SIP flood attack


Hello all. I was recently the victim of a SIP flood attack. I’m wondering
what is the best method to prevent such things in the future.
Many thanks
Greg

6 thoughts on - SIP flood attack

  • Make sure you have allowguest=no in your sip.conf (the default is yes),
    unless you really do want anonymous guests.

    Also it might pay to consider
    http://www.emergingthreats.net/index.php/rules-mainmenu-38.html

    Alec Davis

    _____

    (quoting Greg Saunders's original message to asterisk-users@lists.digium.com,
    sent Monday, 4 October 2010 9:20 a.m.)

  • In sip.conf:
    [general]
    alwaysauthreject = yes

    The attacking program is probably svwar.py (part of SIPVicious). It
    will give up as soon as it realizes it can’t tell the difference
    between attempting to register an invalid extension and a valid one
    (with an arbitrary password).

    It’s the default in 1.8, but the option goes back at least to 1.4.
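The two sip.conf settings recommended in this thread are easy to check for mechanically. The following is an added example (not code from the thread or from the Asterisk project): a small audit script that parses the [general] section of a sip.conf and reports whether allowguest and alwaysauthreject have their hardened values, treating a missing key as its pre-1.8 default (allowguest=yes, alwaysauthreject=no, as the replies above state; those defaults are an assumption for older versions). The two embedded sip.conf snippets are constructed samples: one relying on the defaults, one with both settings applied.

```python
"""Audit an Asterisk sip.conf [general] section for allowguest/alwaysauthreject.
Added example; the parser is a minimal stand-in for Asterisk's own config loader."""
import re

# Constructed sample: a sip.conf that relies on the pre-1.8 defaults.
WEAK_SIP_CONF = """\
[general]
context=default
bindport=5060
; allowguest not set: the default is yes
; alwaysauthreject not set: the default (before 1.8) is no
"""

# Constructed sample: the same file with both settings from the thread applied.
HARDENED_SIP_CONF = """\
[general]
context=default
bindport=5060
allowguest=no
alwaysauthreject = yes
"""

# Assumed defaults for a pre-1.8 Asterisk (the thread: allowguest defaults to yes,
# alwaysauthreject only became the default in 1.8).
DEFAULTS = {"allowguest": "yes", "alwaysauthreject": "no"}


def parse_sip_conf(text):
    """Minimal parser for Asterisk's ini-style config: [sections], key=value and
    key=>value, ';' comments. A later duplicate key overwrites an earlier one."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = re.match(r"^([^=]+?)\s*=>?\s*(.*)$", line)
        if m and current is not None:
            sections[current][m.group(1).strip().lower()] = m.group(2).strip().lower()
    return sections


def audit_general(text):
    """Return a list of findings; empty when both settings are hardened."""
    general = parse_sip_conf(text).get("general", {})
    findings = []
    checks = (
        ("allowguest", "no",
         "anonymous (guest) calls are accepted"),
        ("alwaysauthreject", "yes",
         "valid and invalid extensions can be told apart from the REGISTER reply"),
    )
    for key, wanted, why in checks:
        effective = general.get(key, DEFAULTS[key])
        if effective != wanted:
            how = "set" if key in general else "defaulted"
            findings.append(f"{key} is {how} to '{effective}' (want '{wanted}'): {why}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SIP_CONF), ("hardened", HARDENED_SIP_CONF)):
        print(label, audit_general(conf) or ["ok"])
```

Run against a real sip.conf with `audit_general(open("/etc/asterisk/sip.conf").read())`; a file that sets neither key produces two findings, both marked "defaulted", which is the case the thread is warning about.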

  • Actually, the same thing happened to us a year ago (under Asterisk 1.2); we
    solved it the same day we discovered it by putting in both:

    allowguest=no
    alwaysauthreject = yes

  • do one of the following:

    – remote registrations from known IP address ranges only, or use iptables
      rules to do something similar

    – multiple registration fails and block IP addresses in iptables

    – enforce strict password policy on all users on the system

    I think simply relying on alwaysauthreject is very dangerous as it’s
    only a matter of time before the attackers catch on to this and carry on
    attacking regardless. Sure there’s less chance of them getting a
    correct username/secret combination but in the meantime, the register
    attempts are practically a DoS attack. Plus that setting further breaks
    the SIP RFC.

    I also think that assuming that the attackers will eventually get in one
    way or another is wise. So put in place appropriate measures to limit
    the damage they can do (daily spend limits with SIP providers, blocking
    international and/or premium rate numbers etc…).

    cheers,
    Paul.
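Paul's second option (count registration failures per source and block the source in iptables) is what a log-watching tool such as fail2ban automates. The following added example (not code from this thread or from Asterisk) shows the detection half: it parses chan_sip "Registration from ... failed for ..." NOTICE lines, applies a sliding-window threshold per source IP so that a burst of scanner probes trips it while a user mistyping a password twice does not, and renders the corresponding iptables DROP rules as strings for review rather than executing them. The log lines are constructed samples; the line format is assumed from the common chan_sip output of Asterisk 1.4 to 1.8 (with or without a port after the source address), and the threshold and window are arbitrary choices.

```python
"""Detect SIP registration brute-force from Asterisk chan_sip log lines.
Added example; the log format is assumed, the sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/asterisk/messages: one source burning through
# extensions 100-104 within a few seconds, another with two failures 11 minutes apart.
SAMPLE_LOG = """\
[Oct  4 09:20:01] NOTICE[3921] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Oct  4 09:20:02] NOTICE[3921] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[Oct  4 09:20:02] NOTICE[3921] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[Oct  4 09:20:03] NOTICE[3921] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[Oct  4 09:20:03] NOTICE[3921] chan_sip.c: Registration from '"104" <sip:104@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[Oct  4 09:20:05] NOTICE[3921] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.9' - Wrong password
[Oct  4 09:31:40] NOTICE[3921] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.9' - Wrong password
"""

# Assumed chan_sip format: "[Mon DD HH:MM:SS] NOTICE[pid] chan_sip.c: Registration
# from '<uri>' failed for '<ip>[:port]' - <reason>".
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' "
    r"- (?P<reason>.*)$"
)


def parse_failures(log_text):
    """Return a list of (timestamp, source_ip, reason) for each failed REGISTER."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # not a registration failure; ignore
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year defaults to 1900
        failures.append((ts, m.group("ip"), m.group("reason")))
    return failures


def offenders(failures, threshold=5, window=timedelta(minutes=10)):
    """IPs with at least `threshold` failures inside any `window`-long interval.
    Uses a sliding window over each IP's sorted timestamps, so a slow trickle of
    typos stays below the bar while a scanner burst crosses it."""
    by_ip = defaultdict(list)
    for ts, ip, _ in failures:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)


def iptables_drop_rules(ips, port=5060):
    """Render (do not execute) the iptables rules an admin would apply, so they
    can be reviewed before being run with root privileges."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    bad = offenders(parse_failures(SAMPLE_LOG))
    print("\n".join(iptables_drop_rules(bad)) or "no offenders")
```

On the sample, only 198.51.100.7 crosses the threshold (five failures in three seconds); 203.0.113.9 has two failures eleven minutes apart and is left alone. In production this logic would read the log continuously and expire blocks after a while, which is exactly the work fail2ban's asterisk jail does; the point of the example is the decision rule, and the fact that with alwaysauthreject=yes both "Wrong password" and "No matching peer found" lines count the same, so the threshold does not depend on the registrar revealing which extensions exist.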