Hi Flavio,

How did you originally detect these register attacks? Are you using the pike module or noticing them some other way?

Thanks,
Kennard

On Tue, Nov 2, 2010 at 10:40 AM, Flavio Goncalves <[email protected]> wrote:
> Hi,
>
> Register attacks are now an epidemic. In most cases they are using the
> friendly-scanner (svcrack.py) from sipvicious.org. One easy way to
> block is to check the user agent for the words "friendly-scanner" and
> drop the packets (an attacker could easily change the user agent, but
> most of them are just script kiddies). There is a good tutorial in the
> opensips website on how to use fail2ban to block the IP address of the
> offenders (I think this is the best long term solution).
>
> http://www.opensips.org/Resources/DocsTutFail2ban (posted in sept/2010
> by the user named aseques)
>
> In some cases, when the attacker uses an old version of svcrack.py it
> floods your server. I have received four gigs of traffic in a single
> day from just one source. There is a small utility from sipvicious.org
> called svcrash.py capable of crashing the attacker by sending a malformed
> packet.
>
> I hope it helps, it has been a pain to handle these attacks every day.
> On a normal day we are receiving from 4 to 8 attacks from different
> sources.
>
> Best regards,
>
> --------------------------------------------------
> Flavio E. Goncalves
> CEO - V.Office
> Fone: +554830258590/+554884085000
> OpenSIPS Bootcamp (Frankfurt Sep 20-24)
>
> 2010/11/2 Hung Nguyen <[email protected]>:
> > Hi everybody!
> >
> > I have a problem with an attacker as follows:
> >
> > attack                      registrar
> >
> > register ------------->
> > register ------------->
> > ...
> > register ------------->
> >
> > The attacker sends 200 registers/second, so the registrar server is in error.
> > This is the configuration for the register method:
> >
> > route[2] {
> >
> >     # ----------------------------------------------------------
> >     # REGISTER Message Handler
> >     # ----------------------------------------------------------
> >
> >     if (!search("^Contact:[ ]*\*") && nat_uac_test("7")) {
> >         setflag(6);
> >         fix_nated_register();
> >         fix_nated_contact();
> >         force_rport();
> >     };
> >
> >     if (!radius_www_authorize("abc.com")) {
> >         www_challenge("abc.com", "0");
> >         exit;
> >     };
> >     consume_credentials();
> >
> >     if (!save("location")) {
> >         sl_reply_error();
> >     };
> > }
> >
> > Please help me,
> >
> > Thanks.
> >
> > Hung
> >
> > _______________________________________________
> > Users mailing list
> > [email protected]
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
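An added example, not part of the thread and not OpenSIPS or fail2ban code: one way to spot the two signals discussed above (the "friendly-scanner" User-Agent and a per-source REGISTER flood) in captured SIP requests. The window, threshold, function names and sample traffic are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

UA_BLOCKLIST = re.compile(r"friendly-scanner", re.I)  # string named in the thread
WINDOW_SECONDS = 2.0   # assumed sampling window
MAX_REGISTERS = 30     # assumed per-source limit inside one window

def parse_sip(raw):
    """Return (method, user_agent) from a raw SIP request, or (None, None)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = re.match(r"^([A-Z]+) \S+ SIP/2\.0$", lines[0].strip())
    if not m:
        return None, None
    ua = ""
    for line in lines[1:]:
        if not line:               # blank line ends the header section
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":   # header names are case-insensitive
            ua = value.strip()
    return m.group(1), ua

def find_offenders(packets):
    """packets: (timestamp, source_ip, raw_message), time-ordered per source."""
    recent = defaultdict(deque)    # source_ip -> timestamps of recent REGISTERs
    offenders = defaultdict(set)   # source_ip -> reasons it was flagged
    for ts, src, raw in packets:
        method, ua = parse_sip(raw)
        if method != "REGISTER":
            continue
        if UA_BLOCKLIST.search(ua):
            offenders[src].add("scanner-user-agent")
        window = recent[src]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:     # slide the window forward
            window.popleft()
        if len(window) > MAX_REGISTERS:            # catches a changed User-Agent too
            offenders[src].add("register-flood")
    return dict(offenders)

def make_register(ua):  # constructed minimal REGISTER for the sample below
    return f"REGISTER sip:abc.com SIP/2.0\r\nUser-Agent: {ua}\r\nContent-Length: 0\r\n\r\n"

# Constructed sample traffic using documentation addresses (not a real capture):
# two sources at 200 REGISTERs/second and one phone re-registering once a minute.
SAMPLE = (
    [(i * 0.005, "198.51.100.7", make_register("friendly-scanner")) for i in range(400)]
    + [(i * 0.005, "203.0.113.9", make_register("SomeClient/2.1")) for i in range(400)]
    + [(i * 60.0, "192.0.2.20", make_register("ExamplePhone/1.0")) for i in range(5)]
)
```

The flagged addresses are the kind of list that a fail2ban jail or a firewall rule would then act on.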
