How can I stop SipVicious ('friendly-scanner') from flooding my SIP server?
Posted
by
a1kmm
on Server Fault
See other posts from Server Fault
or by a1kmm
Published on 2013-10-28T12:41:12Z
Indexed on
2013/10/28
15:57 UTC
Read the original article
Hit count: 239
I run an SIP server which listens on UDP port 5060, and needs to accept authenticated requests from the public Internet.
The problem is that occasionally it gets picked up by people scanning for SIP servers to exploit, who then sit there all day trying to brute force the server. I use credentials that are long enough that this attack will never feasibly work, but it is annoying because it uses up a lot of bandwidth.
I have tried setting up fail2ban to read the Asterisk log and ban IPs that do this with iptables, which stops Asterisk from seeing the incoming SIP REGISTER attempts after 10 failed attempts (which happens in well under a second at the rate of attacks I'm seeing). However, SipVicious derived scripts do not immediately stop sending after getting an ICMP Destination Host Unreachable - they keep hammering the connection with packets. The time until they stop is configurable, but unfortunately it seems that the attackers doing these types of brute force attacks generally set the timeout to be very high (attacks continue at a high rate for hours after fail2ban has stopped them from getting any SIP response back once they have seen initial confirmation of an SIP server).
Is there a way to make it stop sending packets at my connection?
© Server Fault or respective owner