[asterisk-bugs] [JIRA] Commented: (ASTERISK-20506) chan_sip not reporting attacker IP

Matt Jordan (JIRA) noreply at issues.asterisk.org
Wed Oct 3 08:33:27 CDT 2012


    [ https://issues.asterisk.org/jira/browse/ASTERISK-20506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=197885#comment-197885 ] 

Matt Jordan commented on ASTERISK-20506:
----------------------------------------

This issue is already fixed in Asterisk 10+ by including the appropriate message in the Security Event Framework.

This has been a contentious issue, and I understand that the fact that the log message has not been changed in Asterisk 1.8 is a point of frustration.  As Walter pointed out on ASTERISK-19348, there are limiting factors in Asterisk 1.8 that prevent us from being able to conclusively provide the IP address of the attacker:

{quote}
As an aside:

chan_sip.c: NOTICE[xxxxx]: Call attempt was made from SPOOFED SOURCE IP: x.x.x.x with TRUE SOURCE IP: x.x.x.x

There are so many IP addresses in a packet, and none of them qualifies as the "spoofed source IP". Relevant IPs for a request would probably be: VIA_SENT_BY_IP (from the top Via header) and APPARENT_SOURCE_IP (from the socket layer), where the latter can still be easily spoofed in many cases (see UDP spoofing).

Pavel Troller already mentioned that in the mailing list:

> In that case maybe Asterisk can pull the IP from network layer of the OS?!
Of course it can, but please be informed, that at least on systems I'm
running, a lot of attacks are done with spoofed source IP addresses
{quote}

I'm open to discussing this again with anyone who cares to address the points listed above.

> chan_sip not reporting attacker IP
> ----------------------------------
>
>                 Key: ASTERISK-20506
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20506
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/General
>    Affects Versions: 1.8.15.1
>         Environment: CentOS release 5.8 (Final), Kernel 2.6.18-308.8.2.el5.028stab101.1, 32-bit, running on an OpenVZ VPS.
>            Reporter: MBH
>
> My Asterisk box is being brute forced and I'm getting messages in the logs referencing my box's IP instead of the attacker's:
> [2012-10-03 03:49:45] NOTICE[28161]: chan_sip.c:22723 handle_request_invite: Sending fake auth rejection for device 5550000<sip:5550000@AsteriskIP>;tag=396cbe1b
> The notice message is not logging the attacker IP at all, thus cannot be blocked using fail2ban.
> The same is mentioned here: http://lists.digium.com/pipermail/asterisk-users/2011-March/260377.html and here http://forums.digium.com/viewtopic.php?t=78988
> I'm using type=peer, alwaysauthreject=yes, allowguest=no

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
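The following is an added example, not code from the ticket or from Asterisk. It shows in working Python why the 1.8 NOTICE line quoted in the report cannot feed a ban rule (the only address in it is the box's own, taken from the SIP URI), what the Security Event Framework line in Asterisk 10+ adds (a socket-layer RemoteAddress field), and, for Walter's aside, how the Via sent-by address and the apparent socket source can be compared. Assumptions: the sample log lines and INVITE are constructed here with documentation-range addresses; the key="value" SECURITY line follows the shape produced by res_security_log, which is this example's assumption rather than text from the ticket; all function names are hypothetical.

```python
"""Added example (not Asterisk code): which address a SIP brute-force log
line actually offers a defender, and which ones it does not."""
import re

# Constructed sample lines. The NOTICE line follows the shape quoted in the
# ticket; the SECURITY line follows the res_security_log key="value" layout
# (an assumption of this example). 192.0.2.10 is the Asterisk box itself.
LOCAL_IP = "192.0.2.10"
NOTICE_LINE = (
    '[2012-10-03 03:49:45] NOTICE[28161]: chan_sip.c:22723 handle_request_invite: '
    'Sending fake auth rejection for device 5550000<sip:5550000@192.0.2.10>;tag=396cbe1b'
)
SECURITY_LINE = (
    '[2012-10-03 03:49:45] SECURITY[28161] res_security_log.c: '
    'SecurityEvent="InvalidAccountID",EventTV="1349254185-000000",Severity="Error",'
    'Service="SIP",EventVersion="1",AccountID="5550000",SessionID="0x0",'
    'LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"'
)
# Constructed INVITE whose top Via claims a different host than the socket peer.
INVITE = (
    "INVITE sip:5550000@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bKexample\r\n"
    "From: <sip:5550000@192.0.2.10>;tag=396cbe1b\r\n"
    "To: <sip:5550000@192.0.2.10>\r\n"
    "\r\n"
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def naive_first_ip(line):
    """What a hasty log filter does: take the first IPv4 literal on the line.
    On both sample lines this returns the box's own address, which is exactly
    the complaint in the ticket (a ban rule built this way bans the host)."""
    m = re.search(IPV4, line)
    return m.group(0) if m else None


def remote_address(line):
    """Socket-layer peer IP from a Security Event line, or None when the line
    carries no such field (as the 1.8 NOTICE line does not).
    The field is Family/Transport/IP/Port, so the IP is the third component."""
    m = re.search(r'RemoteAddress="([^"]+)"', line)
    if not m:
        return None
    parts = m.group(1).split("/")
    return parts[2] if len(parts) == 4 else None


def ban_candidate(line, local_ip=LOCAL_IP):
    """Address a ban rule may act on: only the socket-layer peer, never an
    address lifted from inside the SIP message, and never the host itself."""
    ip = remote_address(line)
    if ip is None or ip == local_ip:
        return None
    return ip


def via_sent_by(sip_request):
    """Host from the top Via header's sent-by (the address the sender claims).
    IPv4 literals or hostnames only; IPv6 bracket syntax is not handled here."""
    for hdr in sip_request.split("\r\n")[1:]:
        if not hdr:  # blank line ends the header block
            break
        if hdr.lower().startswith(("via:", "v:")):
            # Via: SIP/2.0/UDP host[:port];params
            sent_by = hdr.split(None, 2)[2].split(";")[0]
            return sent_by.rsplit(":", 1)[0]
    return None


def source_report(sip_request, socket_peer_ip):
    """The two addresses Walter's aside names, and whether they disagree.
    Neither proves origin: the Via value is sender-controlled and the socket
    source can be forged over UDP, so a mismatch is a hint, not a verdict."""
    claimed = via_sent_by(sip_request)
    return {
        "via_sent_by": claimed,
        "apparent_source": socket_peer_ip,
        "mismatch": claimed is not None and claimed != socket_peer_ip,
    }


if __name__ == "__main__":
    print("naive, NOTICE  :", naive_first_ip(NOTICE_LINE))
    print("naive, SECURITY:", naive_first_ip(SECURITY_LINE))
    print("ban, NOTICE    :", ban_candidate(NOTICE_LINE))
    print("ban, SECURITY  :", ban_candidate(SECURITY_LINE))
    print("sources        :", source_report(INVITE, "198.51.100.7"))
```

Note that even the SECURITY line defeats a first-IP regex, because LocalAddress precedes RemoteAddress; a filter has to be field-aware, and the RemoteAddress it extracts is still only the apparent socket source.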
