Right. I limit the exposure with limiting the connections per second to port
5060, which does offer some protection, but yes, I'd like to be able to see
a "funky" UA in a specific log file and be able to do more... like an
automated sipvicious crash targeted against the IP using that UA...

It has been suggested using SNMP to gather that data on sipx, but fail2ban
is a log parser. So sipx needs to be able to log the data "judiciously" so
it is not competing for resources for disk i/o. So when it sees "xx"
failures of a certain type, it should log the information so it can be
harvested.

On Mon, Sep 27, 2010 at 11:11 AM, Todd Hodgen <[email protected]> wrote:

>  Currently, someone has taken sipvicious and deployed it on bots that try
> to authenticate to user sipsscuser.  It does need to be stopped at the
> firewall, and in one of my customer sites it is.  However, there are reports
> of sites that get hit so hard that it creates the equivalent of a Denial of
> Service attack.
>
>  Fail2ban is one approach that is used to control these attacks.
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Joegen Baclor
> *Sent:* Monday, September 27, 2010 4:18 AM
> *To:* sipXecs developer discussions
> *Subject:* Re: [sipx-dev] ability to deny based on UA
>
>
>
> IMHO, deny based on UA versus deny based on credentials won't give you much
> of a defense against a DOS attack.   The only difference between deny by IP
> against deny by credentials is it requires two transactions for a deny by
> credential to reject the request.  Thus it is safe to say that if 1000
> REGISTERS brings down a system where it denies by credential, it would take
> double that amount to bring it down if it decides to deny based on IP and I
> don't think there won't be any shortage of transactions a DOS attacker can
> spawn :-).   This is a firewall role.
>
> On Monday, 27 September, 2010 06:13 PM, Tony Graziano wrote:
>
> Is there a way to add a functionality to filter SIP messages based on the
> Via headers IP address or names? This would be to make the information
> available to a firewall or other script as a measure to identify or protect
> against a dos attack.
>
>
>
> If an attack was to send an invite or register using a brute force attack
> to attempt to register thousands of times in a very short period, it would be
> nice to have a detection and limited protection mechanism.



-- 
======================
Tony Graziano, Manager
Telephone: 434.984.8430
sip: [email protected]
Fax: 434.984.8431

Email: [email protected]

LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: [email protected]
Fax: 434.984.8427

Helpdesk Contract Customers:
http://www.myitdepartment.net/gethelp/

Why do mathematicians always confuse Halloween and Christmas?
Because 31 Oct = 25 Dec.
_______________________________________________
sipx-dev mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev/
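
One way to do the "judicious" logging asked for in the top message, so a log parser such as fail2ban has a single line per offending source to harvest (an added example, not part of the original thread and not sipXecs code). The class name, the `AUTH-FAIL-THRESHOLD` line format, the thresholds and the sample addresses are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

# Hypothetical summary-line format; nothing here is a real sipXecs log format.
LINE_RE = re.compile(r'^(\d+) AUTH-FAIL-THRESHOLD src=(\S+) count=(\d+) ua="([^"]*)"$')

class FailureAggregator:
    """Write one summary line per source once failures cross a threshold."""

    def __init__(self, threshold=5, window=60.0):
        self.threshold = threshold         # the "xx" failures from the post
        self.window = window               # seconds of history kept per source
        self.events = defaultdict(deque)   # src_ip -> failure timestamps
        self.quiet_until = {}              # src_ip -> no new line before this time

    def record(self, ts, src_ip, user_agent):
        """Record one failed authentication; return a log line or None."""
        q = self.events[src_ip]
        q.append(ts)
        while ts - q[0] > self.window:     # drop failures older than the window
            q.popleft()
        if len(q) < self.threshold or ts < self.quiet_until.get(src_ip, 0.0):
            return None                    # below threshold, or already reported
        self.quiet_until[src_ip] = ts + self.window
        # The User-Agent is attacker-controlled: strip quotes and control bytes
        # so it cannot forge extra log lines for the parser to act on.
        ua = re.sub(r'[^\x20-\x7e]|"', "?", user_agent)[:64]
        return f'{ts:.0f} AUTH-FAIL-THRESHOLD src={src_ip} count={len(q)} ua="{ua}"'

def demo():
    """Constructed input: 7 failures from one source, 1 from another."""
    agg = FailureAggregator(threshold=5, window=60.0)
    events = [(t, "203.0.113.7", "funky-ua/0.1") for t in range(7)]
    events.append((3, "198.51.100.20", "desk-phone/1.0"))
    lines = [agg.record(*e) for e in sorted(events)]
    return [line for line in lines if line]

if __name__ == "__main__":
    for line in demo():
        print(line, LINE_RE.match(line).groups())
```

Seven failures produce one line instead of seven, which is the disk I/O saving the post asks for. The per-source table is unbounded in this sketch, so a production version would cap or expire it.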
