[asterisk-users] Detecting DoS attacks via SIP

Telium Technical Support support at telium.ca
Sat Aug 19 15:36:03 CDT 2017 

I think you missed the point of the Digium post.  Fail2ban can ONLY ban IP’s if Asterisk records a failure to register.  Asterisk does not detect malformed SIP packets, buffer overflow attacks, suspicious dialing patterns, connection attempts outside geofenced areas, use of stolen credentials (rapid  ramp of calls using one set of credentials), etc.

 

Asterisk only gives you a rudimentary “failed” message for a failure to register / wrong credentials.  And of course fail2ban only responds to Asterisk log messages, so it does little more than ban the annoying script kiddies.

 

Have a good look at that Voip-Info page and read what actual SIP security systems do.  Then compare that to fail2ban and it’s night & day difference.  People still think fail2ban is a security system, and Digium is very clear that it is NOT.

 

 

From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Kseniya Blashchuk
Sent: Thursday, August 17, 2017 12:41 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users at lists.digium.com>
Subject: Re: [asterisk-users] Detecting DoS attacks via SIP

 

Well, correct me if I'm wrong, but I would say this conversation you have posted is a bit outdated, now fail2ban can be used with asterisk security log https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger.

 

On Thu, Aug 17, 2017, 4:53 AM Telium Technical Support <support at telium.ca <mailto:support at telium.ca> > wrote:

Keep in mind that the attacks you are seeing in the log are ONLY the ones
that Asterisk is detecting and rejecting.  All other attacks aren't even
showing up!

There's a good discussion of how to secure your PBX here:
https://www.voip-info.org/wiki/view/asterisk+security

In general, don't let the malevolent traffic get as far as the PBX (block at
the firewall).  Also, Digium regularly warns users that fail2ban is NOT a
security system: http://forums.asterisk.org/viewtopic.php?p=159984

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com <mailto:asterisk-users-bounces at lists.digium.com> 
[mailto:asterisk-users-bounces at lists.digium.com <mailto:asterisk-users-bounces at lists.digium.com> ] On Behalf Of mdiehl
Sent: Tuesday, August 15, 2017 3:38 PM
To: asterisk-users at lists.digium.com <mailto:asterisk-users at lists.digium.com> 
Subject: [asterisk-users] Detecting DoS attacks via SIP

Hi all,

Lately, I've seen an increase in the number of attacks against my system
from the so-called "Friendly Scanner."  When one of these script kiddies
targets my server, all I see for symptoms is a few of my trunks become
lagged due to server load and a stream of messages on the console that
resemble this:

[Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
[Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
[Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
[Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
[Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
[Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
[Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
[Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
[Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6


I have to turn on sip debugging to find out who's hitting me.  However, I
can't just leave it on because it would kill my logging system.

So, how are other people handling this?  Is there an AMI event I want watch
for?  I watch for PeerStatus, but since there's no actual peer in the
attack, I don't seem to get an event from AMI.

Any ideas?

Mike Diehl.

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at:
https://community.asterisk.org/

New to Asterisk? Start here:
      https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
      https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20170819/bfb7c900/attachment.html>

More information about the asterisk-users mailing list