On Tue, Apr 05, 2016 at 12:09:29AM +0100, Marrold wrote:
> I have been running a couple of Asterisk honeypots to get a better
> understanding of the tools and methods potential hackers are using to
> exploit SIP servers.
>
> I have observed many attacks from the 'sipcli' user agent that don't send
> ACKs. [...]
> Please could anyone point me in the right direction to detect these
> non-completed calls with a missing ACK in Kamailio? I am unsure of the
> terminology I should be using to search the online documentation.
Why do you care? The attacker doesn't care about receiving SIP messages; they are only interested in initiating a call to a target. If the target gets dialled you will be abused, by either another source with a fully functioning SIP stack or just something that might be spoofed.

What I do is blacklist addresses that send any SIP messages to my honeypots. This might be dangerous, since with UDP anything can be spoofed (so better make sure you have a whitelist and that there is no connection between the honeypots and your client-facing SIP platform).

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
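An added example, not from either poster: an offline Python check over constructed honeypot records that parses each SIP message, pairs every received INVITE with the honeypot's final response, and reports the callers that never send the ACK within a timeout, plus a whitelist-aware list of block candidates in the spirit of the reply above. The record layout, the sample traffic and `ACK_TIMEOUT` are assumptions.

```python
ACK_TIMEOUT = 32.0  # seconds; assumption, roughly RFC 3261 Timer H
# Constructed honeypot records: (timestamp, direction, peer_ip, raw SIP
# message). "in" = received by the honeypot, "out" = sent by it.
SAMPLE = [
    (0.0, "in", "203.0.113.7",
     "INVITE sip:1001@honeypot.example SIP/2.0\r\n"
     "Call-ID: abc123@203.0.113.7\r\nCSeq: 1 INVITE\r\n"
     "User-Agent: sipcli/v1.8\r\n\r\n"),
    (0.1, "out", "203.0.113.7",
     "SIP/2.0 200 OK\r\nCall-ID: abc123@203.0.113.7\r\nCSeq: 1 INVITE\r\n\r\n"),
    (1.0, "in", "198.51.100.9",
     "INVITE sip:1001@honeypot.example SIP/2.0\r\n"
     "Call-ID: def456@198.51.100.9\r\nCSeq: 1 INVITE\r\n"
     "User-Agent: Zoiper\r\n\r\n"),
    (1.1, "out", "198.51.100.9",
     "SIP/2.0 200 OK\r\nCall-ID: def456@198.51.100.9\r\nCSeq: 1 INVITE\r\n\r\n"),
    (1.3, "in", "198.51.100.9", "ACK sip:1001@honeypot.example SIP/2.0\r\n"
     "Call-ID: def456@198.51.100.9\r\nCSeq: 1 ACK\r\n\r\n"),
]

def parse(raw):
    """Split a SIP message into its start line and a lower-cased header dict."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def find_missing_acks(records, now, timeout=ACK_TIMEOUT):
    """{call_id: (src_ip, user_agent)} for received INVITEs with no ACK once
    `timeout` has passed since the final response (or the INVITE, if none)."""
    invites, final_at, acked = {}, {}, set()
    for ts, direction, peer, raw in records:
        start, h = parse(raw)
        cid = h.get("call-id", "")
        if direction == "in" and start.startswith("INVITE "):
            invites[cid] = (peer, h.get("user-agent", "?"), ts)
        elif direction == "in" and start.startswith("ACK "):
            acked.add(cid)
        elif direction == "out" and start.startswith("SIP/2.0 "):
            if int(start.split()[1]) >= 200 and cid in invites:
                final_at[cid] = ts  # final response the caller should ACK
    return {cid: (peer, ua) for cid, (peer, ua, ts) in invites.items()
            if cid not in acked and now >= final_at.get(cid, ts) + timeout}

def block_candidates(flagged, whitelist=frozenset()):
    """Source addresses worth blocking; whitelisted peers are never returned
    because a UDP source can be spoofed, as the reply above warns."""
    return {ip for ip, _ in flagged.values()} - set(whitelist)
```

Calls whose ACK deadline has not yet expired are left alone, so running the check too early reports nothing rather than flagging a legitimate in-progress call.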