[asterisk-users] SIP Register DOS attack

Paul Belanger pabelanger at digium.com
Wed Jun 1 12:56:18 CDT 2011


On 11-05-31 06:24 PM, Al lists wrote:
> Hi List
> Recently I have noticed this attack on a couple of servers,
> usually a foreign IP starts sending tons of register requests without any
> answer to authentication,
> if you type sip show channels in the CLI you will see tons of these:
> 1.2.3.4      (None)      2389603298   00101/00001  0x0 (nothing)    No
> Rx: REGISTER
>
> since there is no authentication in place, Asterisk does not see any failed
> register attempt, so there won't be anything added to the log file as a failed
> attempt.
> thus fail2ban won't see any activity and won't block the IP.
> it simply brings down the internet link and the box due to too many SIP
> channels.
>
Do you have:

sip.conf
[general]
allowguest=no

-- 
Paul Belanger
Digium, Inc. | Software Developer
twitter: pabelanger | IRC: pabelanger (Freenode)
Check us out at: http://digium.com & http://asterisk.org
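
Added example, not part of the original thread: because the flood described above leaves no failed-registration log lines for fail2ban to match, one way to spot it is to count REGISTER dialogs per peer in `sip show channels` output. The row layout is taken from the line quoted above; the sample rows, addresses and threshold are constructed.

```python
import re
from collections import Counter

# Matches a data row shaped like the one quoted in the thread:
# peer IP, user, call-id, seq, format, hold, then "Rx: METHOD" or "Tx: METHOD".
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+.*\b(Rx|Tx):\s+(\S+)\s*$")


def unauthenticated_registers(cli_output: str) -> Counter:
    """Count dialogs per peer IP with user (None) whose last message is a received REGISTER."""
    counts = Counter()
    for line in cli_output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, summary or wrapped line
        ip, user, direction, method = m.groups()
        if user == "(None)" and direction == "Rx" and method == "REGISTER":
            counts[ip] += 1
    return counts


def suspects(cli_output: str, threshold: int) -> list:
    """Peer IPs holding at least `threshold` such dialogs, busiest first."""
    counts = unauthenticated_registers(cli_output)
    return [ip for ip, n in counts.most_common() if n >= threshold]


def _row(ip, user, call_id, fmt, last):
    # Helper that builds one constructed row in the quoted column order.
    return f"{ip:<16} {user:<11} {call_id:<12} 00101/00001  {fmt:<16} No  {last}"


# Constructed sample: six pending REGISTERs from one address, one from another,
# and one established call. All addresses are documentation-range placeholders.
SAMPLE = "\n".join(
    [_row("203.0.113.9", "(None)", str(2389603298 + i), "0x0 (nothing)", "Rx: REGISTER")
     for i in range(6)]
    + [_row("192.0.2.20", "(None)", "1177420031", "0x0 (nothing)", "Rx: REGISTER"),
       _row("198.51.100.7", "alice", "5f3a9c01", "0x4 (ulaw)", "Tx: ACK")]
)

if __name__ == "__main__":
    for ip in suspects(SAMPLE, threshold=5):
        print(ip, unauthenticated_registers(SAMPLE)[ip])
```

In practice the input would be the captured CLI output, and the threshold has to sit above what a legitimate NATed site registering several phones from one address would produce.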


