[asterisk-users] SIP invite timeouts : how is someone sending invites from our server ??

sean darcy seandarcy2 at gmail.com
Tue Jan 2 16:30:05 CST 2018


On 12/30/2017 08:18 PM, Dovid Bender wrote:
> Script kiddies trying to find vulnerable systems that they can make 
> calls on. Lock down the box with iptables and use fail2ban to block 
> them. The via is probably bogus unless a box at the DoD was compromised.
> 
> 
> 
> On Sat, Dec 30, 2017 at 6:49 PM, sean darcy <seandarcy2 at gmail.com> wrote:
> 
>     I've been getting a lot of timeouts on non-critical invite
>     transactions. I turned on sip debug. They were the result of SIP
>     invites like this:
> 
>     Retransmitting #10 (NAT) to 185.107.94.10:13057:
>     SIP/2.0 401 Unauthorized
>     Via: SIP/2.0/UDP 215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p;received=185.107.94.10;rport=13057
>     From: <sip:a'or'3=3--@<myip-address>;transport=UDP>;tag=fptfih1e
>     To: <sip:00141225184741@<myip-address>;transport=UDP>;tag=as2913c67b
>     Call-ID: 5YpLDUSIs6l3xbDXsurYTu..
>     CSeq: 1 INVITE
>     Server: Asterisk PBX 13.19.0-rc1
>     Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY,
>     INFO, PUBLISH, MESSAGE
>     Supported: replaces, timer
>     WWW-Authenticate: Digest algorithm=MD5, realm="asterisk_home",
>     nonce="14be1363"
>     Content-Length: 0
> 
>     ---
>       WARNING[1868]: chan_sip.c:4065 retrans_pkt: Retransmission timeout
>     reached on transmission 5YpLDUSIs6l3xbDXsurYTu.. for seqno 1
>     (Non-critical Response) -- See
>     https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
>     Packet timed out after 32000ms with no response
>       WARNING[1868]: chan_sip.c:4124 retrans_pkt: Timeout on
>     5YpLDUSIs6l3xbDXsurYTu.. on non-critical invite transaction.
> 
>     Looking up the ip addresses:
> 
>     whois 185.107.94.10
>     .............
>     inetnum:        185.107.94.0 - 185.107.94.255
>     netname:        NFORCE_ENTERTAINMENT
>     descr:          Serverhosting
>     ..................
>     organisation:   ORG-NE3-RIPE
>     org-name:       NForce Entertainment B.V.
>     org-type:       LIR
>     address:        Postbus 1142
>     address:        4700BC
>     address:        Roosendaal
>     address:        NETHERLANDS
>     phone:          +31206919299
>     ...................
> 
>     whois 215.45.145.211
>     .................
>     NetRange:       215.0.0.0 - 215.255.255.255
>     CIDR:           215.0.0.0/8
>     NetName:        DNIC-NET-215
>     NetHandle:      NET-215-0-0-0-1
>     Parent:          ()
>     NetType:        Direct Assignment
>     OriginAS:
>     Organization:   DoD Network Information Center (DNIC)
>     RegDate:        1998-06-04
>     Updated:        2011-06-21
>     Ref:            https://whois.arin.net/rest/net/NET-215-0-0-0-1
> 
>     OrgName:        DoD Network Information Center
>     OrgId:          DNIC
>     Address:        3990 E. Broad Street
>     City:           Columbus
>     StateProv:      OH
> 
>     So how is someone on a Dutch ISP using my server to mess with a US
>     DoD ip address?
> 

I don't see how fail2ban would help. asterisk isn't rejecting anything. 
There's no attempt with username/password.

How could I use iptables to "lock it down"? We get sip calls from all 
over. Is there something about the incoming packet we could use? For 
instance, any packet containing a VIA instruction? For that matter, 
can SIP be configured to drop any VIA request?

sean
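Via is a header every SIP request must carry, so it cannot be filtered on as such; what gives these probes away in the quoted trace is that Asterisk appended received=185.107.94.10 to the Via because the sent-by address (215.45.145.211) did not match the address the packet actually arrived from. The following is an added example, not code from the thread: it parses the quoted 401, reports the real source address (the one a firewall or fail2ban rule should key on) and flags the injection-style From user; 203.0.113.5 stands in for the poster's server address and the set of "suspicious" user-part characters is an assumption.

```python
import re

# Constructed sample, transcribed from the 401 response quoted in the thread;
# 203.0.113.5 stands in for the list member's own server address.
PROBE_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/UDP 215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p"
    ";received=185.107.94.10;rport=13057\r\n"
    "From: <sip:a'or'3=3--@203.0.113.5;transport=UDP>;tag=fptfih1e\r\n"
    "To: <sip:00141225184741@203.0.113.5;transport=UDP>;tag=as2913c67b\r\n"
    "Call-ID: 5YpLDUSIs6l3xbDXsurYTu..\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Characters that do not belong in a dial-able user part (assumed set); the
# quoted probe carries a SQL-injection style string (a'or'3=3--) in that spot.
SUSPICIOUS_USER = re.compile(r"""['"\s;]|--""")

def parse_headers(msg):
    """Map lower-cased header names to their values, in order (start line skipped)."""
    headers = {}
    for line in msg.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def top_via(headers):
    """Return (sent-by host, parameter dict) of the topmost Via header."""
    _, _, rest = headers["via"][0].partition(" ")
    sent_by, *params = rest.split(";")
    host = sent_by.rsplit(":", 1)[0] if ":" in sent_by else sent_by
    return host, dict(p.partition("=")[::2] for p in params)

def assess(msg):
    """Report where the packet really came from and whether it looks like a scanner probe."""
    headers = parse_headers(msg)
    sent_by, params = top_via(headers)
    # RFC 3261 18.2.1: the receiving server adds received= when the Via's
    # sent-by address differs from the address the packet actually arrived from.
    actual = params.get("received", sent_by)
    m = re.search(r"sip:([^@>;]+)@", headers.get("from", [""])[0])
    user = m.group(1) if m else ""
    return {
        "via_sent_by": sent_by,
        "actual_source": actual,        # the address a firewall rule should key on
        "via_spoofed": actual != sent_by,
        "from_user": user,
        "from_suspicious": bool(SUSPICIOUS_USER.search(user)),
    }

if __name__ == "__main__":
    for key, value in assess(PROBE_401).items():
        print(f"{key:16} {value}")
```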