Solved

SIP brute force attacks

Posted on 2011-02-15
Last Modified: 2013-11-12
I have servers getting slammed with SIP brute force attacks on a daily basis now, up from just a few times a week a few months ago. This isn't much of a problem except that lately we've been getting slammed faster and faster. We have fail2ban running and set to 20 attempts before banning. The attacks happen so fast that about 10,000-14,000 attempts go through before it gets banned. This hasn't run us into any issues with server load or bandwidth, but this is just a general question as to whether this is the norm in the industry. We have a Tier 1 backbone now and I was thinking that's just what caused the rise in hack attempts.

Does anyone who works for a communications company have similar hack attempts and if so are there any recommendations you could share?

Thanks in advance!
Question by:bbrunning
3 Comments

Accepted Solution

by:
feptias earned 250 total points
ID: 34905147
When Asterisk is directly accessible on the Internet using port 5060, it seems to be the target for this type of problem. However, my experience with systems using OpenSIPS as the interface to the Internet is that they don't get hit by the brute force password guessing attacks. All I see in the OpenSIPS logs is occasional "friendly-scanner" and "sundayddr" probes using an OPTIONS request - there are just a few of these each day.

You may be interested to read my recent blog on this subject:
http://kb.smartvox.co.uk/index.php/asterisk/friendlyscanner-gets-aggressive/

Assisted Solution

by:nauliv
nauliv earned 250 total points
ID: 34908910
bbrunning: do you have a way to narrow the source of your SIP connections from the Internet?
If most of your users are in known countries, you can set your firewall to limit SIP connections from this country (or these countries).
You can find the IP ranges for each country in the world on several websites and block by that; it is usually very efficient, especially if the attacks come from countries outside of your users' area! (example: http://www.ipdeny.com/ipblocks/)

Good Luck !
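
The country-range approach suggested above, as an added example that is not part of the original thread: a POSIX shell filter that turns a zone file (one IPv4 CIDR per line, as on ipdeny.com) into an `ipset restore` script for an allowlist on SIP port 5060. It assumes a Linux firewall with ipset and iptables; the set name `sip_allow` and the sample ranges are constructed.

```shell
#!/bin/sh
# Added example. SET_NAME and the sample ranges below are assumptions.
SET_NAME="sip_allow"

# Succeed only for a well-formed IPv4 CIDR such as 192.0.2.0/24.
valid_cidr() {
    case "$1" in
        ''|*[!0-9./]*|*/*/*|.*|*..*|*./*) return 1 ;;
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Zone file on stdin, ipset restore script on stdout. Malformed lines are
# skipped (count on stderr) so a damaged download cannot inject commands.
# A scratch set is filled and swapped in, so the live set is never empty.
build_restore() {
    skipped=0
    echo "create $SET_NAME hash:net family inet"
    echo "create ${SET_NAME}_new hash:net family inet"
    echo "flush ${SET_NAME}_new"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # strip comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # strip blanks and CR
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then echo "add ${SET_NAME}_new $line"
        else skipped=$((skipped + 1)); fi
    done
    echo "swap ${SET_NAME}_new $SET_NAME"
    echo "destroy ${SET_NAME}_new"
    echo "skipped $skipped invalid line(s)" >&2
}

sample_zone() {  # constructed input, documentation ranges only
    printf '%s\n' '# constructed sample' '192.0.2.0/24' \
        '198.51.100.0/25  # trailing comment' '203.0.113.0/33' \
        '300.1.2.0/24' 'example.invalid' '' '203.0.113.128/26'
}
sample_zone | build_restore
# To apply as root (not run here):
#   build_restore < country.zone | ipset -exist restore
#   iptables -I INPUT -p udp --dport 5060 -m set ! --match-set sip_allow src -j DROP
```

An allowlist only helps when the legitimate users and carriers all sit inside the listed ranges, so carrier signalling addresses need their own entries before the DROP rule goes in.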

Author Comment

by:bbrunning
ID: 34920519
feptias:
I'm looking into switching port 5060 if absolutely necessary. I have to make sure the carriers don't have any issues with this first, but it's a last resort.
We're looking into putting another device in front of our Cisco to catch these attacks first.
nauliv:
The source IPs happen from all over the world. I could do a region block if it seems to be getting more out of hand from a particular region. I've done the research on region blocks and have gathered the IP sets from all over the world.

Thanks for the thoughts. Looks like I was on the right track.
Question has a verified solution.