On 10/15/2010 7:34 AM, Michael Scheidell wrote:
> On 10/15/10 6:52 AM, Tony Graziano wrote:
>> I am hardened and had no issues. I just found the fact that it is a real
>> domain with sip on a subdomain that is not published ANYWHERE until a few
>> hours before the attack, which was very limited since I had cps throttled in
>> a way that mitigated it gracefully, which was all in another post.
>
> I would love to get those patches that allow me to use a different port
> for sip url calls!
> No, it doesn't solve the problem, but will cut down on it.
> Your firewall can 'tarpit' anyone (except your ITSP) who hits port 5060
> once you have the ports swapped.
> Tarpitting can effectively slow the attack down, limiting the bandwidth
> the attacker can use.
>
> Another idea taken from anti-spam systems is the concept of a 'siptrap'
> (like a spam trap). Someone hits sip:[email protected] and our sip
> system 'pretends' to talk to him.
>
> We might start reporting these ip addresses to dshield.org. The
> combination of posts here, and data collected by dshield.org, assisted a
> couple of security researchers in justifying tracking the Amazon EC2
> Cloud ip addresses which were extensively used in sipvicious attacks a
> while back. Amazon saw the correlation and put measures in place to stop
> the abuse of their network. (I wonder: someone uses the Amazon cloud to
> look for open sip servers in order to commit toll fraud... I bet they
> used their own credit card to pay for you, what do you think?)
>
> Anyway, a collective way to track and maybe block these folks who are
> doing this would add to a 'defense in depth' approach to the problem.
I like what you are saying, Michael. I believe sipx should have the same type of hooks that any public internet service has, like postfix, apache and ssh. A couple of things that come to mind for SIPx:

- better logging of registration or call attempts that fail, so that we can use tools like fail2ban to take the appropriate action.
- maybe a delayed response back when the registration user/password or extension is wrong, like ssh.
- I like the dshield.org idea; I guess that is similar to the DNS blacklist lookups that email servers use.

--
Regards
--------------------------------------
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.biz

_______________________________________________
sipx-users mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users/
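As an added illustration of the fail2ban-style hook Gerald asks for (this is example code, not part of the thread or of sipXecs): a detector that reads failed REGISTER lines, applies fail2ban's maxretry/findtime rule per source address, and exempts an allowlisted ITSP as Michael's tarpit advice does. The log format, the hostnames and all sample lines are constructed for the example; sipXecs's real log format is not assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (hypothetical, not sipXecs's real format):
#   <ISO timestamp> auth-fail REGISTER user=<id> from=<ipv4>
LINE_RE = re.compile(r"^(?P<ts>\S+) auth-fail REGISTER user=(?P<user>\S+) "
                     r"from=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

def parse_failures(lines):
    """Yield (timestamp, user, source_ip) for each failed-auth line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]

def offending_ips(lines, maxretry=5, findtime=timedelta(minutes=10), allowlist=()):
    """fail2ban-style rule: flag a source once it has maxretry failures inside
    any findtime window; addresses in allowlist (e.g. the ITSP) are never flagged."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    flagged = set()
    for ts, _user, ip in parse_failures(lines):
        if ip in allowlist:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # expire failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            flagged.add(ip)
    return flagged

# Constructed sample: a fast extension-enumerating scanner (203.0.113.7), the ITSP
# trunk (192.0.2.10), one mistyped password, and a slow scanner (203.0.113.9).
SAMPLE_LOG = """
2010-10-15T07:00:00 auth-fail REGISTER user=300 from=203.0.113.9
2010-10-15T07:30:00 auth-fail REGISTER user=301 from=203.0.113.9
2010-10-15T07:40:01 auth-fail REGISTER user=100 from=203.0.113.7
2010-10-15T07:40:02 auth-fail REGISTER user=101 from=203.0.113.7
2010-10-15T07:40:03 INFO REGISTER ok user=200 from=198.51.100.5
2010-10-15T07:40:03 auth-fail REGISTER user=102 from=203.0.113.7
2010-10-15T07:40:04 auth-fail REGISTER user=103 from=203.0.113.7
2010-10-15T07:40:05 auth-fail REGISTER user=104 from=203.0.113.7
2010-10-15T07:41:00 auth-fail REGISTER user=trunk from=192.0.2.10
2010-10-15T07:41:01 auth-fail REGISTER user=trunk from=192.0.2.10
2010-10-15T07:41:02 auth-fail REGISTER user=trunk from=192.0.2.10
2010-10-15T07:41:03 auth-fail REGISTER user=trunk from=192.0.2.10
2010-10-15T07:41:04 auth-fail REGISTER user=trunk from=192.0.2.10
2010-10-15T07:42:00 auth-fail REGISTER user=210 from=198.51.100.4
2010-10-15T08:00:00 auth-fail REGISTER user=302 from=203.0.113.9
2010-10-15T08:30:00 auth-fail REGISTER user=303 from=203.0.113.9
2010-10-15T09:00:00 auth-fail REGISTER user=304 from=203.0.113.9
"""
```

With the ITSP allowlisted, only the fast scanner is flagged; the slow scanner's five failures are each more than findtime apart, so it never reaches maxretry.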
