[asterisk-users] SIP Blacklisting

Jeff LaCoursiere jeff at sunfone.com
Thu Oct 21 10:54:51 CDT 2010


On Thu, 21 Oct 2010, Steve Howes wrote:

> Hi,
>
> Given the recent increase in SIP brute force attacks, I've had a little 
> idea.
>
> The standard scripts that block after X attempts work well to prevent 
> you actually being compromised, but once you've been 'found' then the 
> attempts seem to keep coming for quite some time. Older versions of 
> sipvicious don't appear to stop once you start sending un-reachables (or 
> straight drops). Now this isn't a problem for Asterisk, but it does add 
> up in (noticeable) bandwidth costs - and for people running on lower 
> bandwidth connections. The tool to crash sipvicious can help this, but 
> very few attackers seem to obey it.
>
> The only way I can see to alleviate this, is to blacklist hosts *before* 
> they attack. This means you won't ever be targeted past an initial scan.
>
> Is there any interest in a 'shared' blacklist (similar to spam 
> blacklists, but obviously implemented in a way that is more usable with 
> Asterisk/iptables)? Clearly it raises issues about false positives etc., 
> but requiring reports from more than X hosts should alleviate this. 
> There's all the usual de-listing / false-listing worries as with any 
> blacklist, but the SMTP world has solutions we could learn from.
>
> Leaving a 'honeypot' running on a single IP address has revealed a few 
> hundred addresses in less than a month. I am fairly certain these are 
> all 'bad' as this host isn't used for anything else. There is obviously 
> a wealth of data (and attacks) out there that would be good to share.
>
> Anyone have any thoughts?
>
> S
> --

I'll subscribe, that is for sure.  What is the best way to dist the 
blacklist?  iptables include file?  Or something more integrated to 
asterisk... just thinking off the top of my head that a module that vetted 
inbound connections against an external list would be a very cool thing.

j
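Two of the mechanics discussed above lend themselves to a worked example: the shared blacklist that only lists a source once more than X distinct reporters have seen it (Steve's false-positive guard), and the "iptables include file" distribution format Jeff asks about. The following Python script is an added example written for this archive page; it is not code from either poster or from the Asterisk project. It assumes a report format of (reporter, source IP, failed-attempt count), constructed sample reports using the RFC 5737 documentation ranges, and an ipset-based rule set (the set name `sip_blacklist` and all thresholds are assumptions).

```python
"""Aggregate SIP-scanner reports from several honeypots into a shared
blacklist and render it in `ipset restore` syntax.

Added example, not from the thread. Assumed here: the report tuple
layout, the reporter names and addresses (constructed, RFC 5737
TEST-NET ranges), the set name 'sip_blacklist' and the thresholds.
"""
from collections import defaultdict
import ipaddress

# Constructed sample data: (reporter, source_ip, failed_attempts_seen).
SAMPLE_REPORTS = [
    ("hp-a", "203.0.113.10", 412),
    ("hp-b", "203.0.113.10", 97),
    ("hp-c", "203.0.113.10", 55),
    ("hp-a", "198.51.100.7", 300),
    ("hp-b", "198.51.100.7", 12),
    ("hp-a", "192.0.2.99", 3),    # seen by one reporter only, twice
    ("hp-a", "192.0.2.99", 5),
    ("hp-b", "10.0.0.5", 40),     # RFC 1918 address, must never be listed
    ("hp-c", "192.0.2.250", 2),
    ("hp-a", "192.0.2.250", 1),
]

# Address space a honeypot should never push into a shared list.
NEVER_LIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _excluded(addr, allowlist):
    """True for loopback/RFC 1918 space or an operator-supplied allowlist entry
    (e.g. your own SIP trunk provider), which is the de-listing hook."""
    if any(addr in net for net in NEVER_LIST):
        return True
    return str(addr) in allowlist


def aggregate(reports, min_reporters=3, allowlist=frozenset()):
    """Return [(ip, distinct_reporters, total_attempts), ...] for every IPv4
    source reported by at least min_reporters *distinct* honeypots, sorted.

    Counting distinct reporters rather than raw reports is the guard against
    false positives: one noisy or compromised reporter cannot list an
    address on its own.
    """
    reporters = defaultdict(set)
    attempts = defaultdict(int)
    for reporter, ip, n in reports:
        addr = ipaddress.ip_address(ip)        # malformed input fails loudly
        if addr.version != 4 or _excluded(addr, allowlist):
            continue                            # the rendered set is family inet
        reporters[str(addr)].add(reporter)
        attempts[str(addr)] += n
    listed = [(ip, len(r), attempts[ip]) for ip, r in reporters.items()
              if len(r) >= min_reporters]
    return sorted(listed, key=lambda e: ipaddress.ip_address(e[0]))


def render_ipset(entries, set_name="sip_blacklist"):
    """Render the list in `ipset restore` syntax.

    Load it with `ipset restore < sip_blacklist.ipset`; a single firewall rule
    then references the whole set, so the list can be refreshed without
    rewriting iptables rules:
      iptables -I INPUT -p udp --dport 5060 -m set --match-set sip_blacklist src -j DROP
    `-exist` makes reloading an unchanged set idempotent.
    """
    lines = [f"create {set_name} hash:ip family inet -exist"]
    for ip, _n_reporters, _n_attempts in entries:
        lines.append(f"add {set_name} {ip} -exist")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # With the sample data, only the two- and three-reporter sources survive.
    print(render_ipset(aggregate(SAMPLE_REPORTS, min_reporters=2)), end="")
```

Distributing the output of `render_ipset` as a flat file is roughly the "iptables include file" model: subscribers fetch it on a schedule and `ipset restore` it, while the threshold and allowlist stay under the subscriber's control, so a site can be stricter or looser than the shared list without forking it.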
