[asterisk-users] SIP Blacklisting
Hi,

Given the recent increase in SIP brute force attacks, I've had a little idea.

The standard scripts that block after X attempts work well to prevent you actually being compromised, but once you've been 'found' then the attempts seem to keep coming for quite some time. Older versions of sipvicious don't appear to stop once you start sending un-reachables (or straight drops). Now this isn't a problem for Asterisk, but it does add up in (noticeable) bandwidth costs - and for people running on lower bandwidth connections. The tool to crash sipvicious can help this, but very few attackers seem to obey it.

The only way I can see to alleviate this is to blacklist hosts *before* they attack. This means you won't ever be targeted past an initial scan.

Is there any interest in a 'shared' blacklist (similar to spam blacklists, but obviously implemented in a way that is more usable with Asterisk/iptables)? Clearly it raises issues about false positives etc, but requiring reports from more than X hosts should alleviate this. There's all the usual de-listing / false-listing worries as with any blacklist, but the SMTP world has solutions we could learn from.

Leaving a 'honeypot' running on a single IP address has revealed a few hundred addresses in less than a month. I am fairly certain these are all 'bad' as this host isn't used for anything else. There is obviously a wealth of data (and attacks) out there that would be good to share.

Anyone have any thoughts?

S

--
Bandwidth and Colocation Provided by http://www.api-digital.com
New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] SIP Blacklisting
Always start here... http://www.spamhaus.org/drop/

If the AS is stolen, you can block the network and never have to worry about it...

~ Andrew lathama Latham lath...@gmail.com
* Learn more about OSS http://en.wikipedia.org/wiki/Open-source_software
* Learn more about Linux http://en.wikipedia.org/wiki/Linux
* Learn more about Tux http://en.wikipedia.org/wiki/Tux

On Thu, Oct 21, 2010 at 12:41 PM, Steve Howes steve-li...@geekinter.net wrote:
> Is there any interest in a 'shared' blacklist (similar to spam blacklists, but obviously implemented in a way that is more usable with Asterisk/iptables)? Clearly it raises issues about false positives etc, but requiring reports from more than X hosts should alleviate this.
> [...]
Re: [asterisk-users] SIP Blacklisting
On Thu, 21 Oct 2010, Steve Howes wrote:
> Is there any interest in a 'shared' blacklist (similar to spam blacklists, but obviously implemented in a way that is more usable with Asterisk/iptables)? Clearly it raises issues about false positives etc, but requiring reports from more than X hosts should alleviate this.
> [...]

I'll subscribe, that is for sure.

What is the best way to dist the blacklist? iptables include file? Or something more integrated to asterisk... just thinking off the top of my head that a module that vetted inbound connections against an external list would be a very cool thing.

j
Re: [asterisk-users] SIP Blacklisting
With CRON or as an init.d you can do many things... http://www.spamhaus.org/faq/answers.lasso?section=DROP%20FAQ#116

~ Andrew lathama Latham lath...@gmail.com
* Learn more about OSS http://en.wikipedia.org/wiki/Open-source_software
* Learn more about Linux http://en.wikipedia.org/wiki/Linux
* Learn more about Tux http://en.wikipedia.org/wiki/Tux

On Thu, Oct 21, 2010 at 12:54 PM, Jeff LaCoursiere j...@sunfone.com wrote:
> On Thu, 21 Oct 2010, Steve Howes wrote:
>> [...]
>
> I'll subscribe, that is for sure.
>
> What is the best way to dist the blacklist? iptables include file? Or something more integrated to asterisk... just thinking off the top of my head that a module that vetted inbound connections against an external list would be a very cool thing.
>
> j
Re: [asterisk-users] SIP Blacklisting
I was thinking on the same lines, i.e. set up a server which will be regularly updated with these bad IP addresses, and anybody looking to block bad IPs will be able to get this list from here. For example, when I get mail from Fail2Ban (which I am getting more and more every day now), a copy would be sent to this server with the updated bad IP address.

But the problem is how to make sure that only legitimate users are contributing to this list. Contributors to this list somehow need to verify to an admin that they are not hackers, and this is the hard part.

Zeeshan A Zakaria
--
www.ilovetovoip.com

On 2010-10-21 11:46 AM, Steve Howes steve-li...@geekinter.net wrote:
> Is there any interest in a 'shared' blacklist (similar to spam blacklists, but obviously implemented in a way that is more usable with Asterisk/iptables)? Clearly it raises issues about false positives etc, but requiring reports from more than X hosts should alleviate this.
> [...]
Re: [asterisk-users] SIP Blacklisting
On 21 Oct 2010, at 16:54, Jeff LaCoursiere wrote:
> I'll subscribe, that is for sure.
>
> What is the best way to dist the blacklist? iptables include file? Or something more integrated to asterisk... just thinking off the top of my head that a module that vetted inbound connections against an external list would be a very cool thing.

I was thinking some sort of script to pull via HTTP to update whatever you wanted (output as iptables etc). I know it's not an instant 'lookup', but an hour delay between updates is nothing. Also means whoever is running the server isn't getting hammered by everyone ;)

Realtime lookups from Asterisk would be quite a load (and would introduce latency).

S
Re: [asterisk-users] SIP Blacklisting
We would be interested.

Spam is a harder problem to fight due to volume and the ability of any idiot to set up free email accounts. But anyone blasting SIP systems is a pure commercial crook. Tagging and strangling them should be a clear cut project.

Cary Fitch

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Steve Howes
Sent: Thursday, October 21, 2010 10:41 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] SIP Blacklisting

Is there any interest in a 'shared' blacklist (similar to spam blacklists, but obviously implemented in a way that is more usable with Asterisk/iptables)? Clearly it raises issues about false positives etc, but requiring reports from more than X hosts should alleviate this.
[...]
Re: [asterisk-users] SIP Blacklisting
On Thu, 21 Oct 2010, Andrew Latham wrote:
> Always start here... http://www.spamhaus.org/drop/
>
> If the AS is stolen, you can block the network and never have to worry about it...
>
> ~ Andrew lathama Latham lath...@gmail.com

I guess you are assuming that spam networks should be included in the blacklist by default? I'm not sure that is a good assumption. Some of my customer netblocks have ended up on spam lists unknowingly (by leaving open SMTP servers for example), and if that had affected their ability to place phone calls also it would have been disastrous.

j
Re: [asterisk-users] SIP Blacklisting
On 10/21/10 12:07 PM, Steve Howes steve-li...@geekinter.net wrote:
> On 21 Oct 2010, at 16:54, Jeff LaCoursiere wrote:
>> I'll subscribe, that is for sure.
>>
>> What is the best way to dist the blacklist? iptables include file? Or something more integrated to asterisk... just thinking off the top of my head that a module that vetted inbound connections against an external list would be a very cool thing.
>
> I was thinking some sort of script to pull via HTTP to update whatever you wanted (output as iptables etc). I know it's not an instant 'lookup', but an hour delay between updates is nothing. Also means whoever is running the server isn't getting hammered by everyone ;)
>
> Realtime lookups from Asterisk would be quite a load (and would introduce latency).

I would think DNS would be the best way. Querying it in real time shouldn't be a problem and the zone could be replicated to a local server if need be.

-Dave
Re: [asterisk-users] SIP Blacklisting
On 21 Oct 2010, at 17:03, Zeeshan Zakaria wrote:
> But the problem is how to make sure that only legitimate users are contributing to this list. Contributors to this list somehow need to verify to an admin that they are not hackers, and this is the hard part.

I was thinking of having a threshold of number of people reporting an address before it's approved (perhaps from X countries to stop someone with their own subnet abusing it). Clearly it's not an easy thing to guarantee, but a 'report false positive' with human intervention at this point might be useful.

S
Re: [asterisk-users] SIP Blacklisting
On Thu, 21 Oct 2010, Steve Howes wrote:
> On 21 Oct 2010, at 16:54, Jeff LaCoursiere wrote:
>> I'll subscribe, that is for sure.
>>
>> What is the best way to dist the blacklist? iptables include file? Or something more integrated to asterisk... just thinking off the top of my head that a module that vetted inbound connections against an external list would be a very cool thing.
>
> I was thinking some sort of script to pull via HTTP to update whatever you wanted (output as iptables etc). I know it's not an instant 'lookup', but an hour delay between updates is nothing. Also means whoever is running the server isn't getting hammered by everyone ;)
>
> Realtime lookups from Asterisk would be quite a load (and would introduce latency).
>
> S

I agree in principle - some cron job pulling the list by http would certainly be simple. But just to continue my thoughts to the brick wall, I don't see a lookup adding latency to the call other than what should be a very brief addition to the time taken for a call to be accepted. Once accepted you would just continue to accept the packets.

How about something DNS based? Load could potentially be distributed that way if a number of people agreed to participate.

I'll mull this over a bit more.

j
Re: [asterisk-users] SIP Blacklisting
On 21 Oct 2010, at 17:32, Jeff LaCoursiere wrote:
> I agree in principle - some cron job pulling the list by http would certainly be simple. But just to continue my thoughts to the brick wall, I don't see a lookup adding latency to the call other than what should be a very brief addition to the time taken for a call to be accepted.

Yeah, that's what I was referring to. Say some evil people attacked the server, you could add a few second delay to someone's call setup. I know it's not a major problem but it might just be opening another attack vector.

> Once accepted you would just continue to accept the packets.
>
> How about something DNS based? Load could potentially be distributed that way if a number of people agreed to participate.
>
> I'll mull this over a bit more.

DNS is a possibility. It would require an Asterisk module I guess. There's nothing saying we could publish the same data in multiple ways (store it in SQL somewhere and output files to HTTP and generated zone files for bind to pick up).

S
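The two design points raised in the thread, Steve's threshold rule (an address is listed only after X reporters, spread over X countries, submit it) and publishing the same data in several formats (a file for cron/HTTP pulls and a zone for BIND), worked through as an added example that is not code from the thread or from any of its participants. The `SIPBL` chain, the `sipbl.example.` zone, the reporter names, country codes and TEST-NET addresses are constructed sample values.

```python
"""Shared SIP blocklist aggregator: threshold listing plus two publication
formats (iptables-restore fragment for cron/HTTP pulls, DNSBL-style zone for
BIND). Added example, not code from the thread; all names are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

MIN_REPORTERS = 3   # distinct contributing sites needed before listing
MIN_COUNTRIES = 2   # ...spread over this many countries (anti-abuse rule)
# Never list RFC1918/loopback even if reported: one bad contributor must not be able to knock LANs offline.
NEVER_LIST = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

@dataclass(frozen=True)
class Report:
    ip: str        # address seen brute-forcing SIP
    reporter: str  # id of the contributing honeypot / Fail2Ban host
    country: str   # country code of the reporter (constructed)

def build_blocklist(reports, min_reporters=MIN_REPORTERS,
                    min_countries=MIN_COUNTRIES):
    """Sorted IPv4 addresses (as strings) that cross both thresholds."""
    reporters, countries = defaultdict(set), defaultdict(set)
    for r in reports:
        try:
            ip = ipaddress.IPv4Address(r.ip)
        except ipaddress.AddressValueError:
            continue                      # drop malformed submissions
        if ip.is_multicast or any(ip in net for net in NEVER_LIST):
            continue
        reporters[ip].add(r.reporter)     # sets: one site cannot stack votes
        countries[ip].add(r.country)
    return [str(ip) for ip in sorted(reporters)
            if len(reporters[ip]) >= min_reporters
            and len(countries[ip]) >= min_countries]

def to_iptables_restore(ips, chain="SIPBL"):
    """Fragment for `iptables-restore -n`: ':CHAIN - [0:0]' recreates and flushes
    the chain, so a cron pull reloads it atomically (hook once: -A INPUT -j SIPBL)."""
    lines = ["*filter", f":{chain} - [0:0]"]
    lines += [f"-A {chain} -s {ip}/32 -j DROP" for ip in ips]
    return "\n".join(lines + ["COMMIT"]) + "\n"

def dnsbl_name(ip, zone="sipbl.example."):
    """DNSBL convention: 203.0.113.10 -> 10.113.0.203.sipbl.example."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def to_dnsbl_zone(ips, zone="sipbl.example.", answer="127.0.0.2"):
    """Minimal BIND zone with one A record per listed host."""
    lines = [f"$ORIGIN {zone}", "$TTL 3600",
             f"@ IN SOA ns1.{zone} hostmaster.{zone} 1 3600 900 604800 3600",
             f"@ IN NS ns1.{zone}"]
    lines += [f"{dnsbl_name(ip, zone)} IN A {answer}" for ip in ips]
    return "\n".join(lines) + "\n"

SAMPLE_REPORTS = [  # constructed submissions using TEST-NET addresses
    Report("203.0.113.10", "honeypot-a", "GB"),
    Report("203.0.113.10", "pbx-b", "DE"),
    Report("203.0.113.10", "pbx-c", "US"),       # 3 sites, 3 countries: listed
    Report("198.51.100.7", "honeypot-a", "GB"),  # one site only: not listed
    Report("198.51.100.8", "pbx-b", "DE"),
    Report("198.51.100.8", "pbx-b", "DE"),       # repeat from same site: counts once
    Report("198.51.100.8", "pbx-d", "DE"),
    Report("198.51.100.8", "pbx-e", "DE"),       # 3 sites, 1 country: not listed
    Report("10.0.0.5", "pbx-b", "DE"),
    Report("10.0.0.5", "pbx-c", "US"),
    Report("10.0.0.5", "pbx-d", "FR"),           # RFC1918: never listed
    Report("not-an-ip", "pbx-b", "DE"),          # malformed: ignored
]
```

A consumer would fetch the iptables fragment over HTTP from cron and feed it to `iptables-restore -n`, while a resolver-side check reverses the octets and looks up an A record under the zone, exactly as SMTP DNSBLs do.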
Re: [asterisk-users] SIP Blacklisting
>> Always start here... http://www.spamhaus.org/drop/
>>
>> If the AS is stolen, you can block the network and never have to worry about it...
>
> I guess you are assuming that spam networks should be included in the blacklist by default? I'm not sure that is a good assumption. Some of my customer netblocks have ended up on spam lists unknowingly (by leaving open SMTP servers for example), and if that had affected their ability to place phone calls also it would have been disastrous.
>
> j

Take TWO minutes and read http://www.spamhaus.org/drop/ . Add some items to your BGP route lists and smile at the decrease in traffic.