Again, that's a different thread. Including the one that identifies certain SIP UAs that are ID'd as the attack and providing the information for the firewall to pick up...

My post (stop hijacking everyone) relates to obfuscating potential harvestable data used by attackers. That's all; this is something that is hosted at sipfoundry. Also, if you read some of the other posts you'll see a very proactive automated feature that SHOULD be discussed under the correct thread. You will also see the results of the 30 minute attack resulting in 40 invites attempted with no loss of bandwidth, CPU, connections, memory OR latency.

Take whatever approach you want, but I simply asked if there was a way to obfuscate sip: URIs on the harvestable lists/forums at sipfoundry. The inability to harvest this data is the first step to prevent (as in prevent, mitigate, harden). Is obfuscation technically feasible or not?

============================
Tony Graziano, Manager
Telephone: 434.984.8430
Fax: 434.984.8431
Email: [email protected]
LAN/Telephony/Security and Control Systems
Helpdesk: Telephone: 434.984.8426 Fax: 434.984.8427
Helpdesk Contract Customers: http://www.myitdepartment.net/gethelp/

----- Original Message -----
From: [email protected] <[email protected]>
To: [email protected] <[email protected]>
Sent: Fri Oct 15 07:34:01 2010
Subject: Re: [sipx-users] Mailing lists harvested for sip attacks

On 10/15/10 6:52 AM, Tony Graziano wrote:
> I am hardened and had no issues. I just found the fact that it is a real
> domain with sip on a subdomain that is not published ANYWHERE until a few
> hours before the attack, which was very limited since I had cps throttled
> in a way that mitigated it gracefully, which was all in another post.

I would love to get those patches that allow me to use a different port for sip url calls! No, it doesn't solve the problem, but will cut down on it. Your firewall can 'tarpit' anyone (except your ITSP) who hits port 5060 once you have the ports swapped. Tarpitting can effectively slow the attack down, limiting the bandwidth the attacker can use.
Another idea taken from anti-spam systems is the concept of a 'siptrap' (like a spam trap). Someone hits sip:[email protected] and our sip system 'pretends' to talk to him. We might start reporting these ip addresses to dshield.org. The combination of posts here, and data collected by dshield.org, assisted a couple of security researchers in justifying tracking the Amazon EC2 Cloud ip addresses which were extensively used in sipvicious attacks a while back. Amazon saw the correlation and put measures in place to stop the abuse of their network. (I wonder: someone uses the Amazon cloud to look for open sip servers in order to commit toll fraud.. I bet they used their own credit card to pay for you, what do you think?)

Anyway, a collective way to track and maybe block these folks who are doing this would add to a 'defense in depth' approach to the problem.

--
Michael Scheidell, CTO
o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300
SECNAP Network Security Corporation
