Brute force SIP attacks

Over recent months many users are finding they are suffering brute force attacks from servers in Romania and, more worryingly, from "servers" in the Amazon cloud.

http://www.stuartsheldon.org/blog/2010/ ... ec2-hosts/ and many other posts have more details on this attack and on Amazon's poor response to it.


These attacks also cause poor sound quality and many other QoS issues.


What can you do to protect yourself....


Make sure you have ACLs set up if you can and, most importantly, use STRONG passwords: don't use 1234, use something like nergt32uy5ue9n. Also keep an eye on your logs and keep the firewall or iptables rules up to date.

Also make sure your sip.conf file is set correctly. Make sure you have

alwaysauthreject=yes

and also make sure that the default context in sip.conf is very restricted: no DISA entries and no options to dial out.

You can also manually set your iptables firewall to block known hosts that are attacking, but this can be very labour intensive, so setting up a script or fail2ban to do it for you is a much better alternative.

On our customer servers we have a script running that keeps iptables updated, blocking rogue servers after a couple of attempts.
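As an added illustration of that approach (an example written for this page, not the script referred to above), here is a small Python tool that scans the Asterisk messages log for failed SIP registrations, counts them per source address and prints the iptables commands to block any host over a threshold. It assumes the chan_sip NOTICE line format written by Asterisk 1.x (check your own log and adjust the pattern if it differs); the sample log lines and addresses are constructed.

```python
import re
from collections import Counter

# Assumed chan_sip failed-registration NOTICE format (Asterisk 1.x).
# The source address is the quoted IP after "failed for"; newer
# versions append ":port", which the optional group absorbs.
FAILED_REG = re.compile(
    r"chan_sip\.c: Registration from '(?P<user>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.*)$"
)

# Constructed sample log (documentation IP ranges, not a real server).
# 203.0.113.5 walks through extensions; 198.51.100.7 is one mistyped
# password from a legitimate phone that then registers successfully.
SAMPLE_LOG = """\
[May 12 10:33:21] NOTICE[1234] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[May 12 10:33:21] NOTICE[1234] chan_sip.c: Registration from '"101"<sip:101@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[May 12 10:33:22] NOTICE[1234] chan_sip.c: Registration from '"102"<sip:102@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[May 12 10:33:22] NOTICE[1234] chan_sip.c: Registration from '"200"<sip:200@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[May 12 10:33:23] NOTICE[1234] chan_sip.c: Registration from '"103"<sip:103@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[May 12 10:33:25] VERBOSE[1234] -- Registered SIP '200' at 198.51.100.7:5060
"""


def count_failures(log_text):
    """Return a Counter of failed registration attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def find_offenders(log_text, threshold=3, allowlist=()):
    """IPs with at least `threshold` failures, skipping allowlisted addresses
    (your own phones, the carrier's proxies) so one typo cannot lock them out."""
    counts = count_failures(log_text)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allowlist)


def block_commands(offenders):
    """iptables commands that drop traffic from the offenders; review them,
    then run them or hand them to whatever maintains your firewall rules."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in offenders]


if __name__ == "__main__":
    for cmd in block_commands(find_offenders(SAMPLE_LOG)):
        print(cmd)
```

Run it from cron against /var/log/asterisk/messages (or let fail2ban apply the same regex as a filter) and the attacking host is dropped after a handful of attempts while the phone that mistyped its password once is left alone.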

It is also important to keep your call barring up to date. We resell Gradwell services, which means you can block numbers at their servers as well as your own.

World country codes are divided by continent as follows:

North America:
001xx (USA, Canada) plus some Caribbean countries

Africa:
002xx

Europe:
003xx (e.g. Ireland)
004xx (e.g. Poland)

Central and South America:
005xx (Mexico, Brazil, Chile ) plus some Caribbean countries

Australia and Oceania:
006xx (e.g. New Zealand) and some ASEAN countries (e.g. Brunei)

Asia:
007xx (Russia and post soviet countries),
008xx (China, Japan, Far East),
009xx (Middle East, India)


This is useful as it lets you fine-tune your call barring by continent: unless you have to call Africa, block access to 002 numbers, and so on.

You will find more and more carriers are blocking ranges as well, so that fraud is limited at their end too.


A final note: check that your carrier can put a daily spend limit on. If, for example, you only spend on average £20 per day, put a £30 per day limit on; that will, if all else fails, limit your loss to £30.

Also be VERY careful using mobile SIP clients. Wi-Fi sniffing is very common in places like airports, and most public Wi-Fi hotspots are unencrypted, so anyone nearby can see the traffic. We have seen examples of access to a system being gained this way.


SIP attacks are on the increase. Read our article on SIP security and look at the ITSPA document as well to make sure you are secure.
