Solved

SIP brute force attacks

Posted on 2011-02-15
Last Modified: 2013-11-12
I have servers getting slammed with SIP brute force attacks on a daily basis now from just a few times a week a few months ago. This isn't much of a problem except that lately we've been getting slammed faster and faster. We have fail2ban running and set to 20 attempts before banning. The attacks happen so fast that about 10,000-14,000 attempts go through before it gets banned. This hasn't run us into any issues with server load or bandwidth, but this is just a general question as to if this is a norm in the industry? We have a Tier 1 backbone now and I was thinking that's just what caused the rise in hack attempts.

Does anyone who works for a communications company have similar hack attempts and if so are there any recommendations you could share?

Thanks in advance!
Question by:bbrunning
3 Comments
 
LVL 19

Accepted Solution

by:
feptias earned 250 total points
ID: 34905147
When Asterisk is directly accessible on the Internet using port 5060, it seems to be the target for this type of problem. However, my experience with systems using OpenSIPS as the interface to the Internet is that they don't get hit by the brute force password guessing attacks. All I see in the OpenSIPS logs is occasional "friendly-scanner" and "sundayddr" probes using an OPTIONS request - there are just a few of these each day.

You may be interested to read my recent blog on this subject:
http://kb.smartvox.co.uk/index.php/asterisk/friendlyscanner-gets-aggressive/
 
LVL 7

Assisted Solution

by:nauliv
nauliv earned 250 total points
ID: 34908910
bbrunning: do you have a way to narrow the source of your SIP connections from the internet?
If most of your users are in known countries, you can set your firewall to limit SIP connections from this country (or these countries).
You can find on several websites the IP ranges for each country in the world, and block by that; it is usually very efficient, especially if the attacks come from countries outside of your users' area! (example: http://www.ipdeny.com/ipblocks/)

Good luck!
0
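The country-range approach suggested above, as an added example that is not part of the original thread: it turns a one-CIDR-per-line range list into an `ipset` allow set plus two `iptables` rules for port 5060. The set name `sip_allow`, the UDP-only rules and the sample ranges (RFC 5737 documentation blocks, not real country allocations) are assumptions.

```python
import ipaddress

# Constructed sample in a one-CIDR-per-line layout (assumed file format).
SAMPLE_ZONE = """\
# constructed sample, documentation ranges only
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
198.51.100.64/26
not-a-cidr
203.0.113.0/24
"""

def parse_zone(text):
    """Return collapsed IPv4 networks from range-list text, skipping bad lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # a malformed line is never turned into an allowed range
    # Merge adjacent and overlapping ranges so the set stays small.
    return list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))

def is_allowed(src_ip, nets):
    """True if src_ip falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in n for n in nets)

def ipset_restore(nets, set_name="sip_allow"):
    """Text to feed to `ipset restore`: one hash:net set with the ranges."""
    lines = [f"create {set_name} hash:net family inet"]
    lines += [f"add {set_name} {n}" for n in nets]
    return "\n".join(lines) + "\n"

def iptables_rules(set_name="sip_allow", port=5060):
    """Accept SIP over UDP from the set, drop it from everywhere else."""
    return [
        f"iptables -A INPUT -p udp --dport {port} "
        f"-m set --match-set {set_name} src -j ACCEPT",
        f"iptables -A INPUT -p udp --dport {port} -j DROP",
    ]

if __name__ == "__main__":
    allowed = parse_zone(SAMPLE_ZONE)
    print(ipset_restore(allowed), end="")
    print("\n".join(iptables_rules()))
```

Carrier and trunk addresses have to be added to the set as well, or their signalling is dropped by the second rule.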
 
LVL 10

Author Comment

by:bbrunning
ID: 34920519
feptias:
I'm looking into switching port 5060 if absolutely necessary. I have to make sure the carriers don't have any issues with this first, but it's a last resort.
We're looking into putting another device in front of our Cisco to catch these attacks first.
nauliv:
The source IPs happen from all over the world. I could do a region block if it seems to be getting more out of hand from a particular region. I've done the research on region blocks and have gathered the IP sets from all over the world.

Thanks for the thoughts. Looks like I was on the right track.