[asterisk-dev] auto blacklisting "script kiddies"

Tzafrir Cohen tzafrir.cohen at xorcom.com
Thu Apr 26 07:26:01 MST 2007


On Thu, Apr 26, 2007 at 03:08:19PM +0100, Steve Kennedy wrote:
> Would it not be a good idea if Asterisk would auto-blacklist single IP
> addresses that attempted multiple SIP or other registrations.
> 
> The attacks I've seen seem to be scripted and aren't particularly
> clever, so an auto back-off system or just lock from that IP address
> after a particular number of registration attempts. This could be
> specified as a config variable (as in number of attempts before lock).
> 
> Locked IPs could then be manually unlocked, or unlocked after a time
> period (or in combination, locked wait some time, unlock and if more
> attempts continue, lock for a longer time period etc).
> 
> This isn't going to defeat any kind of serious attack, but would deter
> the script kiddies out there. It also potentially won't work for ITSPs
> etc, but for smaller installs it could be just the solution?

Blocking is better done by the firewall. There are already a number of
programs that adapt the firewall or do whatever custom operation based on
certain conditions in the log.

Also: how simple is it to spoof a single packet for the purpose of
banning an IP address? e.g.: me spoofing a false packet from your IP
address to Gizmo.

Are Asterisk's logs well-suited for automated parsing by log parsers?

-- 
               Tzafrir Cohen       
icq#16849755                    jabber:tzafrir at jabber.org
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com       
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
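
Added example (not part of the original message and not Asterisk code): a log-driven lockout planner of the kind discussed in this thread, with an attempt threshold, lock times that double on repeat offences, and an allowlist so that a spoofed source address cannot get a trusted peer locked out. The log line format, the thresholds, the addresses and every name in the code are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format, constructed for this example (not taken from the message).
FAIL_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\].*Registration from '[^']*' "
                     r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'")
MAX_ATTEMPTS = 3                   # failures tolerated inside WINDOW before a lock
WINDOW = timedelta(minutes=1)
BASE_BAN = timedelta(minutes=10)   # doubled on each repeat offence
NEVER_BAN = {"198.51.100.10"}      # hypothetical trusted peer: spoofing must not lock it out

LINE = ("[{}] NOTICE[2101] chan_sip.c: Registration from '<sip:100@pbx.example>' "
        "failed for '{}' - Wrong password")
SAMPLE = [LINE.format(t, ip) for t, ip in [   # constructed sample data
    ("2007-04-26 10:00:01", "203.0.113.5"), ("2007-04-26 10:00:02", "203.0.113.5"),
    ("2007-04-26 10:00:03", "203.0.113.5"), ("2007-04-26 10:00:04", "203.0.113.5"),
    ("2007-04-26 10:00:05", "198.51.100.10"), ("2007-04-26 10:00:06", "198.51.100.10"),
    ("2007-04-26 10:00:07", "198.51.100.10"), ("2007-04-26 10:05:00", "192.0.2.7"),
    ("2007-04-26 10:07:00", "192.0.2.7"), ("2007-04-26 10:09:00", "192.0.2.7"),
    ("2007-04-26 10:20:00", "203.0.113.5"), ("2007-04-26 10:20:10", "203.0.113.5"),
    ("2007-04-26 10:20:20", "203.0.113.5"),
]] + ["[2007-04-26 10:21:00] VERBOSE[2101] logger.c: unrelated line"]

def plan_bans(lines):
    """Return [(ip, ban_start, ban_end)] for chronologically ordered log lines."""
    recent = defaultdict(deque)    # ip -> failure times still inside WINDOW
    offences = defaultdict(int)    # ip -> number of earlier bans
    banned_until, bans = {}, []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if ip in NEVER_BAN or banned_until.get(ip, ts) > ts:
            continue               # allowlisted, or already locked out
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:  # forget failures older than the window
            q.popleft()
        if len(q) >= MAX_ATTEMPTS:
            end = ts + BASE_BAN * 2 ** offences[ip]
            offences[ip] += 1
            banned_until[ip] = end
            q.clear()
            bans.append((ip, ts, end))
    return bans

if __name__ == "__main__":
    for ip, start, end in plan_bans(SAMPLE):
        print(f"lock {ip} from {start} until {end}")
```

The returned tuples are meant to be handed to whatever adds and removes the firewall rule; the planner itself blocks nothing.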

