[asterisk-users] sip dos question
Kyle Kienapfel
doctor.whom at gmail.com
Thu Jan 20 13:41:11 CST 2011
I understood that option worked the other way around so attacker
thinks peer name is invalid even when they hit a real one.
On Wed, Jan 19, 2011 at 2:23 AM, <adamk at 3a.hu> wrote:
> Hi List,
>
> i've been receiving several sip registration probes in the last month, and
> as this server is a testing site (no external lines, no nothing) i have no
> fail2ban and still not planning to install. Whenever i have nagios telling
> me that there is another 'guest', i go and edit iptables manually and that's
> it.
>
> Recently i discovered that these attacks start with some kind of dictionary,
> and try to guess valid peer names to use one by one. Apparently after
> quarter million tries, they do find a legitim sip peer name and from that
> point they stick to that peer name and the attack continues to guess only
> passwords. Of course, they can not guess passwords like p(F9j43/Qgrhjv*&^3
> so i'm still not worried, but this made me believe that asterisk responds
> differently when probing a valid sip peer name.
>
> So i was wondering through the sip.conf and found 'alwaysauthreject' which
> was set to default (commented out). I now set its value to yes (which i
> thought was the default setting).
>
> Does this setting makes the attacker believe that the first try of sip peer
> name was valid, but only the password was incorrect? So in this case should
> they stick to the first name tried whatever it was?
>
> thanks
> adam
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
>
More information about the asterisk-users
mailing list