[asterisk-users] sip dos question

adamk at 3a.hu adamk at 3a.hu
Wed Jan 19 03:23:23 CST 2011


Hi List,

I've been receiving several SIP registration probes in the last month, 
and as this server is a testing site (no external lines, no nothing) I 
have no fail2ban and am still not planning to install it.  Whenever I have 
Nagios telling me that there is another 'guest', I go and edit iptables 
manually and that's it.

Recently I discovered that these attacks start with some kind of 
dictionary, and try to guess valid peer names to use, one by one. 
Apparently after a quarter of a million tries, they do find a legitimate SIP 
peer name, and from that point they stick to that peer name and the attack 
continues to guess only passwords.  Of course, they cannot guess 
passwords like p(F9j43/Qgrhjv*&^3, so I'm still not worried, but this 
made me believe that Asterisk responds differently when probing a valid 
SIP peer name.

So I was wandering through sip.conf and found 'alwaysauthreject', 
which was set to the default (commented out).  I have now set its value to 
yes (which I thought was the default setting).

Does this setting make the attacker believe that the first SIP peer 
name tried was valid, but only the password was incorrect?  So in this 
case, should they stick to the first name tried, whatever it was?

Thanks,
Adam
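The behaviour Adam is asking about, as an added example (not Asterisk code and not from the original post): a toy SIP registrar that models the two REGISTER reply paths. The reply codes are the example's own assumption, approximating chan_sip's handling: an unknown peer gets 404 Not Found when alwaysauthreject is off, but the same 401 challenge followed by 403 Forbidden as a wrong password when it is on. The peer table, realm, URI, candidate names and wordlist are all constructed for the example. With the leaky setting a name-enumeration loop recovers the real peers; with alwaysauthreject=yes every candidate looks the same, so the attacker cannot tell which name to spend the password dictionary on.

```python
"""Toy model of SIP REGISTER replies with and without alwaysauthreject.

Constructed example; reply codes approximate chan_sip and are an assumption
of this example, not a quote from Asterisk's source.
"""
import hashlib
import secrets

# Constructed peer table standing in for sip.conf [peer] sections (name -> secret).
PEERS = {
    "1001": "p(F9j43/Qgrhjv*&^3",
    "office": "correct horse",
}
REALM = "asterisk"               # assumed realm for the digest computation
URI = "sip:pbx.example"          # assumed request URI for the digest computation


def digest_response(user, password, nonce, method="REGISTER", uri=URI):
    """RFC 2617 MD5 digest response without qop, as SIP digest auth uses it."""
    ha1 = hashlib.md5(f"{user}:{REALM}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


class ToyRegistrar:
    """Assumed reply codes (approximating chan_sip):
      unknown peer, alwaysauthreject=no  -> 404 Not Found   (leaks 'no such peer')
      unknown peer, alwaysauthreject=yes -> 401 challenge, then 403 Forbidden
      known peer, no/bad credentials     -> 401 challenge, then 403 Forbidden
      known peer, good credentials       -> 200 OK
    """

    def __init__(self, peers, always_auth_reject):
        self.peers = peers
        self.always_auth_reject = always_auth_reject
        self.nonces = {}  # last nonce issued per requested user name

    def register(self, user, auth=None):
        """auth is None for the first, unauthenticated REGISTER, otherwise
        (nonce, response) taken from the client's Authorization header."""
        known = user in self.peers
        if not known and not self.always_auth_reject:
            return 404  # distinguishable: the prober learns this name is invalid
        if auth is None:
            nonce = secrets.token_hex(8)
            self.nonces[user] = nonce
            return 401  # challenge; a fake one for unknown peers when alwaysauthreject=yes
        nonce, response = auth
        if (known and nonce == self.nonces.get(user)
                and secrets.compare_digest(
                    response, digest_response(user, self.peers[user], nonce))):
            return 200
        return 403  # identical for wrong password and (with alwaysauthreject) unknown peer


def enumerate_peers(registrar, candidates):
    """What the probe in the post does: one REGISTER per candidate name,
    keeping the names whose reply differs from 'no such peer'."""
    return {name for name in candidates if registrar.register(name) != 404}


def guess_password(registrar, user, wordlist):
    """Dictionary attack against one name: answer the challenge with each guess."""
    for pw in wordlist:
        registrar.register(user)              # obtain a fresh challenge
        nonce = registrar.nonces.get(user)
        if nonce is None:                     # got 404, nothing to answer
            return None
        if registrar.register(user, (nonce, digest_response(user, pw, nonce))) == 200:
            return pw
    return None


if __name__ == "__main__":
    candidates = ["100", "1000", "1001", "1002", "admin", "office"]
    print("alwaysauthreject=no :", sorted(enumerate_peers(ToyRegistrar(PEERS, False), candidates)))
    print("alwaysauthreject=yes:", sorted(enumerate_peers(ToyRegistrar(PEERS, True), candidates)))
```

Note that the setting only removes the oracle in the reply; it does not slow the password dictionary against a name the attacker already has, so it complements rather than replaces strong secrets and a firewall or fail2ban rule.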


