Solved

SIP brute force attacks

Posted on 2011-02-15
Last Modified: 2013-11-12
I have servers getting slammed with SIP brute force attacks on a daily basis now, up from just a few times a week a few months ago. This isn't much of a problem except that lately we've been getting slammed faster and faster. We have fail2ban running and set to 20 attempts before banning. The attacks happen so fast that about 10,000-14,000 attempts go through before it gets banned. This hasn't run us into any issues with server load or bandwidth, but this is just a general question as to if this is a norm in the industry? We have a Tier 1 backbone now and I was thinking that's just what caused the rise in hack attempts.

Does anyone who works for a communications company have similar hack attempts and if so are there any recommendations you could share?

Thanks in advance!
Question by:bbrunning

Accepted Solution

by:
feptias earned 250 total points
ID: 34905147
When Asterisk is directly accessible on the Internet using port 5060, it seems to be the target for this type of problem. However, my experience with systems using OpenSIPS as the interface to the Internet is that they don't get hit by the brute force password guessing attacks. All I see in the OpenSIPS logs is occasional "friendly-scanner" and "sundayddr" probes using an OPTIONS request - there are just a few of these each day.

You may be interested to read my recent blog on this subject:
http://kb.smartvox.co.uk/index.php/asterisk/friendlyscanner-gets-aggressive/

Assisted Solution

by:nauliv
nauliv earned 250 total points
ID: 34908910
bbrunning: do you have a way to narrow the source of your SIP connections from the internet?
If most of your users are in known countries, you can set your firewall to limit SIP connections from that country or those countries.
You can find on several websites the IP ranges for each country in the world, and block by that. It is usually very efficient, especially if the attacks come from countries outside of your users' area! (Example: http://www.ipdeny.com/ipblocks/)

Good luck!

Author Comment

by:bbrunning
ID: 34920519
feptias:
I'm looking into switching port 5060 if absolutely necessary. I have to make sure the carriers don't have any issues with this first, but it's a last resort.
We're looking into putting another device in front of our Cisco to catch these attacks first.
nauliv:
The source IPs happen from all over the world. I could do a region block if it seems to be getting more out of hand from a particular region. I've done the research on region blocks and have gathered the IP sets from all over the world.

Thanks for the thoughts. Looks like I was on the right track.
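
The country-based restriction discussed by nauliv and bbrunning, as an added example that is not part of the original thread: it turns per-country CIDR lists into `ipset restore` input and prints matching iptables rules for port 5060. It assumes zone files with one IPv4 CIDR per line and a Linux firewall with ipset and iptables; the set name `sip_allow` and the sample ranges are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes zone files with one IPv4 CIDR
# per line; the set name and the sample ranges below are constructed.

# zone_to_ipset SET FILE...: print "ipset restore" input for the given files.
# Malformed lines are reported on stderr and make the function return 1, so a
# damaged download is noticed before a partial allowlist is loaded.
zone_to_ipset() {
    set_name=$1; shift
    echo "create $set_name hash:net family inet"
    awk -F'[./]' -v set="$set_name" '
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }      # strip comments, blanks
        $0 == "" { next }
        {
            ok = (NF == 5)
            for (i = 1; ok && i <= 5; i++) if ($i !~ /^[0-9]+$/) ok = 0
            for (i = 1; ok && i <= 4; i++) if ($i + 0 > 255) ok = 0
            if (ok && $5 + 0 > 32) ok = 0
            if (!ok) { print "skipped: " $0 > "/dev/stderr"; bad++; next }
            if (!seen[$0]++) print "add " set " " $0   # de-duplicate
        }
        END { exit (bad > 0) }' "$@"
}

# sip_rules SET: print rules that drop SIP from any source not in SET.
sip_rules() {
    for proto in udp tcp; do
        echo "iptables -A INPUT -p $proto --dport 5060 -m set ! --match-set $1 src -j DROP"
    done
}

# Constructed sample: documentation ranges standing in for one country's
# zone file plus a carrier trunk, with one duplicate and one damaged line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample zone
192.0.2.0/24
198.51.100.0/24
192.0.2.0/24
203.0.113.300/24
EOF

# Review the output, then load it with: ipset -exist restore < file
zone_to_ipset sip_allow "$sample" || echo "fix skipped lines before loading" >&2
sip_rules sip_allow
rm -f "$sample"
```

Carrier trunk addresses have to be in the set as well, otherwise the DROP rules cut off inbound calls from the carriers.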