[asterisk-users] Decoding SIP register hack

sean darcy seandarcy2 at gmail.com
Fri May 18 13:12:39 CDT 2018


On 05/17/2018 05:29 PM, sean darcy wrote:
> On 05/17/2018 04:47 PM, Daniel Tryba wrote:
>> On Thu, May 17, 2018 at 12:27:17PM -0400, sean darcy wrote:
>>>>         WARNING.* .*: fail2ban='<HOST>'
>>>>
>>>> # Option:  ignoreregex
>>>> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
>>>> # Values:  TEXT
>>>> #
>>>> ignoreregex =
>>>>
>>>>
>>> Thanks. Very useful as a tutorial for fail2ban.
>>>
>>> But I don't think it covers this SIP hack. This guy isn't trying to
>>> register.
>>
>> His filter doesn't only trigger on REGISTERs, see the last line of the
>> matches and the context for guests (which logs the pattern of the last
>> line of the filter on an INVITE).
>>
> 
> I'm far from a regex expert, but I don't think that last line would 
> capture anything in the invite. In fact, asterisk doesn't throw any 
> WARNING at all for this INVITE.
> 
> I'm not sure, but I don't even see how you can get asterisk to log these 
> invites at all. There's no heading such as WARNING (or NOTICE, SECURITY, 
> etc).
> 
>>>   That why I find it puzzling. What is he trying to do ?
>>
>> There are sip servers publicly reachable that will relay INVITEs, make
>> sure yours aren't. And there are only 2 kinds of operators of sip
>> server:
>> -those that have been the victim of toll fraud
>> -those that will be the victim of toll fraud
>>
>> You can do nothing to stop this kind of traffic. The only thing you can
>> do is block it, either using only a whitelist (cumbersome) or generate a
>> blacklist with for example fail2ban or a more elaborate honeypot setup.
>> Or setup a proxy that will filter patterns you discover from
>>
>> BTW this is not a person, this is an automated script, running most
>> likely on compromised machines and sending spoofed ips. These scripts
>> care about generating a ring on a phone (again most an abuseable/hacked
>> account (or purchased with CC fraud)). If they find a server that does,
>> it will be targeted for all kind of fraud.
>>
> 
> Very interesting.
> 
> sen
> 
> 
> 


I found these by staring at sip debug, and tying together the SIP 
retransmission id with the INVITE. That was an afternoon! Is there any 
way to automate this ? Specifically, find the INVITE that generates the 
retransmission ?

Otherwise, I can't see how anyone could block these attempts.

 > There are sip servers publicly reachable that will relay INVITEs, make
 > sure yours aren't.

How do I make sure my server won't relay INVITEs ?

sean
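One way to automate the "which INVITE caused this retransmission" step from the question above. This is an added example, not code from the thread or from Asterisk: it walks a `sip set debug` style transcript, keys every message by its Call-ID, and pairs each `Retransmitting #n` block with the INVITE that opened that Call-ID. The underlying reason the retransmissions appear at all is that a non-2xx final response to an INVITE (here the 401) is resent until the sender ACKs it, and a scanner working from a spoofed or throwaway source never ACKs. The transcript below is constructed to mimic chan_sip debug output, and the local-host set plus the "looks like an international number" heuristic are placeholders you would replace with your own values.

```python
"""Correlate INVITEs with their retransmissions in Asterisk 'sip set debug'
output and flag ones that look like relay / toll-fraud probes.

Added example, not code from the thread.  The transcript layout mimics
chan_sip debug output; LOCAL_HOSTS and INTL_RE are placeholders to adapt."""
import re

# Constructed sample (not captured traffic): 198.51.100.10 is the PBX,
# 203.0.113.5 an internet scanner, 192.0.2.20 a phone on the LAN.
SAMPLE_DEBUG = """\
<--- SIP read from UDP:203.0.113.5:5060 --->
INVITE sip:00119725551234@198.51.100.10 SIP/2.0
Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK-2f1a;rport
From: "1001" <sip:1001@198.51.100.10>;tag=abc1
To: <sip:00119725551234@198.51.100.10>
Call-ID: 7d9f1c2e@203.0.113.5
CSeq: 1 INVITE
Content-Length: 0

<------------->
<--- Transmitting (no NAT) to 203.0.113.5:5060 --->
SIP/2.0 401 Unauthorized
Call-ID: 7d9f1c2e@203.0.113.5
CSeq: 1 INVITE
Content-Length: 0

<------------>
Retransmitting #1 (no NAT) to 203.0.113.5:5060:
SIP/2.0 401 Unauthorized
Call-ID: 7d9f1c2e@203.0.113.5
CSeq: 1 INVITE
Content-Length: 0

<--- SIP read from UDP:192.0.2.20:5060 --->
INVITE sip:1002@198.51.100.10 SIP/2.0
From: "Alice" <sip:1001@198.51.100.10>;tag=q9
To: <sip:1002@198.51.100.10>
Call-ID: 41b7@192.0.2.20
CSeq: 2 INVITE
Content-Length: 0

<------------->
"""

# One regex for the three block headers chan_sip prints around a packet.
BLOCK_RE = re.compile(
    r"^(?:<--- SIP read from \w+:(?P<rd>[\d.]+):\d+ --->"
    r"|<--- Transmitting .* to (?P<tx>[\d.]+):\d+ --->"
    r"|Retransmitting #(?P<n>\d+) .* to (?P<rt>[\d.]+):\d+:)$")
END_RE = re.compile(r"^<-+>$")
URI_RE = re.compile(r"sip:(?:(?P<user>[^@>;\s]+)@)?(?P<host>[^>;\s:]+)")
INTL_RE = re.compile(r"^(?:\+|00|011)\d{7,}$")  # placeholder dial-prefix heuristic


def parse_debug(text):
    """Split a transcript into records: kind (read/tx/retx), peer IP,
    retransmit counter, start line and a lowercase header dict.
    Long-form header names only; compact forms (i:, f:, t:) are not mapped."""
    records, cur = [], None
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            cur = {"kind": "read" if m.group("rd") else "tx" if m.group("tx") else "retx",
                   "peer": m.group("rd") or m.group("tx") or m.group("rt"),
                   "retx": int(m.group("n") or 0), "start": None, "headers": {}}
            records.append(cur)
        elif cur is None or END_RE.match(line) or line == "":
            cur = None  # blank line ends the headers; separators are ignored
        elif cur["start"] is None:
            cur["start"] = line
        elif ":" in line:
            name, value = line.split(":", 1)
            cur["headers"][name.strip().lower()] = value.strip()
    return records


def uri_parts(value):
    m = URI_RE.search(value or "")
    return (m.group("user"), m.group("host")) if m else (None, None)


def analyze(text, local_hosts):
    """Pair each retransmission with its INVITE via Call-ID and tag INVITEs
    whose Request-URI host, From-domain or destination number look wrong."""
    invites, retx = {}, []
    for r in parse_debug(text):
        cid = r["headers"].get("call-id")
        if r["kind"] == "read" and r["start"].startswith("INVITE "):
            ruri_user, ruri_host = uri_parts(r["start"])
            from_user, from_host = uri_parts(r["headers"].get("from"))
            reasons = []
            if ruri_host not in local_hosts:
                reasons.append("request-uri host is not ours (relay attempt)")
            if ruri_user and INTL_RE.match(ruri_user):
                reasons.append("destination looks like an international number")
            if from_host not in local_hosts:
                reasons.append("from-domain is not ours")
            invites[cid] = {"call_id": cid, "src": r["peer"], "ruri": f"{ruri_user}@{ruri_host}",
                            "from": f"{from_user}@{from_host}", "reasons": reasons, "retransmits": 0}
        elif r["kind"] == "retx":
            inv = invites.get(cid)
            if inv:
                inv["retransmits"] = max(inv["retransmits"], r["retx"])
            retx.append({"call_id": cid, "n": r["retx"], "status": r["start"],
                         "invite": inv["ruri"] if inv else None})
    return {"invites": list(invites.values()), "retransmissions": retx}


if __name__ == "__main__":
    for inv in analyze(SAMPLE_DEBUG, {"198.51.100.10"})["invites"]:
        flag = "SUSPECT" if inv["reasons"] else "ok"
        print(f"{flag:7} {inv['src']:15} {inv['ruri']:32} retx={inv['retransmits']} "
              + "; ".join(inv["reasons"]))
```

Run it against a saved `sip set debug` capture instead of `SAMPLE_DEBUG` and the SUSPECT lines give you the source IP and Call-ID of every probe in one pass, which is the list you would feed to a firewall or fail2ban rather than reconstructing it by hand. Matching on Call-ID alone is enough for scanner traffic; if you also want to separate re-INVITEs within one dialog, add the CSeq number to the key.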



