Post #1 | Aug 25 2009, 09:30 PM
Advanced Member | Group: Members | Posts: 267 | Joined: 8-February 08 | From: Bloomington, MN | Member No.: 384

I was wondering what features are coming down the line to protect from SIP based DoS attacks against PBXnSIP. I am concerned because on 2 different occasions I have had a PBX go down (99% cpu utilization on pbxctrl.exe) because of malformed registration packets. The packets were caused from a router that did not properly work with SIP. I am worried because this was unintentional, so I could imagine the impact malformed registration packets could have if someone was intentionally trying to make the server unusable.

Post #2 | Aug 26 2009, 03:18 AM
Advanced Member | Group: Administrators | Posts: 849 | Joined: 10-November 08 | Member No.: 1,554

> I was wondering what features are coming down the line to protect from SIP based DoS attacks against PBXnSIP. I am concerned because on 2 different occasions I have had a PBX go down (99% cpu utilization on pbxctrl.exe) because of malformed registration packets. The packets were caused from a router that did not properly work with SIP. I am worried because this was unintentional, so I could imagine the impact malformed registration packets could have if someone was intentionally trying to make the server unusable.

We have some protection (using access lists) against the attacks. We would like to see these malformed messages if you have any.

Post #3 | Aug 26 2009, 06:39 AM
Advanced Member | Group: Administrators | Posts: 4,361 | Joined: 24-January 07 | Member No.: 4

> I was wondering what features are coming down the line to protect from SIP based DoS attacks against PBXnSIP. I am concerned because on 2 different occasions I have had a PBX go down (99% cpu utilization on pbxctrl.exe) because of malformed registration packets. The packets were caused from a router that did not properly work with SIP. I am worried because this was unintentional, so I could imagine the impact malformed registration packets could have if someone was intentionally trying to make the server unusable.

What we have seen are packet storms that register over and over. This can be just a buggy device that just thinks that it should answer a password change with the wrong password over and over or a device that has a problem with the duration of the registration. We also have seen devices that try passwords out (so better not to choose "123" as a password!). In any case, in version 4 we now automatically add the source address to the blocked list for one hour (parameters adjustable). That solves this problem.

Post #4 | Sep 1 2009, 10:37 PM
Advanced Member | Group: Members | Posts: 267 | Joined: 8-February 08 | From: Bloomington, MN | Member No.: 384

One of our customer's softswitches got hit by a DoS attack this morning. I am attaching the packet capture from before I blocked it at the firewall. It ran the processor up to 99% and the memory up to 1 gig. After blocking the IP, it took stopping/starting the service to reclaim the memory. Just want to make sure that the newer versions will automatically protect against attacks like this. The customer was running 3.3.2.3183 (Win32).

Post #5 | Sep 2 2009, 07:37 AM
Advanced Member | Group: Administrators | Posts: 4,361 | Joined: 24-January 07 | Member No.: 4

> One of our customer's softswitches got hit by a DoS attack this morning. I am attaching the packet capture from before I blocked it at the firewall. It ran the processor up to 99% and the memory up to 1 gig. After blocking the IP, it took stopping/starting the service to reclaim the memory. Just want to make sure that the newer versions will automatically protect against attacks like this. The customer was running 3.3.2.3183 (Win32).

Yea, in version 4 this friendly scanner will do this 10 times then the PBX will block the traffic. Of course, one problem remains. The packets take a lot of bandwidth and if your link is "slow" then other valid requests might be dropped. Maybe you should contact roxfarma.com.pe for a statement as the IP address resolves like this:

Post #6 | Sep 11 2009, 12:06 AM
Advanced Member | Group: Members | Posts: 503 | Joined: 18-December 08 | From: NJ - USA | Member No.: 1,999

Our 4.0 server also got attacked by the SAME IP.
After 5 attempts the PBX DID in fact block out that IP.

--------------------
If you're not going to ask, you will never learn!
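
The automatic blocking described in posts #3, #5 and #6 (a source address goes on the blocked list for one hour after a run of failed registrations), shown as an added example; it is not part of the thread and not PBXnSIP's code. The class and function names, the 60-second counting window and the sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque

class RegistrationGuard:
    """Temporarily block a source address after repeated failed registrations."""

    def __init__(self, max_failures=10, window=60.0, block_for=3600.0):
        self.max_failures = max_failures    # failures tolerated inside the window
        self.window = window                # seconds of history counted (assumed value)
        self.block_for = block_for          # one hour, as stated in the thread
        self.failures = defaultdict(deque)  # src -> timestamps of recent failures
        self.blocked = {}                   # src -> time the block expires

    def is_blocked(self, src, now):
        expiry = self.blocked.get(src)
        if expiry is not None and now >= expiry:
            del self.blocked[src]           # block aged out; forget the source
            return False
        return expiry is not None

    def observe(self, src, auth_ok, now):
        """Feed one registration outcome; return 'drop', 'block' or 'pass'."""
        if self.is_blocked(src, now):
            return "drop"                   # rejected before any auth work is done
        if auth_ok:
            self.failures.pop(src, None)    # a good registration clears the history
            return "pass"
        recent = self.failures[src]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()                # expire failures older than the window
        if len(recent) < self.max_failures:
            return "pass"
        self.blocked[src] = now + self.block_for
        del self.failures[src]              # keep the table small once blocked
        return "block"

def replay(events, guard):
    """Run (time, src, auth_ok) events in time order; return one verdict each."""
    return [guard.observe(src, ok, t) for t, src, ok in sorted(events)]

# Constructed sample (documentation addresses): 192.0.2.10 fails once a second,
# 198.51.100.7 is a phone that fails once and then registers correctly.
EVENTS = [(float(i), "192.0.2.10", False) for i in range(12)]
EVENTS += [(3.5, "198.51.100.7", False), (4.5, "198.51.100.7", True)]

guard = RegistrationGuard()
VERDICTS = replay(EVENTS, guard)

if __name__ == "__main__":
    print(VERDICTS)
```

A block of this kind saves CPU and memory on the server; as post #5 notes, the packets still consume link bandwidth until they are filtered upstream.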

Post #7 | Nov 10 2009, 05:07 AM
Advanced Member | Group: Members | Posts: 848 | Joined: 25-January 07 | Member No.: 17

I thought this was a part of 3.4..?
We are having asterisk scanners hit us all the time looking for blank SIP passwords.

Post #8 | Jan 11 2010, 07:20 PM
Advanced Member | Group: Members | Posts: 267 | Joined: 8-February 08 | From: Bloomington, MN | Member No.: 384

I just got hit by the friendly scanner again, this time the source IP was 92.61.60.3. Unfortunately, since Version 4 with DoS protection is still under development, it took the server down until I could block it at the firewall. The packet capture looks identical to the one I posted above.