[asterisk-users] Playing with sipvicious ..
Gordon Henderson
gordon+asterisk at drogon.net
Wed Aug 18 11:10:00 CDT 2010
... using it as a tool and understanding what it does...

So one part of its toolset identifies valid SIP accounts - and I was under
the impression that alwaysauthreject=yes was supposed to stop this...

However, it sends a request for a highly probably non-existent account,
then sends requests for probably existing accounts and I guess compares
the results - account not found vs. bad username or password... It thus
trivially, and very quickly, finds valid accounts when fed with a list of
accounts to try in the first place (e.g. 100-999, or 1000-9999, etc.)

I wonder if it's time to introduce yet another parameter to it - which
will cause asterisk to return the same error code for all 3 conditions -
and return the "not found" error, even on bad username or password.
It breaks the RFC even more, but might it be worth it?

(I've just had 30GB of sipvicious traffic sent to my hosted servers in a
12-hour period - it came from what looked like a VPS host in France -
trivially firewalled out, but even dropping the packets didn't stop the
flood! It's so badly written it appears to just ignore any return codes
that it doesn't want, or even no returns at all!)
Gordon