Hi,

Register attacks are now an epidemic. In most cases they are using the friendly-scanner (svcrack.py) from sipvicious.org. One easy way to block is to check the user agent for the words "friendly-scanner" and drop the packets (an attacker could easily change the user agent, but most of them are just script kiddies). There is a good tutorial on the OpenSIPS website on how to use fail2ban to block the IP address of the offenders (I think this is the best long term solution).

http://www.opensips.org/Resources/DocsTutFail2ban (posted in Sept/2010 by the user named aseques)

In some cases, when the attacker uses an old version of svcrack.py, it floods your server. I have received four gigs of traffic in a single day from just one source. There is a small utility from sipvicious.org called svcrash.py capable of crashing the attacker by sending a malformed packet.

I hope it helps, it has been a pain to handle these attacks every day. On a normal day we are receiving from 4 to 8 attacks from different sources.

Best regards,
--------------------------------------------------
Flavio E. Goncalves
CEO - V.Office
Phone: +554830258590/+554884085000
OpenSIPS Bootcamp (Frankfurt Sep 20-24)

2010/11/2 Hung Nguyen <[email protected]>:
> Hi everybody!
>
> I have a problem with an attacker as follows:
>
>
> attack                    registrar
>
> register ------------->
> register ------------->
> ...
> register ------------->
>
>
> The attacker sends 200 registers/second, so the registrar server is in error. This
> is the configuration for the register method:
>
> route[2] {
>
>     # ----------------------------------------------------------
>     # REGISTER Message Handler
>     # ----------------------------------------------------------
>
>     if (!search("^Contact:[ ]*\*") && nat_uac_test("7")) {
>         setflag(6);
>         fix_nated_register();
>         fix_nated_contact();
>         force_rport();
>     };
>
>     if (!radius_www_authorize("abc.com")) {
>         www_challenge("abc.com", "0");
>         exit;
>     };
>     consume_credentials();
>
>     if (!save("location")) {
>         sl_reply_error();
>     };
> }
>
> Please help me,
>
> Thanks.
>
> Hung
>
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
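
The two checks suggested in the reply above (matching the "friendly-scanner" user agent, and banning sources that keep failing REGISTER authentication, which is what fail2ban automates) can be sketched as follows. This is an added example, not code from the thread, OpenSIPS or fail2ban; the log line format, the thresholds and the sample addresses are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict, deque

# Hypothetical log format (an assumption, not real OpenSIPS output):
#   "<epoch seconds> REGISTER from <ip> ua=<user agent> auth=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) REGISTER from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"ua=(?P<ua>.*?) auth=(?P<auth>ok|fail)$"
)
SCANNER_UA = "friendly-scanner"  # user agent named in the reply above
MAX_FAILS = 5                    # assumed threshold (like fail2ban's maxretry)
WINDOW = 10.0                    # assumed window in seconds (like findtime)


def offenders(lines, max_fails=MAX_FAILS, window=WINDOW):
    """Return {ip: reason} for the sources that should be blocked."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failed REGISTERs
    banned = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["ip"] in banned:
            continue
        ts, ip = float(m["ts"]), m["ip"]
        if SCANNER_UA in m["ua"].lower():
            banned[ip] = "scanner user agent"
            continue
        if m["auth"] == "fail":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # forget failures outside the window
                q.popleft()
            if len(q) >= max_fails:
                banned[ip] = "register flood"
    return banned


# Constructed sample input (documentation-range addresses).
SAMPLE = (
    ["1288700000 REGISTER from 192.0.2.10 ua=friendly-scanner auth=fail"]
    # Renamed user agent, 200 failed REGISTERs in one second: caught by rate only.
    + [f"{1288700001 + i / 200:.3f} REGISTER from 198.51.100.7 ua=Generic auth=fail"
       for i in range(200)]
    # Legitimate phone with a wrong password: three spaced failures, then success.
    + [f"{1288700000 + 30 * i} REGISTER from 203.0.113.5 ua=Phone/1.0 auth=fail"
       for i in range(3)]
    + ["1288700100 REGISTER from 203.0.113.5 ua=Phone/1.0 auth=ok"]
)

if __name__ == "__main__":
    for ip, reason in offenders(SAMPLE).items():
        print(ip, reason)
```

The second source shows why the rate check matters: once the user agent is changed, only the failure count within the window identifies it, while the slow, mistyped-password client stays unblocked.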
