[asterisk-users] Playing with sipvicious ..

Gordon Henderson gordon+asterisk at drogon.net
Thu Aug 19 07:11:55 CDT 2010


On Thu, 19 Aug 2010, Dana Harding wrote:

>
>> (I've just had 30GB of sipvicious traffic sent to my hosted servers in a
>> 12-hour period - it came from what looked like a VPS host in France -
>> trivially firewalled out, but even dropping the packets didn't stop the
>> flood! It's so badly written it appears to just ignore any return codes
>> that it doesn't want, or even no returns at all!)
>>
> http://blog.sipvicious.org/2010/06/how-to-crash-sipvicious-introducing.html
>
> It looks like it has been updated so that (with the newer version) this
> won't happen.

I doubt the new version will filter through for some months. People have a 
tool that appears to work for them, so they'll keep on using it.

> I think that fail2ban or equivalent could be used to block the offending
> IP, and also execute the provided svcrash.py which will send its one
> packet - possibly (if the attacker is using the older sipvicious)
> stopping the traffic.

To use svcrash, you need to identify the source port - and how many of the 
millions of people who're running asterisk via trixbox, innaflash, now, 
etc. actually know how to do that? (let alone get the SV sources and work 
out how to run them)

> Of course that won't help if the attacker is not using sipvicious and
> the other tool also ignores a lack of response.

Indeed.

Gordon
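
An added illustration of the source-port point in the message above (not part of the original thread, and not code from SIPVicious or Asterisk): a small Python script that tallies inbound SIP senders by source IP and source port from a packet summary. It assumes a capture in the one-line form printed by `tcpdump -n -q udp port 5060`; the sample lines, addresses and the `top_sources` name are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in `tcpdump -n -q` summary form (documentation addresses).
SAMPLE = """\
07:11:55.000101 IP 203.0.113.7.5071 > 192.0.2.10.5060: UDP, length 412
07:11:55.000349 IP 203.0.113.7.5071 > 192.0.2.10.5060: UDP, length 415
07:11:55.000910 IP 198.51.100.23.5060 > 192.0.2.10.5060: UDP, length 530
07:11:55.001200 IP 192.0.2.10.5060 > 198.51.100.23.5060: UDP, length 480
07:11:55.001377 IP 203.0.113.7.5071 > 192.0.2.10.5060: UDP, length 409
07:11:55.001802 IP 203.0.113.7.5072 > 192.0.2.10.5060: UDP, length 411
malformed line that should be skipped
"""

LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

def top_sources(text, local_ip, sip_port=5060, min_packets=3):
    """Return [(src_ip, src_port, packets, payload_bytes)] for inbound SIP
    senders, busiest first, keeping endpoints with at least min_packets."""
    packets, size = Counter(), Counter()
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not an IPv4/UDP summary line
        if m["dst"] != local_ip or int(m["dport"]) != sip_port:
            continue  # outbound replies or unrelated traffic
        key = (m["src"], int(m["sport"]))
        packets[key] += 1
        size[key] += int(m["len"])
    return [(ip, port, n, size[(ip, port)])
            for (ip, port), n in packets.most_common() if n >= min_packets]

if __name__ == "__main__":
    for ip, port, n, nbytes in top_sources(SAMPLE, "192.0.2.10"):
        print(f"{ip}:{port} sent {n} packets, {nbytes} UDP payload bytes")
```

The source port comes from the UDP header as seen on the wire, so the tally has to be taken on the server or firewall that receives the traffic.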


