[asterisk-users] Hacking attempt, Asterisk 1.4

Brynjolfur Thorvardsson binni@binni.eu
Thu Feb 20 05:27:29 CST 2014


Hi all,

We have an Asterisk server that's been running for a few years now without
problems. We have IPTables running, as well as fail2ban, and have followed
all the security recommendations we have found.

Every few weeks we get an attack that lasts about a minute or two, resulting
in our AGI script being overloaded.

What happens is that somebody seems to be trying to connect from our server:
in my CDR log I can see that they use a four-digit number for source,
destination and caller ID, e.g.

clid: 7321
src: 7321
dst: 7321
channel: SIP/xx.xx.xx.xx-aaaaaaaa

xx.xx.xx.xx is our server IP. When one of our registered users makes a call,
the channel is SIP/yyyyyyyy-aaaaaaaa, where yyyyyyyy is the SIP user ID.

So it looks like a SIP phone trying to call itself, using our Asterisk
server IP as the SIP user name.

Within a couple of minutes the attacker seems to go through some 10000
attempts, resulting in our AGI script collapsing from the load. My Asterisk
full log shows something like:

    -- Executing [7321@sip:1] Answer("SIP/xx.xx.xx.xx-b0828f20", "") in new stack
    -- Executing [7321@sip:2] AGI("SIP/xx.xx.xx.xx-b0828f20", "agi://xx.xx.xx.xx") in new stack
    -- Executing [7321@sip:3] Hangup("SIP/xx.xx.xx.xx-b6130f70", "") in new stack
  == Spawn extension (sip, 7321, 3) exited non-zero on 'SIP/xx.xx.xx.xx-b6130f70'
       > cdr_odbc: Query Successful!
    -- AGI Script agi://xx.xx.xx.xx completed, returning 0

Our AGI script refuses to call “illegal” numbers, while our Asterisk
dialplan is a bit more accommodating, mostly because I have had problems
figuring out the order in which to put the various rules (I might have
another look at that!).

Does anybody know how to stop this from happening? I can’t find the
attacker’s IP number in my logs, and these attacks happen infrequently and
are over quickly, so I haven’t had an opportunity to run sip debug
during an attack, and I don’t want to have it running all the time.

Best regards,

Binni

Brynjólfur Þorvarðsson
IT Consultant
Tlf. +45 88321688
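
The pattern described in this post, a burst of calls whose SIP channel name carries the server's own IP where a registered user's channel would carry the peer name, can be picked out of the Asterisk full log automatically, so that the short, infrequent attacks are at least noticed while they happen. The following is an added example, not code from the original post and not part of Asterisk: a small Python script that parses the dialplan's "Executing" lines, splits the SIP/<peer>-<uniqueid> channel name, treats a bare IP address in the peer position as an unmatched (guest) caller, and reports every window in which more than a threshold of such channels start. The sample lines are constructed to model the Asterisk 1.4 full-log layout, with 192.0.2.10 standing in for the redacted server IP and 1001 for a registered user; the 60-second window and the threshold are assumed values.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines modelled on the Asterisk 1.4 "full" log layout
# (bracketed timestamp, VERBOSE tag, source file, then the message). Not a
# real capture: 192.0.2.10 stands in for the server's own redacted IP, and
# 1001 is a registered SIP user placing an ordinary call.
SAMPLE_FULL_LOG = """\
[Feb 20 05:20:01] VERBOSE[2291] logger.c:     -- Executing [7321@sip:1] Answer("SIP/192.0.2.10-b0828f20", "") in new stack
[Feb 20 05:20:01] VERBOSE[2291] logger.c:     -- Executing [7321@sip:2] AGI("SIP/192.0.2.10-b0828f20", "agi://192.0.2.10") in new stack
[Feb 20 05:20:01] VERBOSE[2291] logger.c:     -- Executing [7321@sip:3] Hangup("SIP/192.0.2.10-b0828f20", "") in new stack
[Feb 20 05:20:02] VERBOSE[2292] logger.c:     -- Executing [1234@sip:1] Answer("SIP/1001-0a1b2c3d", "") in new stack
[Feb 20 05:20:02] VERBOSE[2293] logger.c:     -- Executing [7321@sip:1] Answer("SIP/192.0.2.10-b6130f70", "") in new stack
[Feb 20 05:20:03] VERBOSE[2294] logger.c:     -- Executing [7321@sip:1] Answer("SIP/192.0.2.10-c0ffee00", "") in new stack
[Feb 20 05:31:15] VERBOSE[2310] logger.c:     -- Executing [7321@sip:1] Answer("SIP/192.0.2.10-deadbeef", "") in new stack
"""

# '-- Executing [exten@context:priority] App("channel", ...)' as logged by the dialplan engine
EXEC_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+\S+\s+\S+:\s+--\s+Executing\s+'
    r'\[(?P<exten>[^@\]]+)@(?P<context>[^:\]]+):(?P<priority>\d+)\]\s+'
    r'(?P<app>\w+)\("(?P<channel>[^"]+)"'
)

# chan_sip names channels SIP/<peer name or IP>-<8 hex digit unique id>
CHANNEL_RE = re.compile(r'^SIP/(?P<peer>.+)-(?P<uniq>[0-9a-f]{8})$')


def parse_exec_line(line):
    """Return a dict for one dialplan "Executing" line, or None for any other line.

    The 1.4 timestamp carries no year, so strptime defaults it to 1900; only
    differences between timestamps are used here, so that does not matter.
    """
    m = EXEC_RE.match(line)
    if not m:
        return None
    c = CHANNEL_RE.match(m.group("channel"))
    if not c:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "exten": m.group("exten"),
        "context": m.group("context"),
        "priority": int(m.group("priority")),
        "app": m.group("app"),
        "channel": m.group("channel"),
        "peer": c.group("peer"),
        "uniq": c.group("uniq"),
    }


def peer_is_ip(peer):
    """True when the peer part of the channel name is a bare IP address, which
    is what chan_sip uses when the INVITE matched no configured peer or user."""
    try:
        ipaddress.ip_address(peer)
        return True
    except ValueError:
        return False


def detect_guest_bursts(log_text, window_seconds=60, threshold=10):
    """Return [(first_timestamp, channel_count), ...] for each run of at least
    `threshold` distinct IP-named channels whose first log line falls within
    `window_seconds` of the run's first one. Threshold and window are assumed
    values; tune them to the site's normal call volume."""
    seen = set()
    starts = []
    for line in log_text.splitlines():
        ev = parse_exec_line(line)
        if ev is None or not peer_is_ip(ev["peer"]):
            continue
        if ev["channel"] not in seen:   # first line for a channel = a new call
            seen.add(ev["channel"])
            starts.append(ev["ts"])
    starts.sort()
    bursts = []
    i = 0
    while i < len(starts):
        j = i
        while j < len(starts) and (starts[j] - starts[i]).total_seconds() <= window_seconds:
            j += 1
        if j - i >= threshold:
            bursts.append((starts[i], j - i))
            i = j                       # skip past the burst just reported
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for first, count in detect_guest_bursts(SAMPLE_FULL_LOG, window_seconds=60, threshold=3):
        print(f"{count} calls from unmatched peers within 60s starting {first:%b %d %H:%M:%S}")
```

Keyed on the first log line per channel, the count is one per call rather than one per dialplan step, so the Answer/AGI/Hangup triplet in the post counts once. The alert says when a burst is running, not where it comes from: the log lines quoted above carry no remote address, so the alert is the cue to switch on sip debug for just that window instead of leaving it on permanently. A channel named by IP rather than by peer also means chan_sip matched no configured peer or user and handled the INVITE as a guest call in the default context; sip.conf's allowguest=no refuses such calls before the dialplan, and therefore the AGI, ever runs.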

 
