jlumby, posted August 25, 2009:

I was wondering what features are coming down the line to protect from SIP based DoS attacks against PBXnSIP. I am concerned because on 2 different occasions I have had a PBX go down (99% cpu utilization on pbxctrl.exe) because of malformed registration packets. The packets were caused from a router that did not properly work with SIP. I am worried because this was unintentional, so I could imagine the impact malformed registration packets could have if someone was intentionally trying to make the server unusable.
pbx support, posted August 26, 2009:

> I was wondering what features are coming down the line to protect from SIP based DoS attacks against PBXnSIP. I am concerned because on 2 different occasions I have had a PBX go down (99% cpu utilization on pbxctrl.exe) because of malformed registration packets. The packets were caused from a router that did not properly work with SIP. I am worried because this was unintentional, so I could imagine the impact malformed registration packets could have if someone was intentionally trying to make the server unusable

We have some protection (using access lists) against the attacks. We would like to see these malformed messages if you have any.
Vodia PBX, posted August 26, 2009:

> I was wondering what features are coming down the line to protect from SIP based DoS attacks against PBXnSIP. I am concerned because on 2 different occasions I have had a PBX go down (99% cpu utilization on pbxctrl.exe) because of malformed registration packets. The packets were caused from a router that did not properly work with SIP. I am worried because this was unintentional, so I could imagine the impact malformed registration packets could have if someone was intentionally trying to make the server unusable

What we have seen are packet storms that register over and over. This can be just a buggy device that just thinks that it should answer a password change with the wrong password over and over or a device that has a problem with the duration of the registration. We also have seen devices that try passwords out (so better don't choose "123" as password!). In any case, in version 4 we now automatically add the source address to the blocked list for one hour (parameters adjustable). That solves this problem.
jlumby, posted September 1, 2009:

One of our customers' softswitches got hit by a DoS attack this morning. I am attaching the packet capture from before I blocked it at the firewall. It ran the processor up to 99% and the memory up to 1 gig. After blocking the IP, it took stopping/starting the service to reclaim the memory. Just want to make sure that the newer versions will automatically protect against attacks like this. The customer was running 3.3.2.3183 (Win32)

DoS.zip
Vodia PBX, posted September 2, 2009:

> One of our customers softswitches got hit by a DoS attack this morning. I am attaching the packetcapture from before I blocked it at the firewall. It ran the processor up to 99% and the memory up to 1 gig. After blocking the IP, it took stopping/starting the service to reclaim the memory. Just want to make sure that the newer versions will automatically protect against attacks like this. The customer was running 3.3.2.3183 (Win32)

Yea, in version 4 this friendly scanner will do this 10 times then the PBX will block the traffic. Of course, one problem remains. The packets take a lot of bandwidth and if your link is "slow" then other valid requests might be dropped. Maybe you should contact roxfarma.com.pe for a statement as the IP address resolves like this:

Hostname: www.roxfarma.com.pe
ISP: Telmex Peru S.A.
Organization: Telmex Peru S.A.
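A sketch of the behaviour described in the two Vodia PBX posts above (block a source address for one hour after repeated failed registrations), added here as an illustration and not the PBX's own code. The class and function names, the 60-second counting window and the sample addresses are assumptions; the threshold of 10 and the one-hour block are taken from the posts.

```python
from collections import defaultdict, deque


class RegistrationGuard:
    """Block a source address after repeated failed REGISTER attempts."""

    def __init__(self, max_failures=10, window=60.0, block_seconds=3600.0):
        self.max_failures = max_failures    # "10 times", per the post above
        self.window = window                # counting window in s (assumption)
        self.block_seconds = block_seconds  # one hour, per the post above
        self.failures = defaultdict(deque)  # source IP -> failure timestamps
        self.blocked_until = {}             # source IP -> block expiry time

    def is_blocked(self, src, now):
        expiry = self.blocked_until.get(src)
        if expiry is None:
            return False
        if now >= expiry:                   # block has run out, forget it
            del self.blocked_until[src]
            return False
        return True

    def on_register(self, src, now, auth_ok):
        """Return 'drop', 'accept' or 'reject' for one REGISTER request."""
        if self.is_blocked(src, now):
            return "drop"                   # discard before any auth work
        if auth_ok:
            return "accept"                 # failures age out via the window
        recent = self.failures[src]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.blocked_until[src] = now + self.block_seconds
            del self.failures[src]
        return "reject"


def sample_events():
    """Constructed input: (time, source IP, auth_ok); documentation IPs."""
    events = [(i * 0.5, "203.0.113.7", False) for i in range(15)]  # scanner
    events.append((3.0, "198.51.100.20", True))     # correctly set-up phone
    events.append((3700.0, "203.0.113.7", False))   # scanner after expiry
    return sorted(events)


def replay(events, guard):
    return [guard.on_register(src, t, ok) for t, src, ok in events]


if __name__ == "__main__":
    print(replay(sample_events(), RegistrationGuard()))
```

As the post above points out, dropped packets still cross the link, so a rule like this protects CPU and memory on the PBX but not upstream bandwidth.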
pbxuser911, posted September 11, 2009:

Our 4.0 server also got attacked by the SAME IP. After 5 attempts the PBX DID in fact block out that IP.
hosted, posted November 10, 2009:

I thought this was a part of 3.4..? We are having asterisk scanners hit us all the time looking for blank SIP passwords.
jlumby, posted January 11, 2010:

I just got hit by the friendly scanner again, this time the source IP was 92.61.60.3. Unfortunately since Version 4 with DoS protection is still under development, it took the server down, until I could block it at the firewall. The packet capture looks identical to the one I posted above.
BillKang, posted November 23, 2010:

> I just got hit by the friendly scanner again, this time the source IP was 92.61.60.3 Unfortunately since Version 4 with DoS protection is still under development, it took the server down, until I could block it at the firewall. THe packet capture looks identical to the one I posted above

Did you get hit by the friendly-scanner again? If yes, I would like to give a solution. I had lots of experience related to the same topics.
YSJ3010, posted January 6, 2011:

> Did you got hit by the friendly-scanner again ? If yes, I would like to give a solution. I had lots of experience related to the same topics.

Can you please post your experience?
mattlandis, posted January 6, 2011:

Here is my comment on SIP security (as usual long winded, but I think interesting to people here ;-)

http://windowspbx.blogspot.com/2010/10/someone-is-attempting-to-hack-into-your.html
chrispopp, posted April 14, 2011:

> Did you got hit by the friendly-scanner again ? If yes, I would like to give a solution. I had lots of experience related to the same topics.

I'm also very interested in this matter. We were also hit.
Vodia PBX, posted April 15, 2011:

If you don't want to really open the service to the public, consider using a different port than port 5060 and telling your users about it. It just makes attacks 64000 times more difficult. And if you PnP your devices, they get the port number automatically.