Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1320
  • Last Modified:

Sip brute force attacks

I have servers getting slammed with sip brute force attacks on a daily basis now from just a few times a week a few months ago. This isn't much of a problem except that lately we've been getting slammed faster and faster. We have fail2ban running and set to 20 attempts before banning. The attacks happen so fast that about 10,000-14,000 attempts go through before it gets banned. This hasn't run us into any issues with server load or bandwidth but this is a just a general question as to if this is a norm in the industry? We have a Tier 1 backbone now and I was thinking that's just what caused the rise in hack attempts.

Does anyone who works for a communications company have similar hack attempts and if so are there any recommendations you could share?

Thanks in advance!
0
bbrunning
Asked:
bbrunning
2 Solutions
 
feptiasCommented:
When Asterisk is directly accessible on the Internet using port 5060, it seems to be the target for this type of problem. However, my experience with systems using OpenSIPS as the interface to the Internet is that they don't get hit by the brute force password guessing attacks. All I see in the OpenSIPS logs is occassional "friendly-scanner" and "sundayddr" probes using an OPTIONS request - there are just a few of these each day.

You may be interested to read my recent blog on this subject:
http://kb.smartvox.co.uk/index.php/asterisk/friendlyscanner-gets-aggressive/
0
 
naulivCommented:
bbrunning: do you have a way to narrow the source of your SIP connections from the internet ?
If most of your users are in known countries, you can set your firewall to limit SIP connections from this(es) country(es).
You can find on several websites the IP ranges for each country in the world, and block by that, it usually very efficient especially if the attacks come from countries outside of your users area ! (example: http://www.ipdeny.com/ipblocks/)

Good Luck !
0
 
bbrunningAuthor Commented:
feptias:
I'm looking into switching port 5060 if absolutely necessary. I have to make sure the carriers don't have any issues with this first, but it's a last resort.
We're looking into putting another device in front of our cisco to catch these attacks first.
nauliv:
The source IPs happen from all over the world. i could do a region block if it seems to be getting more out of hand from a particular region. I've done the research on region blocks and have gathered the ip sets from all over the world.

Thanks for the thoughts. Looks like I was on the right track.
0

Featured Post

Enhanced Intelligibility Without Cable Clutter

Challenge: The ESA office in Brussels wanted a reliable audio conference system for video conferences. Their requirement - No participant must be left out from the conference and the audio quality must not be compromised.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now