Re: [asterisk-users] SIP Register DOS attack
I'll check this option and see if it helps next time, just to clarify, there were no actual calls in place, just DOS register attack.

On Wed, Jun 1, 2011 at 12:22 PM, Ira i...@extrasensory.com wrote:
> At 10:56 AM 6/1/2011, you wrote:
>> Do you have:
>>
>> sip.conf
>> [general]
>> allowguest=no
>
> So because of this I decided to type sip show channels into my Asterisk and got this:
>
> Peer             User/ANR    Call ID          Format     Hold  Last Message  Expiry  Peer
> 216.xxx.69.xxx   (None)      f2d8db55-0a7edd  (nothing)  No    Rx: OPTIONS           guest
> 216.xxx.69.xxx   (None)      2ce0b9a5-6de7f4  (nothing)  No    Rx: OPTIONS           guest
> 64.xxx.41.xxx    6314098389  2a482e4b684a59a  (nothing)  No                          guest
> 192.168.233.xxx  (None)      ioh3fna2aw.n4mz  (nothing)  No    Rx: REGISTER          guest
> 4 active SIP dialogs
>
> I have allowguest=no and all of those IPs are either my providers or a SIP phone on my network so why would it show guest as the peer?
>
> I'm running Asterisk SVN-trunk-r319759M if that matters.
>
> Ira

--
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] SIP Register DOS attack
Also you guys may need to use:

    sip.conf
    [general]
    allowguest=no
    alwaysauthreject = yes

On Thu, Jun 2, 2011 at 1:01 PM, Al lists asteris...@gmail.com wrote:
> I'll check this option and see if it helps next time, just to clarify, there were no actual calls in place, just DOS register attack.
>
> On Wed, Jun 1, 2011 at 12:22 PM, Ira i...@extrasensory.com wrote:
>> At 10:56 AM 6/1/2011, you wrote:
>>> Do you have:
>>>
>>> sip.conf
>>> [general]
>>> allowguest=no
>>
>> So because of this I decided to type sip show channels into my Asterisk and got this:
>>
>> Peer             User/ANR    Call ID          Format     Hold  Last Message  Expiry  Peer
>> 216.xxx.69.xxx   (None)      f2d8db55-0a7edd  (nothing)  No    Rx: OPTIONS           guest
>> 216.xxx.69.xxx   (None)      2ce0b9a5-6de7f4  (nothing)  No    Rx: OPTIONS           guest
>> 64.xxx.41.xxx    6314098389  2a482e4b684a59a  (nothing)  No                          guest
>> 192.168.233.xxx  (None)      ioh3fna2aw.n4mz  (nothing)  No    Rx: REGISTER          guest
>> 4 active SIP dialogs
>>
>> I have allowguest=no and all of those IPs are either my providers or a SIP phone on my network so why would it show guest as the peer?
>>
>> I'm running Asterisk SVN-trunk-r319759M if that matters.
>>
>> Ira

--
Abdullah
Re: [asterisk-users] SIP Register DOS attack
On 11-05-31 06:24 PM, Al lists wrote:
> Hi List
>
> Recently I have noticed this attack on a couple of servers. Usually a foreign IP starts sending tons of register requests without any answer to authentication. If you type sip show channels in the CLI you will see tons of these:
>
> 1.2.3.4  (None)  2389603298  00101/1  0x0 (nothing)  No  Rx: REGISTER
>
> Since there is no authentication in place, Asterisk does not see any failed register attempt, so there won't be anything added to the log file as a failed attempt. Thus fail2ban won't see any activity and won't block the IP. It simply brings down the internet link and the box due to too many SIP channels.

Do you have:

    sip.conf
    [general]
    allowguest=no

--
Paul Belanger
Digium, Inc. | Software Developer
twitter: pabelanger | IRC: pabelanger (Freenode)
Check us out at: http://digium.com http://asterisk.org
Re: [asterisk-users] SIP Register DOS attack
At 10:56 AM 6/1/2011, you wrote:
> Do you have:
>
> sip.conf
> [general]
> allowguest=no

So because of this I decided to type sip show channels into my Asterisk and got this:

    Peer             User/ANR    Call ID          Format     Hold  Last Message  Expiry  Peer
    216.xxx.69.xxx   (None)      f2d8db55-0a7edd  (nothing)  No    Rx: OPTIONS           guest
    216.xxx.69.xxx   (None)      2ce0b9a5-6de7f4  (nothing)  No    Rx: OPTIONS           guest
    64.xxx.41.xxx    6314098389  2a482e4b684a59a  (nothing)  No                          guest
    192.168.233.xxx  (None)      ioh3fna2aw.n4mz  (nothing)  No    Rx: REGISTER          guest
    4 active SIP dialogs

I have allowguest=no and all of those IPs are either my providers or a SIP phone on my network so why would it show guest as the peer?

I'm running Asterisk SVN-trunk-r319759M if that matters.

Ira
[asterisk-users] SIP Register DOS attack
Hi List

Recently I have noticed this attack on a couple of servers. Usually a foreign IP starts sending tons of register requests without any answer to authentication. If you type sip show channels in the CLI you will see tons of these:

    1.2.3.4  (None)  2389603298  00101/1  0x0 (nothing)  No  Rx: REGISTER

Since there is no authentication in place, Asterisk does not see any failed register attempt, so there won't be anything added to the log file as a failed attempt. Thus fail2ban won't see any activity and won't block the IP. It simply brings down the internet link and the box due to too many SIP channels.
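
Because the flood described in this thread leaves no failed-registration line for fail2ban to match, one option is to watch the channel list itself. The following is an added example, not code from any poster or from the Asterisk project: it tallies Rx: REGISTER dialogs per source IPv4 address in sip show channels output. The sample rows, the threshold, the allowlist and the printed line format are all constructed assumptions.

```python
import re
import sys
from collections import Counter

# Constructed sample shaped like the "sip show channels" rows quoted in the thread.
SAMPLE = """\
Peer             User/ANR    Call ID          Format     Hold  Last Message  Expiry  Peer
203.0.113.7      (None)      2389603298       (nothing)  No    Rx: REGISTER          guest
203.0.113.7      (None)      2389603299       (nothing)  No    Rx: REGISTER          guest
203.0.113.7      (None)      2389603300       (nothing)  No    Rx: REGISTER          guest
198.51.100.20    (None)      f2d8db55-0a7edd  (nothing)  No    Rx: OPTIONS           guest
192.0.2.15       (None)      ioh3fna2aw.n4mz  (nothing)  No    Rx: REGISTER          guest
5 active SIP dialogs
"""

# A row of interest starts with an IPv4 peer address and has an inbound
# REGISTER as its last message. IPv6 peers are out of scope for this example.
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s.*\bRx:\s+REGISTER\b")


def pending_registers(cli_output):
    """Count dialogs per source IP whose last message is an inbound REGISTER."""
    counts = Counter()
    for line in cli_output.splitlines():
        match = ROW.match(line.strip())
        if match:
            counts[match.group(1)] += 1
    return counts


def flood_sources(cli_output, threshold=3, allowlist=()):
    """Return (ip, count) pairs at or above threshold, busiest first.

    allowlist holds addresses that legitimately register often, such as
    your own phones; threshold=3 only suits the tiny sample above.
    """
    counts = pending_registers(cli_output)
    return [(ip, n) for ip, n in counts.most_common()
            if n >= threshold and ip not in allowlist]


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for ip, n in flood_sources(text):
        # Line format is made up for this example; log it wherever your
        # blocking tool reads from.
        print(f"sip-register-flood src={ip} dialogs={n}")
```

To run it against a live system, pipe the output of asterisk -rx "sip show channels" into the script and raise the threshold to suit normal registration traffic.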