I also think that whatever port you run your proxy on, it won't matter. If the script you are being attacked with harvests a SIP URI, it can easily do an SRV lookup and run an automated attack against you.
Changing the port for the proxy is going to offer some protection, but since SRV records (like MX) are resolved to look up the hostname/preference, SIP SRV also provides the PORT...

============================
Tony Graziano, Manager
LAN/Telephony/Security and Control Systems
Email: [email protected]

----- Original Message -----
From: [email protected] <[email protected]>
To: [email protected] <[email protected]>
Sent: Fri Oct 15 07:34:01 2010
Subject: Re: [sipx-users] Mailing lists harvested for sip attacks

On 10/15/10 6:52 AM, Tony Graziano wrote:
> I am hardened and had no issues. I just found the fact that it is a real
> domain with SIP on a subdomain that is not published ANYWHERE until a few
> hours before the attack, which was very limited since I had cps throttled in
> a way that mitigated it gracefully, which was all in another post.

I would love to get those patches that allow me to use a different port for SIP URL calls! No, it doesn't solve the problem, but it will cut down on it.

Your firewall can 'tarpit' anyone (except your ITSP) who hits port 5060 once you have the ports swapped. Tarpitting can effectively slow the attack down, limiting the bandwidth the attacker can use.

Another idea taken from anti-spam systems is the concept of a 'siptrap' (like a spam trap). Someone hits sip:[email protected] and our SIP system 'pretends' to talk to him. We might start reporting these IP addresses to dshield.org.

The combination of posts here, and data collected by dshield.org, assisted a couple of security researchers in justifying tracking the Amazon EC2 Cloud IP addresses which were extensively used in sipvicious attacks a while back. Amazon saw the correlation and put measures in place to stop the abuse of their network.
(I wonder: someone uses the Amazon cloud to look for open SIP servers in order to commit toll fraud... I bet they used their own credit card to pay for it, what do you think?)

Anyway, a collective way to track and maybe block these folks who are doing this would add to a 'defense in depth' approach to the problem.

--
Michael Scheidell, CTO
SECNAP Network Security Corporation
o: 561-999-5000

_______________________________________________
sipx-users mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users/
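The SRV point Tony makes above (moving the proxy off 5060 does not hide it, because RFC 3263 resolution of a harvested SIP URI reads the port out of the `_sip._udp` SRV record) can be walked through in code. The block below is an added example, not code from this thread or from sipXecs: the `ZONE` dictionary stands in for real DNS answers and every record in it is constructed, the `example.com` hosts and port 5080 are assumptions, and the selection order follows RFC 2782 (lowest priority first, weighted random choice within a priority).

```python
"""Resolve a SIP domain to (host, port) targets the way an automated scanner
or a compliant UA would (RFC 3263 -> RFC 2782 SRV selection).

Added example for illustration; ZONE is constructed data, not a DNS query.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone data (assumed, not a real domain's records): the proxy was
# moved off 5060, but the new port is published in the SRV record, so anyone
# who harvested "sip:user@example.com" still learns where to connect.
ZONE = {
    "_sip._udp.example.com.": [
        SrvRecord(priority=10, weight=60, port=5080, target="sip1.example.com."),
        SrvRecord(priority=10, weight=40, port=5080, target="sip2.example.com."),
        SrvRecord(priority=20, weight=0, port=5080, target="sip-backup.example.com."),
    ],
}

DEFAULT_SIP_PORT = 5060


def srv_name(domain, transport):
    """Name queried by RFC 3263 for a SIP domain, e.g. _sip._udp.example.com."""
    return f"_sip._{transport}.{domain.rstrip('.')}."


def order_srv(records, rng=random):
    """Order SRV records per RFC 2782: lowest priority value first; within one
    priority, draw repeatedly at random with probability proportional to weight
    (weight-0 records only get picked once the weighted ones are exhausted)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = rng.choice(pool)
            else:
                x = rng.randint(0, total - 1)
                acc = 0
                for pick in pool:
                    acc += pick.weight
                    if x < acc:
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def resolve_sip_targets(domain, transport="udp", zone=ZONE, rng=random):
    """Return (host, port) pairs to try, in order. With no SRV record the
    fallback is the domain itself on the default port, as RFC 3263 specifies,
    which is the only case in which a non-standard port stays hidden."""
    records = zone.get(srv_name(domain, transport))
    if not records:
        return [(domain, DEFAULT_SIP_PORT)]
    return [(r.target, r.port) for r in order_srv(records, rng)]


if __name__ == "__main__":
    for host, port in resolve_sip_targets("example.com"):
        print(f"{host}:{port}")
```

The practical check this gives you: if `dig SRV _sip._udp.yourdomain` answers, the port in that answer is public whatever you chose; only a domain with no SRV record (or one that is not the SIP domain people mail you from) keeps the port as a secret, and even then the fallback is a probe of the bare domain on 5060.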
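Michael's tarpit-everyone-but-the-ITSP idea and Tony's mention of calls-per-second throttling both start from the same decision: which source addresses are sending SIP requests faster than a legitimate endpoint would, excluding the trunk provider. The block below is an added example and not code from this thread or from sipXecs. It assumes a simple log format (ISO timestamp, source IP, method, Request-URI) that is not any particular product's, the log lines and the ITSP range `198.51.100.0/24` are constructed, and the threshold of three requests per second is an arbitrary assumption; the output is the list you would feed to a firewall tarpit rule or a dshield.org report.

```python
"""Find SIP sources that exceed a per-second request limit, excluding the ITSP.

Added example. SAMPLE_LOG, ITSP_NETS and CPS_LIMIT are constructed/assumed.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample (not real traffic): a sipvicious-style OPTIONS/REGISTER
# burst from one host, a call burst from the ITSP, and one normal registration.
SAMPLE_LOG = """\
2010-10-15T07:30:00 203.0.113.10 OPTIONS sip:100@sip.example.com
2010-10-15T07:30:00 203.0.113.10 OPTIONS sip:101@sip.example.com
2010-10-15T07:30:00 203.0.113.10 REGISTER sip:102@sip.example.com
2010-10-15T07:30:00 203.0.113.10 REGISTER sip:103@sip.example.com
2010-10-15T07:30:01 203.0.113.10 REGISTER sip:104@sip.example.com
2010-10-15T07:30:01 203.0.113.10 REGISTER sip:105@sip.example.com
2010-10-15T07:30:01 203.0.113.10 REGISTER sip:106@sip.example.com
2010-10-15T07:30:01 198.51.100.7 INVITE sip:2005551212@sip.example.com
2010-10-15T07:30:01 198.51.100.7 INVITE sip:2005551213@sip.example.com
2010-10-15T07:30:01 198.51.100.7 INVITE sip:2005551214@sip.example.com
2010-10-15T07:30:01 198.51.100.7 INVITE sip:2005551215@sip.example.com
2010-10-15T07:30:02 192.0.2.44 REGISTER sip:alice@sip.example.com
"""

# Assumed trunk provider range; the ITSP is exempt, as Michael's post suggests,
# because a burst of INVITEs from it is normal inbound call volume.
ITSP_NETS = [ip_network("198.51.100.0/24")]

# Assumed threshold: requests per second from one source before it is treated
# as a scanner. Tune to the busiest legitimate endpoint you actually have.
CPS_LIMIT = 3


def parse_line(line):
    """Split one assumed-format log line into (timestamp, source, method, uri)."""
    ts, src, method, uri = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), ip_address(src), method, uri


def is_itsp(src):
    """True when the source address falls inside an exempt provider range."""
    addr = ip_address(src)
    return any(addr in net for net in ITSP_NETS)


def find_offenders(log_text, cps_limit=CPS_LIMIT):
    """Return {source_ip: peak requests per second} for every non-ITSP source
    whose peak exceeds cps_limit. These are the candidates for a tarpit rule
    or an abuse report; nothing here blocks traffic by itself."""
    per_second = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _, _ = parse_line(line)
        per_second[(src, ts.replace(microsecond=0))] += 1

    peak = defaultdict(int)
    for (src, _), count in per_second.items():
        peak[src] = max(peak[src], count)

    return {str(src): n for src, n in peak.items()
            if n > cps_limit and not is_itsp(src)}


if __name__ == "__main__":
    for src, rate in find_offenders(SAMPLE_LOG).items():
        print(f"{src}: peak {rate} req/s, candidate for tarpit/report")
```

Two caveats a practitioner would add. Counting per second is deliberately simple; a scanner that spreads requests across many source addresses (the EC2 pattern the thread describes) will stay under any per-source limit, which is why Michael's point about pooling observations across sites matters. And the ITSP exemption must match the provider's real address ranges, or a spoofed source inside that range gets a free pass; on UDP SIP, source addresses are not authenticated.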
