SIP DoS Protection


jlumby


I was wondering what features are coming down the line to protect from SIP based DoS attacks against PBXnSIP. I am concerned because on 2 different occasions I have had a PBX go down (99% cpu utilization on pbxctrl.exe) because of malformed registration packets. The packets were caused by a router that did not properly work with SIP. I am worried because this was unintentional, so I could imagine the impact malformed registration packets could have if someone was intentionally trying to make the server unusable.



We have some protection (using access lists) against the attacks. We would like to see these malformed messages if you have any.



What we have seen are packet storms that register over and over. This can be just a buggy device that thinks it should answer a password change with the wrong password over and over, or a device that has a problem with the duration of the registration. We also have seen devices that try passwords out (so better not choose "123" as a password!).

 

In any case, in version 4 we now automatically add the source address to the blocked list for one hour (parameters adjustable). That solves this problem.


One of our customer's softswitches got hit by a DoS attack this morning. I am attaching the packet capture from before I blocked it at the firewall. It ran the processor up to 99% and the memory up to 1 gig. After blocking the IP, it took stopping/starting the service to reclaim the memory. Just want to make sure that the newer versions will automatically protect against attacks like this. The customer was running 3.3.2.3183 (Win32).

DoS.zip



Yea, in version 4 this friendly scanner will do this 10 times, then the PBX will block the traffic.

 

Of course, one problem remains. The packets take a lot of bandwidth and if your link is "slow" then other valid requests might be dropped.

 

Maybe you should contact roxfarma.com.pe for a statement as the IP address resolves like this:

 

    Hostname:www.roxfarma.com.pe

    ISP:Telmex Peru S.A.

    Organization:Telmex Peru S.A.

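The blocking behaviour described in this thread (a source that sends REGISTER over and over is blocked for one hour after 10 attempts, and malformed REGISTERs are rejected rather than processed) as an added defender-side example; this is not the PBX's own code. The 60-second window, the header names treated as mandatory, the friendly-scanner User-Agent check and the sample packets are assumptions/constructed for the example.

```python
import re
from collections import defaultdict, deque

THRESHOLD = 10        # REGISTERs from one source before it is blocked (thread: "10 times")
WINDOW_SECONDS = 60   # assumption: THRESHOLD REGISTERs inside this window is a flood
BLOCK_SECONDS = 3600  # block the source for one hour, as the thread describes
REQUEST_LINE = re.compile(r"^REGISTER sip:\S+ SIP/2\.0$")
REQUIRED = ("via", "from", "to", "call-id", "cseq")  # mandatory REGISTER headers

def classify(packet):
    """'malformed', 'scanner' (friendly-scanner User-Agent) or 'register'."""
    head = packet.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if not REQUEST_LINE.match(lines[0]) or any(h not in headers for h in REQUIRED):
        return "malformed"
    if "friendly-scanner" in headers.get("user-agent", "").lower():
        return "scanner"
    return "register"

class RegisterGuard:
    """Per-source REGISTER rate limiter: every packet counts, malformed or not."""
    def __init__(self):
        self.recent = defaultdict(deque)  # src_ip -> timestamps inside the window
        self.blocked_until = {}           # src_ip -> time the block expires

    def handle(self, src_ip, packet, now):
        """Return 'drop' (source blocked), 'reject' (bad packet) or 'process'."""
        if self.blocked_until.get(src_ip, 0) > now:
            return "drop"
        q = self.recent[src_ip]
        q.append(now)
        while now - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= THRESHOLD:  # the flood the thread describes: block for an hour
            self.blocked_until[src_ip] = now + BLOCK_SECONDS
            q.clear()
            return "drop"
        return "process" if classify(packet) == "register" else "reject"

# constructed sample packets (not taken from the thread's capture)
GOOD = "REGISTER sip:pbx.example SIP/2.0\r\n" + "\r\n".join(
    ["Via: SIP/2.0/UDP 192.0.2.10", "From: <sip:41@pbx.example>", "To: <sip:41@pbx.example>",
     "Call-ID: abc123@192.0.2.10", "CSeq: 1 REGISTER", "User-Agent: DeskPhone/1.0"]) + "\r\n\r\n"
SCAN = GOOD.replace("DeskPhone/1.0", "friendly-scanner")
BAD = "REGISTER sip:pbx.example SIP/2.0\r\nVia: SIP/2.0/UDP 203.0.113.7\r\n\r\n"  # headers missing
```

As the thread notes, blocking inside the PBX stops the CPU and memory drain but not the bandwidth the flood consumes; that still needs a block upstream at the firewall.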


I just got hit by the friendly scanner again, this time the source IP was 92.61.60.3. Unfortunately, since Version 4 with DoS protection is still under development, it took the server down until I could block it at the firewall. The packet capture looks identical to the one I posted above.




Did you get hit by the friendly-scanner again?

If yes, I would like to offer a solution.

I have had a lot of experience with the same topic.
