Jump to content

SIP DoS Protection


jlumby
 Share

Recommended Posts

I was wondering what features are coming down the line to protect from SIP based DoS attacks against PBXnSIP. I am concerned because on 2 different occasions I have had a PBX go down (99% cpu utilization on pbxctrl.exe) because of malformed registration packets. The packets were caused from a router that did not properly work with SIP. I am worried because this was unintentional, so I could imagine the impact malformed registration packets could have if someone was intentionally trying to make the server unusable

Link to comment
Share on other sites

I was wondering what features are coming down the line to protect from SIP based DoS attacks against PBXnSIP. I am concerned because on 2 different occasions I have had a PBX go down (99% cpu utilization on pbxctrl.exe) because of malformed registration packets. The packets were caused from a router that did not properly work with SIP. I am worried because this was unintentional, so I could imagine the impact malformed registration packets could have if someone was intentionally trying to make the server unusable

 

We have some protection (using access lists) against the attacks. We would like to see these malformed messages if you have any.

Link to comment
Share on other sites

I was wondering what features are coming down the line to protect from SIP based DoS attacks against PBXnSIP. I am concerned because on 2 different occasions I have had a PBX go down (99% cpu utilization on pbxctrl.exe) because of malformed registration packets. The packets were caused from a router that did not properly work with SIP. I am worried because this was unintentional, so I could imagine the impact malformed registration packets could have if someone was intentionally trying to make the server unusable

 

What we have seen are packet storms that register over and over. This can be just a buggy device that just thinks that it should answer a password change with the wrong password over and over or a device that has a problem with the duration of the registration. We also have seen devices that try passwords out (so better don't choose "123" as password!).

 

In any case, in version 4 we now automatically add the source address to the blocked list for one hour (parameters adjustable). That solves this problem.

Link to comment
Share on other sites

One of our customers softswitches got hit by a DoS attack this morning. I am attaching the packetcapture from before I blocked it at the firewall. It ran the processor up to 99% and the memory up to 1 gig. After blocking the IP, it took stopping/starting the service to reclaim the memory. Just want to make sure that the newer versions will automatically protect against attacks like this. The customer was running 3.3.2.3183 (Win32)

DoS.zip

Link to comment
Share on other sites

One of our customers softswitches got hit by a DoS attack this morning. I am attaching the packetcapture from before I blocked it at the firewall. It ran the processor up to 99% and the memory up to 1 gig. After blocking the IP, it took stopping/starting the service to reclaim the memory. Just want to make sure that the newer versions will automatically protect against attacks like this. The customer was running 3.3.2.3183 (Win32)

 

Yea, in version 4 this fiendly scanner will do this 10 times then the PBX will block the traffic.

 

Of course, one problem remains. The packets take a lot of bandwidth and if your link is "slow" then other valid requests might be dropped.

 

Maybe you should contact roxfarma.com.pe for a statement as the IP address resolves like this:

 

    Hostname:www.roxfarma.com.pe

    ISP:Telmex Peru S.A.

    Organization:Telmex Peru S.A.

Link to comment
Share on other sites

  • 2 weeks later...
  • 1 month later...
  • 2 months later...

I just got hit by the friendly scanner again, this time the source IP was 92.61.60.3 Unfortunately since Version 4 with DoS protection is still under development, it took the server down, until I could block it at the firewall. THe packet capture looks identical to the one I posted above

Link to comment
Share on other sites

  • 10 months later...

I just got hit by the friendly scanner again, this time the source IP was 92.61.60.3 Unfortunately since Version 4 with DoS protection is still under development, it took the server down, until I could block it at the firewall. THe packet capture looks identical to the one I posted above

 

Did you got hit by the friendly-scanner again ?

If yes, I would like to give a solution.

I had lots of experience related to the same topics.

Link to comment
Share on other sites

  • 1 month later...
  • 3 months later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...