Koozali.org: home of the SME Server

SIP REGISTER Flood Attack

apmuthu
SIP REGISTER Flood Attack
« on: January 21, 2011, 06:15:03 PM »
SME 7.4 with SAIL 2.x with 20 extensions and only 5 of them active - all remote SIP clients.
Last week there was a spate of dictionary attacks and sniffing for phpmyadmin. This week there is a continuing spate of SIP REGISTER messages that increased the ping latency from 50ms to 1300ms. Servers in the Amazon EC2 cloud and Linode.com were used to mount the attacks. Informed Amazon EC2 of the abuse and await their action.

Ref: http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/
Ref: http://blog.sipvicious.org/
Ref: Don't drown in Registration Flood: http://www.inchalbase.com/waket02/img/pdf/datasheets/lab_ot_dditrfnote.pdf
Ref: Whitelist for SIP Reg: http://www.ieee-cqr.org/2010/Day%202/Technical%20Session%20-%202/%283%29EricChen.pdf
Ref: SNOM SIP Flood Tracing: http://wiki.snom.com/Settings/flood_tracing
Ref: http://wiki.contribs.org/SME_Server:Documentation:FAQ#Block_incoming_IP_address
Ref: http://www.dslreports.com/forum/r24116233-General-Amazon-EC2-SIP-Flood-Attack-Complaints-Remain-Unanswer

/var/log/asterisk/messages shows that SIP Scans created DoS from 4 IPs:
Code:
64.34.165.112 : sb103.successfulmatch.com / ns1.datingopinions.com - godaddy
109.74.193.250 : li140-250.members.linode.com - ns1.linode.com
184.106.64.217 : 184-106-64-217.static.cloud-ips.com - NS1.SLICEHOST.NET - tucowsdomains
184.106.95.80 : 184-106-95-80.static.cloud-ips.com - NS1.SLICEHOST.NET - tucowsdomains
188.72.203.179 - Bora Ismen, c/o Dynaceron LLC, Canada & Simon Roehl, netdirekt e. K., Frankfurt
88.208.193.245 - server88-208-193-245.live-servers.net - NS1.LIVE-SERVERS.NET - Mark Wood, Fasthosts Internet Limited, UK
122.224.135.163 - ZHEJIANG SHANGLIAN Enterprise Business Services Ltd.

The log file was over 700 MB in size. Downloaded it after:
Code:
tar -zcvf messages-0.tar.gz /var/log/asterisk/messages
Used LTFViewer to view it. Get it at: http://www.swiftgear.com/

Code:
service sark stop
nano /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff

# contents of /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff
/sbin/iptables -I INPUT -s 184.106.0.0/16 -j REJECT
/sbin/iptables -I INPUT -s 109.74.0.0/16 -j REJECT
/sbin/iptables -I INPUT -s 64.34.165.112/32 -j REJECT
/sbin/iptables -I INPUT -s 194.44.43.0/24 -j REJECT
/sbin/iptables -I INPUT -s 195.38.0.0/16 -j REJECT
/sbin/iptables -I INPUT -s 59.66.0.0/16 -j REJECT
/sbin/iptables -I INPUT -s 91.121.0.0/19 -j REJECT
/sbin/iptables -I INPUT -s 122.224.135.160/29 -j REJECT
/sbin/iptables -I INPUT -s 188.72.203.0/24 -j REJECT
/sbin/iptables -I INPUT -s 88.208.193.0/24 -j REJECT


chmod 755 /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart

service sark start

# Verification:
iptables -L > /var/log/asterisk/iptablesvalues.txt
iptables -L -vn > filter-iptables.txt
iptables -t nat -L -vn > nat.txt

While the above managed to stem the effect of the attack, the REJECT packets were still causing a DoS by bandwidth denial. DROP packets were not used as it would bloat the logs. The ping rate still remains the same though - very high indeed.
« Last Edit: January 23, 2011, 04:38:19 AM by apmuthu »

apmuthu
Re: SIP REGISTER Flood Attack
« Reply #1 on: January 22, 2011, 06:17:11 AM »
It appears that Amazon EC2 has only an automated means of responding to Abuse (until it possibly affects them). Here is the reply received from them despite the log entries being correct as to the time:
Quote
     Date: Sat, 22 Jan 2011 00:39:48 +0000 (UTC)
     From: Amazon EC2 Abuse <ec2-abuse@amazon.com>
Reply-To: Amazon EC2 Abuse <ec2-abuse@amazon.com>
  Subject: Your Amazon EC2 Abuse Report [50125823999]
       To: "MYWEBMASTERSEMAIL" <MYWEBMASTERSEMAIL>

Dear Abuse Reporter,

Thank you for submitting your abuse report. We're unable to process your report because the date/time you provided was invalid. This information is critical for identifying the user involved in the abuse. Please re-submit the Amazon EC2 Abuse Report Form with updated information so we may proceed with processing your report:
http://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse

You entered:
Reporter first name: MYFNAME
Reporter last name: MYLNAME
Organization: MYCOMPANYNAME
E-mail address: MYWEBMASTERSEMAIL
Phone: +65-96180119
Source IPs: 184.106.95.80,184.106.64.217
Destination IPs: MYSIPSERVERIP
Destination ports: 5060/UDP/TCP/SIP
Time zone: +0800
Start date: 2011/01/21
Start time: 03:50
The host's clock is synchronized by NTP: checked
Abuse type: intrusion-attempts
Logs: [Jan 20 03:50:39] NOTICE[4960] chan_sip.c: Registration from '"5003" <sip:5003@MYSIPSERVERIP>' failed for '184.106.95.80' - Wrong password

[Jan 20 05:39:29] NOTICE[4960] chan_sip.c: Registration from '"5011" <sip:5011@MYSIPSERVERIP>' failed for '184.106.64.217' - Wrong password

Comments: Attacks commenced from 17th Jan 2011 onwards and still continues - our IPTABLES are now set to REJECT packets from the '184.106.0.0/16 subnet for now. Several times a second from the following IPs:
64.34.165.112 : sb103.successfulmatch.com / ns1.datingopinions.com - godaddy
109.74.193.250 : li140-250.members.linode.com - ns1.linode.com
184.106.64.217 : 184-106-64-217.static.cloud-ips.com -  NS1.SLICEHOST.NET - tucowsdomains
184.106.95.80 : 184-106-95-80.static.cloud-ips.com - NS1.SLICEHOST.NET  - tucowsdomains

apmuthu
Re: SIP REGISTER Flood Attack
« Reply #2 on: January 23, 2011, 02:54:35 AM »
Expect that the above would serve as a reference for the law enforcement agencies if they (intelligence agencies) themselves are not the perpetrators in this case for reasons best known to them.

Lesson learned: Block Amazon EC-2 IPs and linode.com IPs if you do not need them!

apmuthu
Re: SIP REGISTER Flood Attack
« Reply #3 on: January 23, 2011, 04:15:11 AM »
Used a simple block ip script - /root/blockip.sh as below:
Code:
#!/bin/sh
# Usage: ./blockip.sh <ip-or-cidr>   e.g. ./blockip.sh 20.30.40.0/24
[ -n "${1}" ] || { echo "usage: $0 <ip|cidr>" >&2; exit 1; }
RULEFILE=/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff
TOINSERTFWLINE="/sbin/iptables -I INPUT -s ${1} -j REJECT"
# Append the rule only if it is not already in the template fragment.
grep -qxF "${TOINSERTFWLINE}" "${RULEFILE}" || echo "${TOINSERTFWLINE}" >> "${RULEFILE}"
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart

Prepare the 40DenyRiffRaff and blockip.sh files for the first time as below:
Code:
chmod 700 /root/blockip.sh
touch /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff
chmod 755 /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff

Usage (example IP to block - 20.30.40.0/24):
Code:
cd /root
./blockip.sh 20.30.40.0/24
« Last Edit: January 23, 2011, 04:18:03 AM by apmuthu »

apmuthu
Re: SIP REGISTER Flood Attack
« Reply #4 on: January 23, 2011, 08:41:46 AM »
A nice Auto Block IP script is available here.
Quote
To help identify the traffic blocked as asterisk related, a new chain will be created appropriately called… asterisk.

Here’s how to add the new chain:
Code:
iptables -N asterisk
iptables -A INPUT -j asterisk
iptables -A FORWARD -j asterisk
This will help identify hosts blocked for failed registrations.


After the file /var/log/asterisk/messages has been read, the IP addresses are counted (each count is a failed attempt), compared against the existing blocked hosts, and new occurrences are blocked. With this script we are blocking any host after the 4th failed attempt.
Code:
#!/usr/bin/perl -w
use strict;
use warnings;

# Block any host with this many (or more) failed registrations.
my $threshold = 4;

my @failhost;
my %currblocked;
my %addblocked;

open(my $log, '<', '/var/log/asterisk/messages')
    or die "\n$!. Does the log file exist?\n\n";
while (my $line = <$log>) {
    chomp($line);
    # Asterisk writes a plain hyphen before the failure reason; only an
    # IPv4 address is captured so nothing else from the log reaches iptables.
    if ($line =~ m/' failed for '(\d+\.\d+\.\d+\.\d+)' - No matching peer found/) {
        push(@failhost, $1);
    }
    if ($line =~ m/' failed for '(\d+\.\d+\.\d+\.\d+)' - Wrong password/) {
        push(@failhost, $1);
    }
}
close($log);

# Hosts already present in the asterisk chain.
my $blockedhosts = `/sbin/iptables -n -L asterisk`;
for my $line2 (split /\n/, $blockedhosts) {
    if ($line2 =~ m/(\d+\.\d+\.\d+\.\d+)\s+/) {
        $currblocked{$1} = 'blocked';
    }
}

print "$_\n" for sort keys %currblocked;

if (@failhost) {
    count_unique(@failhost);
    while (my ($ip, $count) = each(%addblocked)) {
        if (exists $currblocked{$ip}) {
            print "$ip already blocked\n";
        } elsif ($count >= $threshold) {
            # List form of system() avoids passing the address through a shell.
            system('/sbin/iptables', '-I', 'asterisk', '-s', $ip, '-j', 'DROP');
            print "$ip blocked. $count attempts.\n";
        }
    }
} else {
    print "no failed registrations.\n";
}

# Count occurrences of each host and store the totals in %addblocked.
sub count_unique {
    my %count;
    $count{$_}++ for @_;
    $addblocked{$_} = $count{$_} for keys %count;
}

Schedule it with cron: The final step is to schedule your script to run every X minutes in cron. We’ve chosen to run our script every 2 minutes, but you can change this to 1 minute or any other time period you choose. Just remember… you can receive thousands of attempts within 2 minutes.

If you have named your script check-failed-regs.pl and placed it in your /usr/local/bin directory, your cron statement would look like this:

Code:
*/2 * * * * perl /usr/local/bin/check-failed-regs.pl &> /dev/null
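As an added illustration, not code from this thread or from the blog quoted above, the following Python reproduces the counting logic of that Perl script and applies the 4-attempt threshold the text describes, but in dry-run form: it only prints the iptables commands it would run. The log lines and the chain listing are constructed samples using documentation-range addresses, and `parse_blocked` assumes the column layout that `iptables -n -L asterisk` prints; the optional `:port` after the address is an assumption for later Asterisk versions, since the lines quoted in this thread carry none.

```python
import re
from collections import Counter

# Asterisk chan_sip registration failures as written to /var/log/asterisk/messages.
# Later Asterisk versions append ":port" to the address; the optional group
# tolerates that (assumption; the thread's own lines carry no port).
FAIL_RE = re.compile(
    r"chan_sip\.c: Registration from '(?P<user>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
    r"(?P<reason>Wrong password|No matching peer found)"
)

# Constructed sample log (documentation-range addresses, not real attackers).
SAMPLE_LOG = """\
[Jan 20 03:50:39] NOTICE[4960] chan_sip.c: Registration from '"5003" <sip:5003@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Jan 20 03:50:40] NOTICE[4960] chan_sip.c: Registration from '"5003" <sip:5003@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Jan 20 03:50:41] NOTICE[4960] chan_sip.c: Registration from '"5004" <sip:5004@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Jan 20 03:50:42] NOTICE[4960] chan_sip.c: Registration from '"5005" <sip:5005@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Jan 20 03:50:43] NOTICE[4960] chan_sip.c: Registration from '"5006" <sip:5006@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Jan 20 03:51:02] NOTICE[4960] chan_sip.c: Registration from '"1000" <sip:1000@203.0.113.10>' failed for '192.0.2.44' - No matching peer found
[Jan 20 03:51:03] NOTICE[4960] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.10>' failed for '192.0.2.44' - No matching peer found
[Jan 20 03:52:10] NOTICE[4960] chan_sip.c: Registration from '"5011" <sip:5011@203.0.113.10>' failed for '198.51.100.200:5060' - Wrong password
[Jan 20 03:52:11] NOTICE[4960] chan_sip.c: Registration from '"5011" <sip:5011@203.0.113.10>' failed for '198.51.100.200:5060' - Wrong password
[Jan 20 03:52:12] NOTICE[4960] chan_sip.c: Registration from '"5011" <sip:5011@203.0.113.10>' failed for '198.51.100.200:5060' - Wrong password
[Jan 20 03:52:13] NOTICE[4960] chan_sip.c: Registration from '"5011" <sip:5011@203.0.113.10>' failed for '198.51.100.200:5060' - Wrong password
[Jan 20 03:55:00] NOTICE[4960] chan_sip.c: Peer '5003' is trying to register, but not configured as host=dynamic
"""

# Constructed sample of `iptables -n -L asterisk` with one host already blocked.
SAMPLE_IPTABLES = """\
Chain asterisk (2 references)
target     prot opt source               destination
DROP       all  --  198.51.100.200       0.0.0.0/0
"""


def count_failures(lines):
    """Return a Counter of failed registrations per source IP."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def parse_blocked(iptables_listing):
    """Extract the source addresses already present in the chain listing."""
    blocked = set()
    for line in iptables_listing.splitlines():
        fields = line.split()
        # Rule lines look like: <target> <prot> -- <source> <destination>
        if len(fields) >= 5 and fields[2] == "--":
            blocked.add(fields[3].split("/")[0])
    return blocked


def plan_blocks(counts, already_blocked, threshold=4):
    """Hosts at or above the threshold that are not yet blocked, busiest first."""
    candidates = (
        (ip, n) for ip, n in counts.items()
        if n >= threshold and ip not in already_blocked
    )
    return sorted(candidates, key=lambda item: (-item[1], item[0]))


def iptables_commands(plan, chain="asterisk"):
    """Render the rules the Perl script would execute, without running them."""
    return [f"/sbin/iptables -I {chain} -s {ip} -j DROP" for ip, _ in plan]


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG.splitlines())
    blocked = parse_blocked(SAMPLE_IPTABLES)
    for ip in sorted(blocked):
        print(f"{ip} already blocked ({counts.get(ip, 0)} attempts in log)")
    plan = plan_blocks(counts, blocked)
    for ip, n in plan:
        print(f"{ip}: {n} failed attempts, would block")
    for cmd in iptables_commands(plan):
        print(cmd)
```

Two points the sample makes visible: the host with two "No matching peer found" failures stays below the threshold, and the host already in the chain is skipped even though its count qualifies. As in the Perl script, counts are taken over the whole log file, so they keep growing until the log is rotated; a cron job that runs every two minutes should either read only the lines added since the last run or accept that a host will be flagged again on every pass.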

Teviot
Re: SIP REGISTER Flood Attack
« Reply #5 on: February 10, 2011, 03:33:17 AM »
Has anyone tried this and what was the result?

Unless I am missing something the above never executed.

apmuthu

Could you include step-by-step instructions on what to do and how to do this, please?
« Last Edit: February 10, 2011, 05:49:08 AM by M0GLJ »
Regards
M0GLJ
......................................................
I am new to SAIL SME Server v8b6 and have been using SME for many years.
I have already done some research and only ask questions if I still can't work it out.

SARK devs (http://sarkpbx.com)
Re: SIP REGISTER Flood Attack
« Reply #6 on: February 10, 2011, 01:23:01 PM »
Thanks for this post AP

We use OSSEC to do this on the .iso and on customer boxes.  However, I think we will use this (or something similar) for the WARP, which needs something lighter than full-blown OSSEC.

I'll let you know how we get on with it.

S

Teviot
Re: SIP REGISTER Flood Attack
« Reply #7 on: February 12, 2011, 04:58:30 AM »
apmuthu

Could you include step-by-step instructions on what to do and how to do this, please?

Bump

Or anyone for that matter. I don't know much about cron job.
Regards
M0GLJ