[asterisk-users] Detecting DoS attacks via SIP

Sat Aug 19 22:54:02 CDT 2017

I appreciate the discussion on the question I asked.

I currently listen for failed registration attempts via AMI and
automatically block the offending IP address at the firewall.  I was hoping
to find another AMI event that would be the magic bullet I need, but it
doesn't sound like that's going to happen.

I understand that fail2ban is probably not what I want and probably
wouldn't detect the attacks I'm seeing.

It turns out that not all of the attacks are from the "friendly scanner,"
but enough of them are that it's a good start.

So, I really like the idea of the IP geo location firewall rules coupled
with the "friendly scanner" filter, as provided by a few of you guys.  It
was mentioned that this is a broad hammer, but I'm kinda looking for a
broad hammer! ;^)

Looks like I need to do some research, but I think I have what I need.

Thanks again,

Mike Diehl.

On Sat, Aug 19, 2017 at 4:36 PM, Telium Technical Support <support at telium.ca
> wrote:

> I think you missed the point of the Digium post.  Fail2ban can ONLY ban
> IP’s if Asterisk records a failure to register.  Asterisk does not detect
> malformed SIP packets, buffer overflow attacks, suspicious dialing
> patterns, connection attempts outside geofenced areas, use of stolen
> credentials (rapid  ramp of calls using one set of credentials), etc.
>
>
>
> Asterisk only gives you a rudimentary “failed” message for a failure to
> register / wrong credentials.  And of course fail2ban only responds to
> Asterisk log messages, so it does little more than ban the annoying script
> kiddies.
>
>
>
> Have a good look at that Voip-Info page and read what actual SIP security
> systems do.  Then compare that to fail2ban and it’s night & day
> difference.  People still think fail2ban is a security system, and Digium
> is very clear that it is NOT.
>
>
>
>
>
> *From:* asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-
> bounces at lists.digium.com] *On Behalf Of *Kseniya Blashchuk
> *Sent:* Thursday, August 17, 2017 12:41 AM
> *To:* Asterisk Users Mailing List - Non-Commercial Discussion <
> asterisk-users at lists.digium.com>
> *Subject:* Re: [asterisk-users] Detecting DoS attacks via SIP
>
>
>
> Well, correct me if I'm wrong, but I would say this conversation you have
> posted is a bit outdated, now fail2ban can be used with asterisk security
> log https://wiki.asterisk.org/wiki/display/AST/Asterisk+
> Security+Event+Logger.
>
>
>
> On Thu, Aug 17, 2017, 4:53 AM Telium Technical Support <support at telium.ca>
> wrote:
>
> Keep in mind that the attacks you are seeing in the log are ONLY the ones
> that Asterisk is detecting and rejecting.  All other attacks aren't even
> showing up!
>
> There's a good discussion of how to secure your PBX here:
> https://www.voip-info.org/wiki/view/asterisk+security
>
> In general, don't let the malevolent traffic get as far as the PBX (block
> at
> the firewall).  Also, Digium regularly warns users that fail2ban is NOT a
> security system: http://forums.asterisk.org/viewtopic.php?p=159984
>
> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com
> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of mdiehl
> Sent: Tuesday, August 15, 2017 3:38 PM
> To: asterisk-users at lists.digium.com
> Subject: [asterisk-users] Detecting DoS attacks via SIP
>
> Hi all,
>
> Lately, I've seen an increase in the number of attacks against my system
> from the so-called "Friendly Scanner."  When one of these script kiddies
> targets my server, all I see for symptoms is a few of my trunks become
> lagged due to server load and a stream of messages on the console that
> resemble this:
>
> [Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
> [Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
> [Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
> [Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
> [Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6
>
>
> I have to turn on sip debugging to find out who's hitting me.  However, I
> can't just leave it on because it would kill my logging system.
>
> So, how are other people handling this?  Is there an AMI event I want watch
> for?  I watch for PeerStatus, but since there's no actual peer in the
> attack, I don't seem to get an event from AMI.
>
> Any ideas?
>
> Mike Diehl.
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Check out the new Asterisk community forum at:
> https://community.asterisk.org/
>
> New to Asterisk? Start here:
>       https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
>
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Check out the new Asterisk community forum at: https://community.asterisk.
> org/
>
> New to Asterisk? Start here:
>       https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
>
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Check out the new Asterisk community forum at: https://community.asterisk.
> org/
>
> New to Asterisk? Start here:
>       https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20170819/ea8a2094/attachment.html>