
Block SIP attacks using Mikrotik Firewall

Posted: Wed Dec 04, 2013 1:30 pm
by Martijnscheffer
Hi,

Sorry I am new to the forum so let me know if I add this topic to the incorrect section.

I am using an RB1200 v5.21 and trying to set up a firewall to block unwanted SIP traffic / attacks to my Asterisk server, without blocking the IPs of the genuine customers.
I have tried to block IP addresses after 15 x content="SIP/2.0 401 Unauthorized" within a certain period of time, but eventually this will also block my genuine customers, as SIP traffic always responds with content="SIP/2.0 401 Unauthorized" before connecting. (I also tried the same method with 403 Forbidden.)

Does anyone know a good method to block unwanted SIP traffic on the Mikrotik Firewall without blocking the IP addresses of genuine customers?
Also, allowing only the customers' IP addresses is not an option, as they take their VoIP phones with them to different locations.

Thank you,

Martijn.

Re: Block SIP attacks using Mikrotik Firewall

Posted: Thu Dec 05, 2013 2:11 am
by aaronhun22
You can use SPI on new connections with:
# Rule 1: anything already on the "SIP Hacker" list is dropped
/ip firewall filter add chain=forward in-interface=ether1-gateway src-address-list="SIP Hacker" action=drop
# Rule 2: a new SIP connection from an address still on "SIP Trial" puts that address on "SIP Hacker" for one day
/ip firewall filter add chain=forward protocol=udp dst-port=5060 connection-state=new src-address-list="SIP Trial" in-interface=ether1-gateway action=add-src-to-address-list address-list="SIP Hacker" address-list-timeout=1d
# Rule 3: every new SIP connection puts its source on "SIP Trial" for 15 seconds (order matters: this must stay below rule 2)
/ip firewall filter add chain=forward src-address=0.0.0.0/0 protocol=udp dst-port=5060 in-interface=ether1-gateway connection-state=new action=add-src-to-address-list address-list="SIP Trial" address-list-timeout=00:00:15
What this does is watch for new SIP registration connections on port 5060, and if they can't get a successful handshake with your SIP server within 15 seconds (authentication should only take 3 seconds or less) then their IP is banned for 1 day. This actually works with other servers such as SSH, FTP, etc.

Re: Block SIP attacks using Mikrotik Firewall

Posted: Thu Dec 05, 2013 3:36 pm
by Martijnscheffer
Hi Aaronhun22.
I have been testing it and it seems to work well in a small test environment; now I am going to implement it on our main routers.
I have been trying to find a good solution for a while now and have tried all sorts of complicated things.
Yours, however, seems a fairly simple yet most effective solution.

Thanks a lot,

Martijn.

Re: Block SIP attacks using Mikrotik Firewall

Posted: Fri Jan 03, 2014 5:02 pm
by Martijnscheffer
Unfortunately we found this not to work after doing more testing.
All the rule does is block an IP if there is a second connection coming in from the same IP within 15 seconds (despite registration).
If a customer tried to register 2 or more SIP devices at the same time, his IP would get blocked.

Any other ideas are much appreciated.

Re: Block SIP attacks using Mikrotik Firewall

Posted: Thu Jan 09, 2014 2:19 am
by aaronhun22
You can change the timeout to more than 15 sec. Also, if 1 IP already has a registered phone and a new one tries, it will start a new 15 sec trial. It's like you said: connections are only blocked during the 15 sec trial. 15 is long, since registration usually takes only 3 sec per device.

Re: Block SIP attacks using Mikrotik Firewall

Posted: Thu Jan 09, 2014 11:49 am
by Martijnscheffer
OK, but we have locations with over 20 SIP devices.
If the router reboots, they will all try to register at the same time and the IP will definitely get blocked.
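To make concrete what the three rules from aaronhun22's Dec 05 post actually do, and why Martijn sees an office of 20 phones banned when they all re-register after a reboot, here is a small Python model of both address lists, plus a per-source rate-limit alternative. This is an added example written for this page, not code posted in the thread and not MikroTik's own; the address-list semantics it assumes (re-adding an address refreshes its timeout, add-src-to-address-list does not stop rule processing), the mapping of the rate limiter onto a dst-limit rule keyed on source address, and all traffic in it are constructed assumptions to check against your own RouterOS version.

```python
"""Model of the trial/ban rules from this thread and a rate-limit alternative.

Added example, not code from the thread.  Each event is (time_seconds, src_ip)
for a packet conntrack marks connection-state=new on UDP/5060.  A second phone
behind the same NAT uses a different source port, so it is a new connection
even when another phone from that address is already registered.
"""
from collections import defaultdict

TRIAL_TIMEOUT = 15          # address-list-timeout=00:00:15 in the posted rule
BAN_TIMEOUT = 24 * 3600     # address-list-timeout=1d


class AddressList:
    """A RouterOS address list with a per-entry expiry time."""

    def __init__(self):
        self._expiry = {}   # ip -> absolute expiry time in seconds

    def contains(self, ip, now):
        exp = self._expiry.get(ip)
        if exp is not None and exp > now:
            return True
        self._expiry.pop(ip, None)   # expired entries fall off the list
        return False

    def add(self, ip, now, timeout):
        self._expiry[ip] = now + timeout   # assumption: re-adding refreshes the timeout


class TrialBanFirewall:
    """The three posted rules, evaluated top to bottom:
    1. src on "SIP Hacker"            -> drop
    2. new and src on "SIP Trial"     -> add src to "SIP Hacker" for 1d
    3. new                            -> add src to "SIP Trial" for 15s
    add-src-to-address-list is non-terminating, so the packet that earns the ban
    is itself still forwarded; dropping starts with the next packet.
    """

    def __init__(self):
        self.hacker = AddressList()
        self.trial = AddressList()

    def new_connection(self, now, ip):
        if self.hacker.contains(ip, now):
            return "drop"
        if self.trial.contains(ip, now):
            self.hacker.add(ip, now, BAN_TIMEOUT)
        self.trial.add(ip, now, TRIAL_TIMEOUT)
        return "forward"

    def banned(self, ip, now):
        return self.hacker.contains(ip, now)


class RateLimitFirewall:
    """Alternative: token bucket per source over new UDP/5060 connections,
    which is roughly what a dst-limit rule keyed on source address gives you
    (assumed mapping).  A source may open `burst` connections at once and
    `rate` per second on average; exhausting the bucket puts it on the ban list.
    """

    def __init__(self, burst=40, rate=1.0):
        self.burst, self.rate = burst, rate
        self.tokens = {}      # ip -> (tokens left, time of last update)
        self.hacker = AddressList()

    def new_connection(self, now, ip):
        if self.hacker.contains(ip, now):
            return "drop"
        tokens, last = self.tokens.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.tokens[ip] = (tokens - 1, now)
            return "forward"
        self.tokens[ip] = (0, now)
        self.hacker.add(ip, now, BAN_TIMEOUT)
        return "drop"

    def banned(self, ip, now):
        return self.hacker.contains(ip, now)


def run(firewall, events):
    """Feed (time, ip) events in time order; return {ip: [verdict, ...]}."""
    out = defaultdict(list)
    for now, ip in sorted(events):
        out[ip].append(firewall.new_connection(now, ip))
    return dict(out)


# Constructed traffic, not captured data:
OFFICE = "203.0.113.10"      # 20 phones re-registering within 2 s after a reboot
SCANNER = "198.51.100.77"    # extension brute-forcer, 5 new flows/s for a minute
OFFICE_EVENTS = [(100.0 + i * 0.1, OFFICE) for i in range(20)]
SCANNER_EVENTS = [(100.0 + i * 0.2, SCANNER) for i in range(300)]


def compare():
    """Number of dropped new connections per source under both rule sets."""
    result = {}
    for name, fw in (("trial_ban", TrialBanFirewall()), ("rate_limit", RateLimitFirewall())):
        verdicts = run(fw, OFFICE_EVENTS + SCANNER_EVENTS)
        result[name] = {ip: v.count("drop") for ip, v in verdicts.items()}
    return result


if __name__ == "__main__":
    print(compare())
```

Under the trial/ban rules the office address is banned on its third phone, exactly as Martijn describes, while the rate limiter lets the 20-phone burst through and still bans the scanner within about ten seconds; the burst value has to be set above the largest number of devices any one customer address will register at once. One caveat applies to both rule sets: they count conntrack's "new" connections, i.e. distinct UDP 5-tuples, so a scanner that sends all of its attempts from one source port within the UDP conntrack timeout is a single connection to the firewall and never trips either counter. That is why failed-authentication counting on the PBX side is still needed alongside these rules.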

Re: Block SIP attacks using Mikrotik Firewall

Posted: Fri Jan 10, 2014 10:22 pm
by aaronhun22
I can't answer for your PBX, but I do know that on Asterisk, when a SIP extension connection is lost, they don't re-register when the connection comes back online, because Asterisk already knows the IP address of the incoming extension. So for your router, SPI wouldn't treat these connections as new, since they're already established.

Re: Block SIP attacks using Mikrotik Firewall

Posted: Thu Aug 13, 2015 2:32 pm
by sveno
Great filters, thank you.

I have an odd problem though: although the drop rule on the forward chain gets 200 hits/second, the packets are still forwarded and NOT dropped. What could cause this?