Solved

SIP brute force attacks

Posted on 2011-02-15
Last Modified: 2013-11-12
I have servers getting slammed with SIP brute force attacks on a daily basis now, up from just a few times a week a few months ago. This isn't much of a problem except that lately we've been getting slammed faster and faster. We have fail2ban running and set to 20 attempts before banning. The attacks happen so fast that about 10,000-14,000 attempts go through before it gets banned. This hasn't run us into any issues with server load or bandwidth, but this is just a general question as to if this is a norm in the industry? We have a Tier 1 backbone now and I was thinking that's just what caused the rise in hack attempts.

Does anyone who works for a communications company have similar hack attempts and if so are there any recommendations you could share?

Thanks in advance!
Question by:bbrunning
3 Comments

Accepted Solution

by: feptias
ID: 34905147
When Asterisk is directly accessible on the Internet using port 5060, it seems to be the target for this type of problem. However, my experience with systems using OpenSIPS as the interface to the Internet is that they don't get hit by the brute force password guessing attacks. All I see in the OpenSIPS logs is occasional "friendly-scanner" and "sundayddr" probes using an OPTIONS request - there are just a few of these each day.

You may be interested to read my recent blog on this subject:
http://kb.smartvox.co.uk/index.php/asterisk/friendlyscanner-gets-aggressive/

Assisted Solution

by: nauliv
ID: 34908910
bbrunning: do you have a way to narrow the source of your SIP connections from the Internet?
If most of your users are in known countries, you can set your firewall to limit SIP connections from this country (or these countries).
You can find the IP ranges for each country in the world on several websites and block by that; it is usually very efficient, especially if the attacks come from countries outside of your users' area! (Example: http://www.ipdeny.com/ipblocks/)

Good luck!
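
The country-based allow-list suggested in the answer above, as an added example that is not part of the original thread: it parses a zone file in a one-CIDR-per-line layout, rejects malformed entries, merges adjacent ranges, and emits `ipset restore` input. The set name `sip_allow`, the file layout, and the sample ranges (documentation addresses, constructed) are assumptions.

```python
import ipaddress

# Constructed sample in a one-CIDR-per-line zone-file layout (assumed).
# Documentation ranges stand in for real country blocks.
SAMPLE_ZONE = """\
# constructed sample, not real country data
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
not-a-cidr
203.0.113.7/24
"""

def load_zone(text):
    """Parse zone text; return (collapsed IPv4 networks, rejected lines)."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        try:
            # strict=True rejects entries with host bits set (203.0.113.7/24)
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError:
            rejected.append(line)
    v4 = [n for n in nets if n.version == 4]
    # Merge adjacent/overlapping ranges so the kernel set stays small.
    return list(ipaddress.collapse_addresses(v4)), rejected

def is_allowed(src_ip, nets):
    """True if a SIP source address falls inside the allow-list."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in n for n in nets)

def ipset_restore(set_name, nets):
    """Render the allow-list as input for `ipset restore`."""
    lines = [f"create {set_name} hash:net family inet"]
    lines += [f"add {set_name} {n}" for n in nets]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    nets, rejected = load_zone(SAMPLE_ZONE)
    print(ipset_restore("sip_allow", nets), end="")
    print("rejected:", rejected)
```

Load the output with `ipset restore`, then reference the set from the firewall rule covering port 5060 with `-m set --match-set sip_allow src`. Review the rejected lines before loading, since a silently skipped range would lock out legitimate users in that block.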

Author Comment

by:bbrunning
ID: 34920519
feptias:
I'm looking into switching port 5060 if absolutely necessary. I have to make sure the carriers don't have any issues with this first, but it's a last resort.
We're looking into putting another device in front of our Cisco to catch these attacks first.
nauliv:
The source IPs happen from all over the world. I could do a region block if it seems to be getting more out of hand from a particular region. I've done the research on region blocks and have gathered the IP sets from all over the world.

Thanks for the thoughts. Looks like I was on the right track.