[asterisk-bugs] [Asterisk 0018051]: SIP brute force attemps having a DoS effect

Asterisk Bug Tracker noreply at bugs.digium.com
Thu Dec 9 16:00:33 CST 2010


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=18051 
====================================================================== 
Reported By:                eeman
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   18051
Category:                   Channels/chan_sip/General
Reproducibility:            have not tried
Severity:                   major
Priority:                   normal
Status:                     feedback
Asterisk Version:           SVN 
JIRA:                       SWP-2343 
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2010-09-24 19:00 CDT
Last Modified:              2010-12-09 16:00 CST
====================================================================== 
Summary:                    SIP brute force attemps having a DoS effect
Description: 
We've all seen the brute force attempts where a script blasts asterisk with
thousands of attempts to learn valid accounts

example:
[Sep 24 15:46:51] NOTICE[19686] chan_sip.c: Registration from
'"9941"<sip:9941 at 1.2.3.4>' failed for '81.31.148.109' - No matching peer
found
[Sep 24 15:46:51] NOTICE[19686] chan_sip.c: Registration from
'"9942"<sip:9942 at 1.2.3.4>' failed for '81.31.148.109' - No matching peer
found
[Sep 24 15:46:51] NOTICE[19686] chan_sip.c: Registration from
'"9943"<sip:9943 at 1.2.3.4>' failed for '81.31.148.109' - No matching peer
found
[Sep 24 15:46:51] NOTICE[19686] chan_sip.c: Registration from
'"9944"<sip:9944 at 1.2.3.4>' failed for '81.31.148.109' - No matching peer
found

this seems to be having a second effect of creating a DoS attack on
inbound calls. It seems that the instigating attacker's IP finds its way
into legitimate SIP messages as the Contact: url. The result is the ACK
messages to the corresponding 200 messages are sent instead to this IP.
Observe the Contact header in this simple ACK message (i sanitized the IP
addresses except for the script running ass; he can get his own DoS from
this post for all i care):

rUJy`\=EX+U.HFE at SIP/2.0 200 OK
Via: SIP/2.0/UDP
4.3.2.1:5060;branch=z9hG4bK78126bc7;received=4.3.2.1;rport=5060
From: "BLUEGRASSNET" <sip:+18598064913 at 4.3.2.1>;tag=as684e24f7
To: <sip:+18129442733 at 1.2.3.4>;tag=as52fe0a2e
Call-ID: 4544269969f074577549d403673538de at 4.3.2.1
CSeq: 103 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces
Contact: <sip:+18129442733 at 81.31.148.109>
Content-Type: application/sdp
Content-Length: 211

v=0
o=root 19653 19653 IN IP4 1.2.3.4
s=session
c=IN IP4 1.2.3.4
t=0 0
m=audio 14936 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=sendrecv

as a result the ACK messages and BYE messages get sent to an IP
81.31.148.109 in the RIPE number space. 
====================================================================== 

---------------------------------------------------------------------- 
 (0129515) svnbot (reporter) - 2010-12-09 16:00
 https://issues.asterisk.org/view.php?id=18051#c129515 
---------------------------------------------------------------------- 
Repository: asterisk
Revision: 297959

U   branches/1.4/channels/chan_sip.c

------------------------------------------------------------------------
r297959 | twilson | 2010-12-09 16:00:31 -0600 (Thu, 09 Dec 2010) | 14
lines

Ignore spurious REGISTER requests

If a REGISTER request with a Call-ID matching an existing transaction is
received
it was possible that the REGISTER request would overwrite the initreq of
the
private structure. This info is used to generate messages for other
responses in
the transaction. This patch ignores REGISTER requests that match
non-REGISTER
transactions.

(closes issue https://issues.asterisk.org/view.php?id=18051)
Reported by: eeman
Tested by: twilson

Review: https://reviewboard.asterisk.org/r/1050/

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=297959 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-12-09 16:00 svnbot         Checkin                                      
2010-12-09 16:00 svnbot         Note Added: 0129515                          
======================================================================




More information about the asterisk-bugs mailing list