[asterisk-users] Decoding SIP register hack
seandarcy2 at gmail.com
Fri May 18 13:12:39 CDT 2018
On 05/17/2018 05:29 PM, sean darcy wrote:
> On 05/17/2018 04:47 PM, Daniel Tryba wrote:
>> On Thu, May 17, 2018 at 12:27:17PM -0400, sean darcy wrote:
>>>> WARNING.* .*: fail2ban='<HOST>'
>>>> # Option: ignoreregex
>>>> # Notes.: regex to ignore. If this regex matches, the line is ignored.
>>>> # Values: TEXT
>>>> ignoreregex =
>>> Thanks. Very useful as a tutorial for fail2ban.
>>> But I don't think it covers this SIP hack. This guy isn't trying to
>> His filter doesn't only trigger on REGISTERs, see the last line of the
>> matches and the context for guests (which logs the pattern of the last
>> line of the filter on an INVITE).
> I'm far from a regex expert, but I don't think that last line would
> capture anything in the invite. In fact, asterisk doesn't throw any
> WARNING at all for this INVITE.
> I'm not sure, but I don't even see how you can get asterisk to log these
> invites at all. There's no heading such as WARNING( or NOTICE, SECURITY,
>>> That why I find it puzzling. What is he trying to do ?
>> There are sip servers publicly reachable that will relay INVITEs, make
>> sure yours aren't. And there are only 2 kinds of operators of sip
>> -those that have been the victim of toll fraud
>> -those that will be the victim of toll fraud
>> You can do nothing to stop this kind of traffic. The only thing you can
>> do is block it, either using only a whitelist (cumbersome) or generate a
>> blacklist with for example fail2ban or a more elaborate honeypot setup.
>> Or setup a proxy that will filter patterns you discover from
>> BTW this is not a person, this is an automated script, running most
>> likely on compromised machines and sending spoofed ips. These scripts
>> care about generating a ring on a phone (again most an abuseable/hacked
>> account (or purchased with CC fraud)). If they find a server that does,
>> it will be targetted for all kind of fraud.
> Very interesting.
I found these by staring at sip debug, and tying together the SIP
retransmission id with the INVITE. That was an afternoon! Is there any
way to automate this ? Specifically, find the INVITE that generates the
Otherwise, I can't see how anyone could block these attempts.
> There are sip servers publicly reachable that will relay INVITEs, make
> sure yours aren't.
How do I make sure my server won't relay INVITEs ?
More information about the asterisk-users