[ale] SIP attack

[Chris Fowler]

Our PBX was attacked and hacked.  Lost about $72 in SIP charges.  I've
implemented fail2ban and have changed our passwords.  Looking at other
things to do as well.

I know fail2ban works because there was an attempt today and fail2ban
did exactly what it should.

Chris

On Thu, 2010-10-14 at 15:47 -0400, Paul Cartwright wrote:
> justg read this on a fedora list, if anyone runs a VOIP server:
> 
> This is off topic, but I thought I should tell people.
> 
> This past weekend, I suffered a DOS attack launched against VOIP SIP
> Clients.  The attack came, at different times, from 3 separate IP addresses.
> 
> I blocked the IP addresses using IP Tables when I discovered it.
> 
> The attack was a bombardment of several hundred SIP REGISTER requests,
> per second, with a user agent of friendly-scanner.
> The attack was a sustained attack over three days.
> 
> I contacted my ISP.  They told me they have taken steps.
> 
> I contacted 2 of the 3 owners of the offending IP addresses.
> The third owner of the IP address was a job site address in China,
> and I couldn't figure out how to contact them.
> 
> In my case, I run the VOIP SIP program, twinkle.
> 
> Twinkle started consuming vast amounts of memory, going from a normal 5
> MiB usage to 500-600 MiB usage, before I realized what was happening.
> 
> Twinkle attempted to respond to each incoming packet with an outgoing
> SIP error packet.
> 
> I posted a message on the yahoo group used by twinkle asking what they
> could do to better handle such an attack.
> 
> If you suddenly seem to have memory problems, I suggest running
> something like System Monitor to find out what applications have memory.
> 
> I also be on the lookout for unexpectedly high internet traffic.
> 
> This message is off-topic, because it is not specific to Fedora.
> I thought it wouldn't hurt to let people know of this type of attack.
> I hope people don't object to this off-topic post.