[asterisk-users] SIP flood attack

Paul Hayes paul at provu.co.uk
Tue Oct 5 11:26:57 CDT 2010


On 03/10/10 21:19, Greg Saunders wrote:
> Hello all. I was recently the victim of a SIP flood attack. I'm
> wondering what is the best method to prevent such things in the future.
> Many thanks
> Greg
>

do one of the following:

- use deny & permit lines in sip.conf and/or iax.conf to restrict remote 
registrations to known IP address ranges only.  Or use iptables 
rules to do something similar.

- use a log scanning tool such as fail2ban or OSSEC which can react on 
multiple registration failures and block IP addresses in iptables.

- enforce strict password policy on all users on the system

I think simply relying on alwaysauthreject is very dangerous as it's 
only a matter of time before the attackers catch on to this and carry on 
attacking regardless.  Sure there's less chance of them getting a 
correct username/secret combination but in the meantime, the register 
attempts are practically a DoS attack.  Plus that setting further breaks 
the SIP RFC.

I also think that assuming that the attackers will eventually get in one 
way or another is wise.  So put in place appropriate measures to limit 
the damage they can do (daily spend limits with SIP providers, blocking 
international and/or premium rate numbers etc...).

cheers,
Paul.
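The second item above (scan the log for repeated registration failures, then block the source in iptables) is what fail2ban automates. As an added illustration that is not part of the original message or of Asterisk's own tooling, the following POSIX shell script does the same thing by hand on a constructed log excerpt: it extracts the source IP from chan_sip's "Registration from ... failed for ..." NOTICE lines, counts failures per host, and prints iptables DROP rules for hosts over a threshold. The log lines, the threshold and the assumption that SIP is listening only on UDP 5060 are all my own; adjust them to the real system.

```shell
#!/bin/sh
# Added example: count failed SIP REGISTER attempts per source IP in an
# Asterisk log and render iptables rules for the offenders. Standalone
# illustration of what fail2ban does for you; the log lines below are
# constructed, not taken from any real system.

# Write a constructed Asterisk-style log (message wording follows chan_sip's
# "Registration from ... failed for ..." NOTICE) to the file named in $1.
write_sample_log() {
  cat > "$1" <<'EOF'
[Oct  5 11:20:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.23:5060' - No matching peer found
[Oct  5 11:20:01] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.23:5060' - No matching peer found
[Oct  5 11:20:02] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '198.51.100.23:5060' - Wrong password
[Oct  5 11:20:02] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@203.0.113.10>' failed for '198.51.100.23:5061' - Wrong password
[Oct  5 11:21:10] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '203.0.113.77:5060' - Wrong password
[Oct  5 11:21:11] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '203.0.113.77:5060' - Wrong password
[Oct  5 11:25:00] NOTICE[1234] chan_sip.c: Registration from '"300" <sip:300@203.0.113.10>' failed for '192.0.2.9:5060' - Wrong password
[Oct  5 11:25:03] NOTICE[1234] chan_sip.c: Peer '300' is now Reachable. (12ms / 2000ms)
EOF
}

# Print, one per line, the source IPs with at least $2 failed registrations
# in the log file $1. The port is stripped so that a scanner rotating its
# source port still counts as one host.
failed_registration_ips() {
  sed -n "s/.*Registration from .* failed for '\([0-9.]*\):[0-9]*'.*/\1/p" "$1" \
    | sort | uniq -c \
    | awk -v t="$2" '$1 + 0 >= t + 0 { print $2 }' \
    | sort
}

# Turn a list of IPs on stdin into iptables DROP rules for SIP/UDP on stdout.
# Printed rather than executed so they can be reviewed first; apply with
#   failed_registration_ips /var/log/asterisk/messages 5 | block_rules | sh
# as root. Port 5060 is assumed to be the only SIP listener.
block_rules() {
  while read -r ip; do
    printf 'iptables -I INPUT -s %s -p udp --dport 5060 -j DROP\n' "$ip"
  done
}

# Demonstration on the constructed log: with a threshold of 3 only the
# host that tried four different extensions is listed; the legitimate
# user who mistyped a password once (192.0.2.9) is left alone.
demo() {
  log=$(mktemp)
  write_sample_log "$log"
  echo "Hosts with 3 or more failed registrations:"
  failed_registration_ips "$log" 3
  echo "Rules that would be applied:"
  failed_registration_ips "$log" 3 | block_rules
  rm -f "$log"
}

demo
```

The threshold is the whole trade-off: too low and a user who fat-fingers a password gets firewalled, too high and a slow scanner stays under it. fail2ban adds the pieces deliberately left out here, a time window, automatic un-banning and running as a daemon, which is why the message recommends it over a hand-rolled script.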


