How can I stop SipVicious ('friendly-scanner') from flooding my SIP server?

Posted by a1kmm on Server Fault
Published on 2013-10-28T12:41:12Z, indexed on 2013/10/28 15:57 UTC


I run a SIP server which listens on UDP port 5060, and needs to accept authenticated requests from the public Internet.

The problem is that occasionally it gets picked up by people scanning for SIP servers to exploit, who then sit there all day trying to brute force the server. I use credentials that are long enough that this attack will never feasibly work, but it is annoying because it uses up a lot of bandwidth.

I have tried setting up fail2ban to read the Asterisk log and ban IPs that do this with iptables, which stops Asterisk from seeing the incoming SIP REGISTER attempts after 10 failed attempts (which happens in well under a second at the rate of attacks I'm seeing). However, SipVicious-derived scripts do not immediately stop sending after getting an ICMP Destination Host Unreachable - they keep hammering the connection with packets. The time until they stop is configurable, but unfortunately it seems that the attackers doing these types of brute force attacks generally set the timeout to be very high (attacks continue at a high rate for hours after fail2ban has stopped them from getting any SIP response back once they have seen initial confirmation of a SIP server).

Is there a way to make it stop sending packets at my connection?
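The detection step the question describes (count failed REGISTER attempts per source address inside a time window, then hand the address to iptables) is shown below as an added, self-contained example; it is not code from the post, from fail2ban or from Asterisk. It assumes the chan_sip `Registration from '...' failed for '...'` NOTICE format, and every log line, extension and address in it is constructed for the demonstration (the `maxretry` and `findtime` names mirror fail2ban's settings but the logic here is standalone).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the NOTICE that Asterisk's chan_sip logs for a failed REGISTER
# (assumed format, modelled on chan_sip; other channel drivers log differently).
FAILED_REG = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '[^']*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?'"
    r" - (?P<reason>.+)$"
)


def _notice(ts, ip, reason="Wrong password", ext="100"):
    # Helper that fabricates one chan_sip-style NOTICE line for the sample log.
    return (f"[{ts}] NOTICE[2187] chan_sip.c: Registration from "
            f"'\"{ext}\"<sip:{ext}@192.0.2.1>' failed for '{ip}:5060' - {reason}")


# Constructed sample log: addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = (
    # a scanner hammering REGISTER: 12 failures inside two seconds
    [_notice(f"2013-10-28 12:41:{12 + i // 6:02d}", "203.0.113.5") for i in range(12)]
    # a slow guesser: three failures spread over about eight minutes
    + [_notice("2013-10-28 12:41:20", "198.51.100.7", "No matching peer found", "admin"),
       _notice("2013-10-28 12:45:00", "198.51.100.7", "No matching peer found", "admin"),
       _notice("2013-10-28 12:49:30", "198.51.100.7", "No matching peer found", "admin")]
    # a legitimate user who mistyped a password once
    + [_notice("2013-10-28 12:42:05", "192.0.2.9")]
    # unrelated lines the parser must ignore
    + ["[2013-10-28 12:42:06] VERBOSE[2187] chan_sip.c: Really destroying SIP dialog '1234@192.0.2.1'",
       "[2013-10-28 12:42:07] NOTICE[2187] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)"]
)


def parse_failures(lines):
    """Yield (timestamp, source_ip) for every failed-registration NOTICE; skip the rest."""
    for line in lines:
        m = FAILED_REG.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]


def offenders(lines, maxretry=10, findtime=600):
    """Return the sorted source IPs that failed `maxretry` or more times
    within any sliding window of `findtime` seconds."""
    window = timedelta(seconds=findtime)
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(lines):
        by_ip[ip].append(ts)

    banned = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0                       # left edge of the sliding window
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1              # drop failures older than findtime
            if end - start + 1 >= maxretry:
                banned.append(ip)
                break
    return sorted(banned)


def drop_rules(ips, port=5060):
    """Render a silent DROP rule per banned IP. DROP (unlike REJECT) sends no
    ICMP reply, so a scanner that ignores unreachables costs no outbound bytes."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG)
    print("banned:", bad)
    for rule in drop_rules(bad):
        print(rule)
```

Run as a script it bans only 203.0.113.5; loosening `maxretry` to 3 also catches the slow guesser at 198.51.100.7, and shrinking `findtime` to 60 seconds lets that one through again, which is the trade-off the two knobs encode. The `-j DROP` target is deliberate: REJECT answers every probe with an ICMP unreachable that the scanner ignores anyway, so DROP at least stops the server spending outbound bandwidth, although, as the question notes, the inbound flood continues until the scanner's own timeout expires.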

