detecting DoS attacks via SIP

2017-08-19 Thread Mike Diehl
I appreciate the discussion on the question I asked.

I currently listen for failed registration attempts via AMI and
automatically block the offending IP address at the firewall.  I was hoping
to find another AMI event that would be the magic bullet I need, but it
doesn't sound like that's going to happen.

I understand that fail2ban is probably not what I want and probably
wouldn't detect the attacks I'm seeing.

It turns out that not all of the attacks are from the "friendly scanner,"
but enough of them are that it's a good start.

So, I really like the idea of the IP geo location firewall rules coupled
with the "friendly scanner" filter, as provided by a few of you guys.  It
was mentioned that this is a broad hammer, but I'm kinda looking for a
broad hammer! ;^)

Looks like I need to do some research, but I think I have what I need.

Thanks again,

Mike Diehl.

On Sat, Aug 19, 2017 at 4:36 PM, Telium Technical Support <supp...@telium.ca
> wrote:

> I think you missed the point of the Digium post.  Fail2ban can ONLY ban
> IPs if Asterisk records a failure to register.  Asterisk does not detect
> malformed SIP packets, buffer overflow attacks, suspicious dialing
> patterns, connection attempts outside geofenced areas, use of stolen
> credentials (rapid ramp of calls using one set of credentials), etc.
>
>
>
> Asterisk only gives you a rudimentary “failed” message for a failure to
> register / wrong credentials.  And of course fail2ban only responds to
> Asterisk log messages, so it does little more than ban the annoying script
> kiddies.
>
>
>
> Have a good look at that Voip-Info page and read what actual SIP security
> systems do.  Then compare that to fail2ban and it’s a night & day
> difference.  People still think fail2ban is a security system, and Digium
> is very clear that it is NOT.
>
>
>
>
>
> *From:* asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-
> boun...@lists.digium.com] *On Behalf Of *Kseniya Blashchuk
> *Sent:* Thursday, August 17, 2017 12:41 AM
> *To:* Asterisk Users Mailing List - Non-Commercial Discussion <
> asterisk-users@lists.digium.com>
> *Subject:* Re: [asterisk-users] Detecting DoS attacks via SIP
>
>
>
> Well, correct me if I'm wrong, but I would say this conversation you have
> posted is a bit outdated, now fail2ban can be used with asterisk security
> log https://wiki.asterisk.org/wiki/display/AST/Asterisk+
> Security+Event+Logger.
>
>
>
> On Thu, Aug 17, 2017, 4:53 AM Telium Technical Support <supp...@telium.ca>
> wrote:
>
> Keep in mind that the attacks you are seeing in the log are ONLY the ones
> that Asterisk is detecting and rejecting.  All other attacks aren't even
> showing up!
>
> There's a good discussion of how to secure your PBX here:
> https://www.voip-info.org/wiki/view/asterisk+security
>
> In general, don't let the malevolent traffic get as far as the PBX (block
> at
> the firewall).  Also, Digium regularly warns users that fail2ban is NOT a
> security system: http://forums.asterisk.org/viewtopic.php?p=159984
>
> -Original Message-
> From: asterisk-users-boun...@lists.digium.com
> [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of mdiehl
> Sent: Tuesday, August 15, 2017 3:38 PM
> To: asterisk-users@lists.digium.com
> Subject: [asterisk-users] Detecting DoS attacks via SIP
>
> Hi all,
>
> Lately, I've seen an increase in the number of attacks against my system
> from the so-called "Friendly Scanner."  When one of these script kiddies
> targets my server, all I see for symptoms is a few of my trunks become
> lagged due to server load and a stream of messages on the console that
> resemble this:
>
> [Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
> [Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
> [Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
> [Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
> [Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6
>
>
> I have to turn on sip debugging to find out who's hitting me.  However, I
> can't just leave it on because it would kill my logging system.
>
> So, how are other people handling this?  Is there an AMI event I want to
> watch for?  I watch for PeerStatus, but since there's no actual peer in the
> attack, I don't seem to get an event from AMI.
>
> Any ideas?
>
> Mike Diehl.
>

Re: [asterisk-users] Detecting DoS attacks via SIP

2017-08-19 Thread Telium Technical Support
I think you missed the point of the Digium post.  Fail2ban can ONLY ban IPs if 
Asterisk records a failure to register.  Asterisk does not detect malformed SIP 
packets, buffer overflow attacks, suspicious dialing patterns, connection 
attempts outside geofenced areas, use of stolen credentials (rapid ramp of 
calls using one set of credentials), etc.

Asterisk only gives you a rudimentary “failed” message for a failure to 
register / wrong credentials.  And of course fail2ban only responds to Asterisk 
log messages, so it does little more than ban the annoying script kiddies.

Have a good look at that Voip-Info page and read what actual SIP security 
systems do.  Then compare that to fail2ban and it’s a night & day difference.  
People still think fail2ban is a security system, and Digium is very clear that 
it is NOT.

From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Kseniya Blashchuk
Sent: Thursday, August 17, 2017 12:41 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion 
<asterisk-users@lists.digium.com>
Subject: Re: [asterisk-users] Detecting DoS attacks via SIP

Well, correct me if I'm wrong, but I would say this conversation you have 
posted is a bit outdated, now fail2ban can be used with asterisk security log 
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger.

On Thu, Aug 17, 2017, 4:53 AM Telium Technical Support <supp...@telium.ca> wrote:

Keep in mind that the attacks you are seeing in the log are ONLY the ones
that Asterisk is detecting and rejecting.  All other attacks aren't even
showing up!

There's a good discussion of how to secure your PBX here:
https://www.voip-info.org/wiki/view/asterisk+security

In general, don't let the malevolent traffic get as far as the PBX (block at
the firewall).  Also, Digium regularly warns users that fail2ban is NOT a
security system: http://forums.asterisk.org/viewtopic.php?p=159984

-Original Message-
From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of mdiehl
Sent: Tuesday, August 15, 2017 3:38 PM
To: asterisk-users@lists.digium.com
Subject: [asterisk-users] Detecting DoS attacks via SIP

Hi all,

Lately, I've seen an increase in the number of attacks against my system
from the so-called "Friendly Scanner."  When one of these script kiddies
targets my server, all I see for symptoms is a few of my trunks become
lagged due to server load and a stream of messages on the console that
resemble this:

[Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
[Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
[Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
[Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
[Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
[Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
[Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
[Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
[Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6


I have to turn on sip debugging to find out who's hitting me.  However, I
can't just leave it on because it would kill my logging system.

So, how are other people handling this?  Is there an AMI event I want to watch
for?  I watch for PeerStatus, but since there's no actual peer in the
attack, I don't seem to get an event from AMI.

Any ideas?

Mike Diehl.

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at:
https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users



Re: [asterisk-users] Detecting DoS attacks via SIP

2017-08-17 Thread tirveni yadav
I shall recommend fail2ban. We have been using fail2ban successfully for
our Asterisk servers (Debian).

Help on using fail2ban with Asterisk server:
https://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk


On Thu, Aug 17, 2017 at 10:10 AM, Kseniya Blashchuk <ksybl...@gmail.com>
wrote:
> Well, correct me if I'm wrong, but I would say this conversation you have
> posted is a bit outdated, now fail2ban can be used with asterisk security
> log
> https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger.
>
>
> On Thu, Aug 17, 2017, 4:53 AM Telium Technical Support <supp...@telium.ca>
> wrote:
>>
>> Keep in mind that the attacks you are seeing in the log are ONLY the ones
>> that Asterisk is detecting and rejecting.  All other attacks aren't even
>> showing up!
>>
>> There's a good discussion of how to secure your PBX here:
>> https://www.voip-info.org/wiki/view/asterisk+security
>>
>> In general, don't let the malevolent traffic get as far as the PBX (block
>> at
>> the firewall).  Also, Digium regularly warns users that fail2ban is NOT a
>> security system: http://forums.asterisk.org/viewtopic.php?p=159984
>>
>> -Original Message-
>> From: asterisk-users-boun...@lists.digium.com
>> [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of mdiehl
>> Sent: Tuesday, August 15, 2017 3:38 PM
>> To: asterisk-users@lists.digium.com
>> Subject: [asterisk-users] Detecting DoS attacks via SIP
>>
>> Hi all,
>>
>> Lately, I've seen an increase in the number of attacks against my system
>> from the so-called "Friendly Scanner."  When one of these script kiddies
>> targets my server, all I see for symptoms is a few of my trunks become
>> lagged due to server load and a stream of messages on the console that
>> resemble this:
>>
>> [Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
>> [Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
>> [Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
>> [Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
>> [Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
>> [Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
>> [Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
>> [Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
>> [Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6
>>
>>
>> I have to turn on sip debugging to find out who's hitting me.  However, I
>> can't just leave it on because it would kill my logging system.
>>
>> So, how are other people handling this?  Is there an AMI event I want to
>> watch for?  I watch for PeerStatus, but since there's no actual peer in the
>> attack, I don't seem to get an event from AMI.
>>
>> Any ideas?
>>
>> Mike Diehl.
>>



-- 
Regards,

Tirveni Yadav

www.bael.io

What is this Universe ? From what it arises ? Into what does it go?
In freedom it arises, In freedom it rests and into freedom it melts away.
Upanishads.

Re: [asterisk-users] Detecting DoS attacks via SIP

2017-08-16 Thread Kseniya Blashchuk
Well, correct me if I'm wrong, but I would say this conversation you have
posted is a bit outdated, now fail2ban can be used with asterisk security
log
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger.

On Thu, Aug 17, 2017, 4:53 AM Telium Technical Support <supp...@telium.ca>
wrote:

> Keep in mind that the attacks you are seeing in the log are ONLY the ones
> that Asterisk is detecting and rejecting.  All other attacks aren't even
> showing up!
>
> There's a good discussion of how to secure your PBX here:
> https://www.voip-info.org/wiki/view/asterisk+security
>
> In general, don't let the malevolent traffic get as far as the PBX (block
> at
> the firewall).  Also, Digium regularly warns users that fail2ban is NOT a
> security system: http://forums.asterisk.org/viewtopic.php?p=159984
>
> -Original Message-
> From: asterisk-users-boun...@lists.digium.com
> [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of mdiehl
> Sent: Tuesday, August 15, 2017 3:38 PM
> To: asterisk-users@lists.digium.com
> Subject: [asterisk-users] Detecting DoS attacks via SIP
>
> Hi all,
>
> Lately, I've seen an increase in the number of attacks against my system
> from the so-called "Friendly Scanner."  When one of these script kiddies
> targets my server, all I see for symptoms is a few of my trunks become
> lagged due to server load and a stream of messages on the console that
> resemble this:
>
> [Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
> [Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
> [Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
> [Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
> [Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6
>
>
> I have to turn on sip debugging to find out who's hitting me.  However, I
> can't just leave it on because it would kill my logging system.
>
> So, how are other people handling this?  Is there an AMI event I want to watch
> for?  I watch for PeerStatus, but since there's no actual peer in the
> attack, I don't seem to get an event from AMI.
>
> Any ideas?
>
> Mike Diehl.
>

Re: [asterisk-users] Detecting DoS attacks via SIP

2017-08-16 Thread Telium Technical Support
Keep in mind that the attacks you are seeing in the log are ONLY the ones
that Asterisk is detecting and rejecting.  All other attacks aren't even
showing up!

There's a good discussion of how to secure your PBX here:
https://www.voip-info.org/wiki/view/asterisk+security

In general, don't let the malevolent traffic get as far as the PBX (block at
the firewall).  Also, Digium regularly warns users that fail2ban is NOT a
security system: http://forums.asterisk.org/viewtopic.php?p=159984

-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of mdiehl
Sent: Tuesday, August 15, 2017 3:38 PM
To: asterisk-users@lists.digium.com
Subject: [asterisk-users] Detecting DoS attacks via SIP

Hi all,

Lately, I've seen an increase in the number of attacks against my system
from the so-called "Friendly Scanner."  When one of these script kiddies
targets my server, all I see for symptoms is a few of my trunks become
lagged due to server load and a stream of messages on the console that
resemble this:

[Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
[Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
[Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
[Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
[Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
[Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
[Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
[Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
[Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6


I have to turn on sip debugging to find out who's hitting me.  However, I
can't just leave it on because it would kill my logging system.

So, how are other people handling this?  Is there an AMI event I want to watch
for?  I watch for PeerStatus, but since there's no actual peer in the
attack, I don't seem to get an event from AMI.

Any ideas?

Mike Diehl.



Re: [asterisk-users] Detecting DoS attacks via SIP

2017-08-16 Thread Kseniya Blashchuk
Hi!
You can also consider using fail2ban but it's more suitable to block
brute-force attempts.

On Tue, Aug 15, 2017, 11:56 PM Patrick Laimbock 
wrote:

> Hi Mike,
>
> On 15-08-17 21:37, mdiehl wrote:
> > Hi all,
> >
> > Lately, I've seen an increase in the number of attacks against my system
> from the so-called "Friendly Scanner."  When one of these script kiddies
> targets my server, all I see for symptoms is a few of my trunks become
> lagged due to server load and a stream of messages on the console that
> resemble this:
> [snip]
> > I have to turn on sip debugging to find out who's hitting me.  However,
> I can't just leave it on because it would kill my logging system.
> >
> > So, how are other people handling this?  Is there an AMI event I want to
> watch for?  I watch for PeerStatus, but since there's no actual peer in the
> attack, I don't seem to get an event from AMI.
> >
> > Any ideas?
>
> You can block sipvicious/friendly scanner in iptables with something like:
>
> -A INPUT -p udp --dport 5060 -m string --string "friendly-scanner"
> --algo bm -j DROP
>
> You can also look at xtables with geoip to drop countries (per
> destination port) that should not connect to your Asterisk box. It's a
> big hammer but it works really well.
>
> Or put a proxy like Kamailio or OpenSIPS in front of the Asterisk box.
> That's what the telco's/service providers do.
>
> HTH,
> Patrick
>

Re: [asterisk-users] Detecting DoS attacks via SIP

2017-08-15 Thread Patrick Laimbock

Hi Mike,

On 15-08-17 21:37, mdiehl wrote:

Hi all,

Lately, I've seen an increase in the number of attacks against my system from the 
so-called "Friendly Scanner."  When one of these script kiddies targets my 
server, all I see for symptoms is a few of my trunks become lagged due to server load and 
a stream of messages on the console that resemble this:

[snip]

I have to turn on sip debugging to find out who's hitting me.  However, I can't 
just leave it on because it would kill my logging system.

So, how are other people handling this?  Is there an AMI event I want to watch 
for?  I watch for PeerStatus, but since there's no actual peer in the attack, I 
don't seem to get an event from AMI.

Any ideas?


You can block sipvicious/friendly scanner in iptables with something like:

-A INPUT -p udp --dport 5060 -m string --string "friendly-scanner" 
--algo bm -j DROP


You can also look at xtables with geoip to drop countries (per 
destination port) that should not connect to your Asterisk box. It's a 
big hammer but it works really well.


Or put a proxy like Kamailio or OpenSIPS in front of the Asterisk box. 
That's what the telco's/service providers do.


HTH,
Patrick

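As an added example (not code from Patrick's mail, from SIPVicious or from any project), the Python below does over a raw SIP/UDP payload exactly what that iptables string match does, puts a header-aware check next to it, and shows where the two part ways. The three sample requests are constructed: one shaped like a stock SIPVicious svmap probe, the same probe with its User-Agent renamed and its From header in compact form, and an ordinary phone registration. Only the strings "friendly-scanner" and "sipvicious" come from the thread; every address, tag and Call-ID is made up.

```python
"""Added example, not code from the thread or from any project: what the
iptables string match does over a raw SIP/UDP payload, next to a header-aware
check, and where the two disagree.  All sample requests are constructed."""
import re

# Stock SIPVicious markers: User-Agent "friendly-scanner" and a From/To display
# name of "sipvicious".  Both are one config change away for whoever runs it.
SCANNER_UA = (b"friendly-scanner", b"sipvicious")
SCANNER_FROM = (b"sipvicious",)

# RFC 3261 header names are case-insensitive and may use compact forms; a
# scanner that writes "f:" instead of "From:" still parses as a From header.
COMPACT = {b"f": b"from", b"t": b"to", b"v": b"via", b"i": b"call-id",
           b"m": b"contact", b"l": b"content-length"}
HEADER_RE = re.compile(rb"^([A-Za-z0-9!#$%&'*+.^_|~-]+):[ \t]*(.*?)[ \t]*$")


def iptables_string_match(payload, needle=b"friendly-scanner"):
    """Equivalent of '-m string --string "friendly-scanner" --algo bm': a
    case-sensitive substring search over the whole datagram, nothing more."""
    return needle in payload


def parse_sip_request(payload):
    """Split a SIP request into (request line, {lower-case header: value}).
    Folded continuation lines are joined to the previous header; the first
    occurrence of a repeated header wins."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and last is not None:
            headers[last] += b" " + line.strip()      # folded continuation
            continue
        m = HEADER_RE.match(line)
        if not m:
            continue                                   # junk line, skip it
        name = m.group(1).lower()
        last = COMPACT.get(name, name)
        headers.setdefault(last, m.group(2))
    return lines[0], headers


def classify(payload):
    """'scanner' when User-Agent or From carries a SIPVicious marker, matched
    case-insensitively after header normalisation; 'clean' otherwise."""
    _request_line, h = parse_sip_request(payload)
    ua = h.get(b"user-agent", b"").lower()
    frm = h.get(b"from", b"").lower()
    if any(s in ua for s in SCANNER_UA) or any(s in frm for s in SCANNER_FROM):
        return "scanner"
    return "clean"


def sources_to_block(datagrams):
    """(src_ip, payload) pairs -> sorted source IPs whose traffic classifies as scanner."""
    return sorted({ip for ip, payload in datagrams if classify(payload) == "scanner"})


# --- constructed sample traffic (addresses are documentation ranges) -----------
def _sip_request(method, headers, uri=b"sip:100@192.0.2.10"):
    return b"\r\n".join([method + b" " + uri + b" SIP/2.0"] + headers) + b"\r\n\r\n"


# 1. OPTIONS probe shaped like a stock SIPVicious svmap scan.
SVMAP_PROBE = _sip_request(b"OPTIONS", [
    b"Via: SIP/2.0/UDP 203.0.113.5:5061;branch=z9hG4bK-3f1a;rport",
    b"Content-Length: 0",
    b'From: "sipvicious"<sip:100@1.1.1.1>;tag=6f2c',
    b"Accept: application/sdp",
    b"User-Agent: friendly-scanner",
    b'To: "sipvicious"<sip:100@1.1.1.1>',
    b"Contact: sip:100@203.0.113.5:5061",
    b"CSeq: 1 OPTIONS",
    b"Call-ID: 9d3c1b2a@203.0.113.5",
    b"Max-Forwards: 70",
])
# 2. Same tool, User-Agent renamed and From in compact form: the string match
#    for "friendly-scanner" no longer fires, the header check still does.
RENAMED_PROBE = (SVMAP_PROBE
                 .replace(b"User-Agent: friendly-scanner", b"User-Agent: Asterisk PBX")
                 .replace(b"From:", b"f:"))
# 3. An ordinary phone registering (constructed, any real UA string works).
PHONE_REGISTER = _sip_request(b"REGISTER", [
    b"Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK-77ab;rport",
    b"From: <sip:1000@192.0.2.10>;tag=11aa",
    b"To: <sip:1000@192.0.2.10>",
    b"User-Agent: DeskPhone/1.0",
    b"CSeq: 1 REGISTER",
    b"Call-ID: 4e5f6a7b@192.0.2.20",
    b"Content-Length: 0",
], uri=b"sip:192.0.2.10")

if __name__ == "__main__":
    for name, p in (("svmap", SVMAP_PROBE), ("renamed", RENAMED_PROBE), ("phone", PHONE_REGISTER)):
        print(name, "string-match:", iptables_string_match(p), "classify:", classify(p))
```

The point of the second sample is the caveat on the iptables rule: `--algo bm` is a plain case-sensitive substring search, so a scanner with its User-Agent changed walks straight through it while the From display name still gives it away; change both and neither check sees anything, which is where the geoip and proxy suggestions in the same mail take over.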


Re: [asterisk-users] Detecting DoS attacks via SIP

2017-08-15 Thread Mark Boyce
Hi Mike

In this case, if it’s coming from friendly scanner why not drop the packets at 
the firewall layer so that Asterisk never sees them?

Mark

> On 15 Aug 2017, at 20:37, mdiehl  wrote:
> 
> Hi all,
> 
> Lately, I've seen an increase in the number of attacks against my system from 
> the so-called "Friendly Scanner."  When one of these script kiddies targets 
> my server, all I see for symptoms is a few of my trunks become lagged due to 
> server load and a stream of messages on the console that resemble this:
> 
> [Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
> [Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
> [Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
> [Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
> [Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6
> 
> 
> I have to turn on sip debugging to find out who's hitting me.  However, I 
> can't just leave it on because it would kill my logging system.
> 
> So, how are other people handling this?  Is there an AMI event I want to watch 
> for?  I watch for PeerStatus, but since there's no actual peer in the attack, 
> I don't seem to get an event from AMI.
> 
> Any ideas?
> 
> Mike Diehl.
> 

Re: [asterisk-users] Detecting DoS attacks via SIP

2017-08-15 Thread Richard Mudgett
On Tue, Aug 15, 2017 at 2:37 PM, mdiehl  wrote:

> Hi all,
>
> Lately, I've seen an increase in the number of attacks against my system
> from the so-called "Friendly Scanner."  When one of these script kiddies
> targets my server, all I see for symptoms is a few of my trunks become
> lagged due to server load and a stream of messages on the console that
> resemble this:
>
> [Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
> [Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
> [Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
> [Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
> [Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6
>
>
> I have to turn on sip debugging to find out who's hitting me.  However, I
> can't just leave it on because it would kill my logging system.
>
> So, how are other people handling this?  Is there an AMI event I want to
> watch for?  I watch for PeerStatus, but since there's no actual peer in the
> attack, I don't seem to get an event from AMI.
>
> Any ideas?
>

There is an AMI security class that you can use to monitor the AMI security
events.
See manager.conf.sample

Richard
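Richard's pointer to the AMI security class and Kseniya's to the security log channel are two views of the same events, and Mike already bans from AMI on failed registrations. As an added example (not code from the thread, from Asterisk or from fail2ban), here is a Python consumer that parses both forms, applies a fail2ban-style maxretry/findtime rule per source address, and returns the addresses to hand to the firewall. The event names, the IPV4/UDP/ip/port address form and the ISO 8601 EventTV layout are as I understand Asterisk 12 and later emit them (check against your version's manager.conf.sample and the security log); the log-line prefix, the SessionID, all addresses and the AMI credentials are constructed.

```python
"""Added example, not code from the thread, from Asterisk or from fail2ban: turn
the security events Asterisk raises (AMI 'security' class, or the same events on
the security log channel) into firewall ban decisions.  Samples are constructed."""
import re
import socket
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Event names Asterisk raises for failed or malformed attempts.  SuccessfulAuth is
# deliberately absent: stolen credentials never trip this rule (Telium's point).
FAILURE_EVENTS = frozenset({"InvalidAccountID", "InvalidPassword", "ChallengeResponseFailed",
                            "FailedACL", "RequestBadFormat", "UnexpectedAddress"})
ADDR_RE = re.compile(r"^IPV[46]/(?:UDP|TCP|TLS|WS|WSS)/(.+)/\d+$")  # IPV4/UDP/<ip>/<port>
LOG_KV_RE = re.compile(r'(\w+)="([^"]*)"')                          # key="value" pairs

def parse_ami_frame(text):
    """One AMI frame: 'Key: Value' lines terminated by a blank line."""
    frame = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            frame[key.strip()] = value.strip()
    return frame

def parse_security_log_line(line):
    """The security log channel writes the AMI fields as comma-separated key="value"
    pairs (SecurityEvent="...",EventTV="...",RemoteAddress="IPV4/UDP/a.b.c.d/5060");
    return them shaped like an AMI frame, or None for a non-security line."""
    fields = dict(LOG_KV_RE.findall(line))
    if "SecurityEvent" not in fields:
        return None
    fields["Event"] = fields.pop("SecurityEvent")
    return fields

def remote_ip(event):
    m = ADDR_RE.match(event.get("RemoteAddress", ""))
    return m.group(1) if m else None

def event_time(event):
    """EventTV as Asterisk 12+ writes it, e.g. 2017-08-02T20:27:50.123-0500 (assumed form)."""
    return datetime.strptime(event["EventTV"], "%Y-%m-%dT%H:%M:%S.%f%z")

class FailureTracker:
    """fail2ban's maxretry/findtime rule over parsed events: observe() returns the
    source IP once, at the moment it crosses the threshold, otherwise None."""

    def __init__(self, maxretry=5, findtime=timedelta(minutes=10)):
        self.maxretry, self.findtime = maxretry, findtime
        self.hits, self.banned = defaultdict(list), set()

    def observe(self, event):
        ip = remote_ip(event)
        if event.get("Event") not in FAILURE_EVENTS or ip is None or ip in self.banned:
            return None
        now = event_time(event)
        recent = [t for t in self.hits[ip] if now - t <= self.findtime] + [now]
        self.hits[ip] = recent            # drop hits that fell out of the window
        if len(recent) < self.maxretry:
            return None
        self.banned.add(ip)
        return ip

def bans_from_security_log(lines, **kw):
    """Feed security-log lines through the tracker; return the IPs to ban, in order."""
    tracker, bans = FailureTracker(**kw), []
    for line in lines:
        event = parse_security_log_line(line)
        ip = tracker.observe(event) if event else None
        if ip:
            bans.append(ip)
    return bans

def stream_ami_security_events(host, port, username, secret):
    """Live source: log in to AMI for the 'security' event class only and yield each
    frame.  The manager user (hypothetical credentials) needs read=security."""
    with socket.create_connection((host, port)) as sock, sock.makefile("rb") as rd:
        sock.sendall(("Action: Login\r\nUsername: %s\r\nSecret: %s\r\nEvents: security\r\n\r\n"
                      % (username, secret)).encode())
        frame_lines = []
        for raw in rd:                                  # frames end with a blank line
            if raw.strip():
                frame_lines.append(raw.decode("utf-8", "replace"))
                continue
            frame, frame_lines = parse_ami_frame("".join(frame_lines)), []
            if "security" in frame.get("Privilege", "").split(","):
                yield frame

# --- constructed sample input (documentation-range addresses, made-up prefix) ---
T0 = datetime(2017, 8, 2, 20, 27, 50, tzinfo=timezone(timedelta(hours=-5)))

def _log_line(event, ip, when, account="100"):
    return ('[%s] SECURITY[2345] res_security_log.c: SecurityEvent="%s",EventTV="%s",'
            'Severity="Error",Service="SIP",EventVersion="1",AccountID="%s",'
            'SessionID="0x7f1c2c0a8e40",LocalAddress="IPV4/UDP/192.0.2.10/5060",'
            'RemoteAddress="IPV4/UDP/%s/5060"' % (when.strftime("%Y-%m-%d %H:%M:%S"), event,
                                                   when.strftime("%Y-%m-%dT%H:%M:%S.000%z"), account, ip))

SAMPLE_LOG = ([_log_line("InvalidAccountID", "203.0.113.5", T0 + timedelta(seconds=i)) for i in range(6)]
              + [_log_line("InvalidPassword", "198.51.100.7", T0 + timedelta(minutes=2)),
                 _log_line("SuccessfulAuth", "192.0.2.20", T0 + timedelta(minutes=3), "1000")])
SAMPLE_AMI_FRAME = ("Event: InvalidAccountID\r\nPrivilege: security,all\r\n"
                    "EventTV: 2017-08-02T20:32:47.000-0500\r\nSeverity: Error\r\nService: SIP\r\n"
                    "AccountID: 100\r\nRemoteAddress: IPV4/UDP/203.0.113.5/5060\r\n\r\n")

if __name__ == "__main__":
    print("ban:", bans_from_security_log(SAMPLE_LOG))
    print("ami:", remote_ip(parse_ami_frame(SAMPLE_AMI_FRAME)))
```

Run stand-alone it bans the one address with five failures inside the window and ignores the single InvalidPassword and the SuccessfulAuth; for a live feed, pass each frame from stream_ami_security_events() to FailureTracker.observe() and push the returned IP to whatever the firewall accepts. It inherits the limit the thread argues about: an address only shows up here once Asterisk has rejected it, so a scanner that never triggers a failure event, or an attacker holding valid credentials, stays invisible to it.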

[asterisk-users] Detecting DoS attacks via SIP

2017-08-15 Thread mdiehl
Hi all,

Lately, I've seen an increase in the number of attacks against my system from 
the so-called "Friendly Scanner."  When one of these script kiddies targets my 
server, all I see for symptoms is a few of my trunks become lagged due to 
server load and a stream of messages on the console that resemble this:

[Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
[Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
[Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
[Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
[Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
[Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
[Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
[Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
[Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6


I have to turn on sip debugging to find out who's hitting me.  However, I can't 
just leave it on because it would kill my logging system.

So, how are other people handling this?  Is there an AMI event I want to watch 
for?  I watch for PeerStatus, but since there's no actual peer in the attack, I 
don't seem to get an event from AMI.

Any ideas?

Mike Diehl.
