I am interested in 'fingerprinting' various SIP scanner attacks and using them to intelligently block attacks, rather than just blindly blacklisting any SIP message to a honeypot.

Additionally I think it would be wise to detect these missing ACKs and/or incomplete transactions from a legitimately mis-configured or malfunctioning end point, to help protect the core network from needless re-transmissions. Having checked the Asterisk logs, this is what I'm looking to block if a certain threshold is exceeded:

[2016-04-05 13:10:52] WARNING[2010] chan_sip.c: Retransmission timeout reached on transmission eff430b8c1b6d21c2058049f41a7ec57 for seqno 1 (Critical Response)

Thanks

On Tue, Apr 5, 2016 at 1:14 PM, Daniel Tryba <d.tr...@pocos.nl> wrote:
> On Tue, Apr 05, 2016 at 12:09:29AM +0100, Marrold wrote:
> > I have been running a couple of Asterisk honey pots to get a better
> > understanding of the tools and methods potential hackers are using to
> > exploit SIP servers.
> >
> > I have observed many attacks from the 'sipcli' user agent that don't send
> > ACKs.
> [...]
> > Please could anyone point me in the right direction to detect these non
> > completed calls with a missing ACK in Kamailio? I am unsure on the
> > terminology I should be using to search the online documentation.
>
> Why do you care? The attacker doesn't care about receiving SIP messages,
> they are only interested in initiating a call to a target, if the target
> gets dialled you will be abused, by either another source with a fully
> functional SIP stack or just something that might be spoofed.
>
> What I do is blacklist addresses that send any SIP messages to my
> honeypots, might be dangerous since with UDP anything can be spoofed (so
> better make sure you have a whitelist and there is no connection between
> the honeypots and your client facing SIP platform)
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users@lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
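The two goals in the post above (fingerprinting scanner User-Agents such as 'sipcli', and counting INVITE transactions that never receive an ACK so that a misconfigured endpoint can be throttled once a threshold is exceeded) can be prototyped as a small transaction tracker before wiring anything into Kamailio. The following is an added illustration, not code from the thread, from Kamailio or from Asterisk. It assumes a minimal SIP header parser, constructed datagrams with RFC 5737 documentation addresses, an ACK wait of 32 seconds (modelled on the RFC 3261 default of 64*T1) and a threshold of three un-ACKed INVITEs; the User-Agent list is a constructed starting point with 'sipcli' from the post plus two widely published scanner banners.

```python
"""Constructed SIP transaction tracker: flags peers that present a known
scanner User-Agent and/or leave INVITE transactions without an ACK.
Added illustration; not Kamailio's or Asterisk's code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed fingerprint list: 'sipcli' from the post, plus two well-known
# public scanner banners. Extend from your own honeypot observations.
SCANNER_UA = re.compile(r"sipcli|friendly-scanner|sipvicious", re.I)


@dataclass
class SipMsg:
    method: Optional[str]   # request method, or None for a response
    status: Optional[int]   # response code, or None for a request
    call_id: str
    cseq_num: int
    cseq_method: str
    user_agent: str


def parse_sip(raw: str) -> SipMsg:
    """Parse just enough of a SIP message: start line and a few headers."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    start, hdrs = lines[0], {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    if start.startswith("SIP/2.0 "):
        method, status = None, int(start.split()[1])
    else:
        method, status = start.split()[0].upper(), None
    num, cseq_method = hdrs["cseq"].split(None, 1)
    return SipMsg(method, status, hdrs["call-id"], int(num),
                  cseq_method.strip().upper(), hdrs.get("user-agent", ""))


class AckTracker:
    """Per-peer tally of INVITE transactions whose ACK never arrived."""

    def __init__(self, ack_timeout: float = 32.0, threshold: int = 3):
        self.ack_timeout = ack_timeout      # seconds to wait for ACK after final response
        self.threshold = threshold          # un-ACKed transactions before blocking
        self.awaiting_ack = {}              # (call_id, cseq) -> (peer, time final sent)
        self.unacked = defaultdict(int)     # peer -> timed-out transactions
        self.scanner_hits = defaultdict(int)

    def observe(self, now: float, peer: str, inbound: bool, raw: str) -> None:
        """Feed one datagram; 'peer' is the remote address in both directions."""
        msg = parse_sip(raw)
        key = (msg.call_id, msg.cseq_num)  # ACK carries the INVITE's CSeq number
        if inbound and msg.method == "INVITE" and SCANNER_UA.search(msg.user_agent):
            self.scanner_hits[peer] += 1
        elif (not inbound and msg.status is not None and msg.status >= 200
              and msg.cseq_method == "INVITE"):
            self.awaiting_ack[key] = (peer, now)  # final response sent, ACK owed
        elif inbound and msg.method == "ACK":
            self.awaiting_ack.pop(key, None)
        self.expire(now)

    def expire(self, now: float) -> None:
        """Count transactions whose ACK timer has run out against the peer."""
        for key, (peer, t_final) in list(self.awaiting_ack.items()):
            if now - t_final >= self.ack_timeout:
                del self.awaiting_ack[key]
                self.unacked[peer] += 1

    def verdict(self, peer: str) -> str:
        if self.scanner_hits[peer]:
            return "block:scanner-ua"
        if self.unacked[peer] >= self.threshold:
            return "block:unacked-invites"
        return "allow"


def _invite(call_id: str, ua: str) -> str:
    return (f"INVITE sip:1000@203.0.113.1 SIP/2.0\r\nCall-ID: {call_id}\r\n"
            f"CSeq: 1 INVITE\r\nUser-Agent: {ua}\r\n\r\n")


def _reply(code: int, reason: str, call_id: str) -> str:
    return f"SIP/2.0 {code} {reason}\r\nCall-ID: {call_id}\r\nCSeq: 1 INVITE\r\n\r\n"


def run_demo() -> dict:
    """Constructed traffic: a scanner, a broken phone that never ACKs, a good phone."""
    tr, t = AckTracker(ack_timeout=32.0, threshold=3), 0.0
    for i in range(4):  # 203.0.113.5: sipcli, challenged four times, no ACKs
        tr.observe(t, "203.0.113.5", True, _invite(f"scan-{i}", "sipcli/1.8"))
        tr.observe(t + 0.1, "203.0.113.5", False,
                   _reply(407, "Proxy Authentication Required", f"scan-{i}"))
        t += 1.0
    for i in range(3):  # 198.51.100.7: ordinary UA, three rejections, never ACKs
        tr.observe(t, "198.51.100.7", True, _invite(f"bad-{i}", "BrokenPhone/0.1"))
        tr.observe(t + 0.1, "198.51.100.7", False, _reply(404, "Not Found", f"bad-{i}"))
        t += 1.0
    tr.observe(t, "198.51.100.9", True, _invite("good-0", "GoodPhone/2.0"))
    tr.observe(t + 0.1, "198.51.100.9", False, _reply(404, "Not Found", "good-0"))
    tr.observe(t + 0.2, "198.51.100.9", True,
               "ACK sip:1000@203.0.113.1 SIP/2.0\r\nCall-ID: good-0\r\nCSeq: 1 ACK\r\n\r\n")
    tr.expire(t + 60.0)  # let every outstanding ACK timer run out
    return {p: tr.verdict(p) for p in ("203.0.113.5", "198.51.100.7", "198.51.100.9")}


if __name__ == "__main__":
    print(run_demo())
```

The tracker keys transactions on (Call-ID, CSeq number) because the ACK for a final response reuses the INVITE's CSeq number, so both the hop-by-hop ACK for a non-2xx and the end-to-end ACK for a 2xx clear the same entry. The two verdict reasons are kept separate on purpose: a scanner match is a reason to drop the source outright, while the un-ACKed count is what the post wants to throttle for a legitimately broken endpoint, and that can be handled more gently (rate limit, alert the customer) than a blacklist. With UDP transport a spoofed source can trip either rule, so feed the tracker only from addresses you are prepared to block and, as the quoted reply suggests, keep a whitelist of your own infrastructure.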