being bombarded with SIP packets


Over the last two weeks, we have had at least two “incidents” where our
asterisk server got flooded (a hundred or more per second) by SIP
packets. Once from 114.31.50.10, second time from 173.212.200.146. We
became aware of the problem when bandwidth started suffering because
asterisk got very busy sending back replies or rejects (dunno which, I
didn’t investigate it any further).
The immediate issues were dealt with by having the firewall drop those
packets, but I was wondering:

1) if anyone has seen the same problem, and
2) if you’ve got some iptables rules for limiting inbound SIP by rate?
(or some such).

thanks
Per Jessen, Zürich

11 thoughts on - being bombarded with SIP packets

  • Was it legitimate requests or a brute force attack? If it was a brute
    force attack have you considered using fail2ban?

    Ish

  • On 28.10.2010 09:41, Per Jessen wrote:
    Hello Per,

    (iptables) rule #1: search the archives !!!!
    You will find nearly as many postings about that problem, as your server
    SIP packets received … 😉

    Norbert

  • Norbert Zawodsky wrote:

    Thanks Norbert – I should take my own medicine, I’m usually the first to
    suggest searching the archives.

    /Per Jessen, Zürich

  • Ishfaq Malik wrote:

    It appears to be brute force, but I haven’t bothered to investigate any
    further. fail2ban is at best a kludge IMHO, and I don’t like anything
    (automatically or otherwise) modifying my firewall. Like Norbert
    suggested, I’ll check the archives to see what others have done.

    /Per Jessen, Zürich

  • On 28.10.2010 12:14, Per Jessen wrote:
    Per,

    (didn’t want to be unfriendly to you !!!!!)

    As you say, “you don’t like anything to modify your firewall”. My words !

    Someone (don’t remember who & when) on this list showed me a very clever
    trick (=iptables rule) to drop the packets if too many of them arrive
    within a given period of time. Works really great !!!!!

    Do not exactly remember how it was done (and I don’t have access to that
    machine at the moment to have a look).
    I remember something like
    first using iptables module “string” to inspect the packet if it
    contains the string “REGISTER sip:”
    and then use an iptables “hash bucket” with a limit of x/second

    If this limit is exceeded, send the packet to nirvana (= DROP, or if you
    like LOG & DROP, or if you like LOG the 1st & DROP all …..)

    Norbert

  • This is not new – just Read The Fine Archives. Been going on for years.
    You’re not the first, not the last.

    Google for sipvicious.

    Possibly me – I did post something – you might want to look at

    http://unicorn.drogon.net/firewall2

    An issue I’ve found with this is that while it works to protect
    your asterisk box, it does take up a considerable amount of CPU/kernel
    time to process – so running on embedded hardware isn’t a good idea.

    There are other things you need to do too – but do get the sipvicious
    source code – it has a crash program in it – however I’m finding that this
    works less and less now because the criminals who’re trying to steal your
    VoIP minutes have upgraded – however the upgrade is a little nicer when
    you firewall it out.

    And do make sure you have

    alwaysauthreject=yes

    in the [general] section of sip.conf. Most of the time that will protect
    you as the criminals will do a single pass to try to identify accounts
    that are valid, then find none, then move on.

    Sometimes they don’t though and use the ‘force’ option in sipvicious. Then
    you’re SOL….

    Gordon

  • Norbert Zawodsky wrote:

    Not at all.

    Yeah, I have a rule like that for SSH brute force attempts, and I
    did also find one for the same thing for SIP.

    This is what I found:

    iptables -N sip-flood
    iptables -A INPUT -p udp -m udp --dport 5060 -j sip-flood
    iptables -A INPUT -p tcp -m tcp --dport 5060:5061 --syn -j sip-flood
    iptables -A sip-flood -m recent --update --seconds 60 --hitcount 20 -j LOG --log-prefix "SIP bruteforce attempt: "
    iptables -A sip-flood -m recent --rcheck --seconds 60 --hitcount 20 -j DROP
    iptables -A sip-flood -m recent --set -j ACCEPT

    /Per Jessen, Zürich
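
    As an added example, not code from this thread: a small sh script that builds the string-match plus hashlimit chain Norbert describes, with the LOG-then-DROP handling of the excess as in Per's rule set. It assumes UDP SIP on port 5060 and an iptables with the string and hashlimit matches; by default it only prints the rules.

```shell
#!/bin/sh
# Added example (not from the thread): per-source rate limit for SIP REGISTER
# floods via the string match + hashlimit idea, with LOG-then-DROP of the
# excess. Assumes UDP SIP on 5060. Default is a dry run that prints the rules;
# set IPTABLES=iptables to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Print the rule set. $1 = sustained REGISTERs/sec allowed per source address,
# $2 = burst tolerated before the limit bites (a phone re-registering after a
# reboot sends a handful; a scanner sends hundreds per second).
sip_flood_rules() {
    limit="${1:-5}"; burst="${2:-20}"
    case "$limit$burst" in
        ""|*[!0-9]*) echo "limit and burst must be integers" >&2; return 1 ;;
    esac
    # The string match runs first, so only REGISTERs consume the hashlimit
    # bucket; --hashlimit-above matches only once a source exceeds the rate,
    # so well-behaved peers never reach the DROP chain. INVITE/OPTIONS from
    # registered peers pass untouched.
    cat <<EOF
-N SIP_FLOOD
-N SIP_FLOOD_DROP
-A INPUT -p udp --dport 5060 -j SIP_FLOOD
-A SIP_FLOOD -m string --string "REGISTER sip:" --algo bm -m hashlimit --hashlimit-name sipreg --hashlimit-mode srcip --hashlimit-above ${limit}/sec --hashlimit-burst ${burst} -j SIP_FLOOD_DROP
-A SIP_FLOOD_DROP -m limit --limit 6/min -j LOG --log-prefix "SIP REGISTER flood: "
-A SIP_FLOOD_DROP -j DROP
EOF
}

# Feed each rule to $IPTABLES (echo by default, so nothing changes until you
# opt in). Arguments are validated above, so eval only sees our own text.
apply_sip_flood_rules() {
    sip_flood_rules "$@" | while read -r rule; do
        eval "$IPTABLES $rule" || exit 1
    done
}

apply_sip_flood_rules "$@"
```

    The LOG rule is itself limited to 6 lines/min so a flood cannot fill the syslog, which is the "LOG the 1st & DROP all" variant Norbert mentions.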

  • Gordon Henderson wrote:

    Well, to me it only started 3 days ago. Point taken though, I should
    have googled first.

    My main issue was not the brute force attempt in itself, but the
    increased latency it caused.

    /Per Jessen, Zürich

  • Two incidents in two weeks is not bad. I get 2-4 a day. There must be many
    here with even more than that. You should start considering some safety
    practices like disabling long distance and international calls by default,
    put a cap on long distance and international calls even for genuine users,
    and for those who don’t want caps, get their consent that they’ll not argue
    with you if their accounts are hacked. Probably do prepaid billing at least
    for long distance and international calls.

    Other than that, fail2ban is a must have. Detailed installation instructions
    you can find at voip-info.org website and also in my blogs at
    ilovetovoip.com.

    Regards,

    Zeeshan A Zakaria

  • Exactly what I was going through; here’s how I reacted (throttles both
    SSH and SIP REGISTER):

    First, I completely blocked all non-North American & Amazon EC2 networks
    any time soon. Then in my iptables startup script:

    iptables -N THROTTLE
    iptables -A INPUT -i eth0 -p udp --dport 5060
    iptables -A INPUT -i eth0 -p tcp --dport 22
    -m state --state NEW -j THROTTLE
    iptables -A THROTTLE -m recent --set --name ABUSE
    iptables -A THROTTLE -m recent --update --seconds 86400