Community discussions

MikroTik App
 
mrwes88
just joined
Topic Author
Posts: 7
Joined: Mon Oct 18, 2010 7:53 pm

PAYPAL CASH REWARD!! Filter to block rouge SIP registration

Mon Oct 18, 2010 8:08 pm

Hi All,

Lately (almost everyday), I have seen SIP registration attempt on our Asterisk SIP servers. The following are asterisk message log.

Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9973"<sip:9973@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9975"<sip:9975@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9979"<sip:9979@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9980"<sip:9980@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9983"<sip:9983@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9984"<sip:9984@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9985"<sip:9985@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9986"<sip:9986@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9987"<sip:9987@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9988"<sip:9988@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9989"<sip:9989@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9990"<sip:9990@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9991"<sip:9991@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9992"<sip:9992@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9993"<sip:9993@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9994"<sip:9994@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9995"<sip:9995@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9996"<sip:9996@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"9999"<sip:9999@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch
Oct 17 23:52:29 NOTICE[4570] chan_sip.c: Registration from '"10000"<sip:10000@XX.99.71.ZZ>' failed for '203.86.167.220' - Username/auth name mismatch

The rouge hacker are simply using scripts to attempt SIP account registration from 1-10000 and this blog down the asterisk trying to respond to a burst of hundreds of attempt in a seconds.

The filter #8 was in place to block attempt from sip_blacklist. Filter #9 attempt block any UDP packet destined for port 5060-5099 with a 1secs. burst of 25 attempt, by the destination address. The last filter #10 will add rogue hacker to the sip_blacklist. Please note that I intend to use the filter to block sip registration on all asterisk server behind the Mikrotik router. Did I screw up by using the INPUT and OUTPUT chain, as the Rule 8-10 does not work.

8 ;;; Drop SIP brute force registration
chain=input action=drop protocol=udp src-address-list=sip_blacklist dst-port=5060-5099

9 chain=output action=accept protocol=udp dst-port=5060-5099 dst-limit=1,25,dst-address/1m

10 chain=output action=add-dst-to-address-list protocol=udp address-list=sip_blacklist address-list-timeout=4w2d dst-port=5060-5099

I would very much appreciate if you could comment and point me to the right syntax to implement SIP registration hack attempt.

Thank you very much and Have a Nice day all :D
Last edited by mrwes88 on Tue Oct 26, 2010 7:26 am, edited 4 times in total.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 6044
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Filter to block rouge SIP registration attempt ?

Tue Oct 19, 2010 10:05 am

To block packets that go through the router, chain should be "forward".
 
pbel88
just joined
Posts: 9
Joined: Wed May 23, 2007 8:19 am

Re: Filter to block rouge SIP registration attempt ?

Tue Oct 19, 2010 9:21 pm

I'm having the same problem. But cannot find a way to make UDP port 5060-5099 to be recognize by the filter rule.

4 ;;; Drop sip brute force registration
chain=forward action=drop protocol=udp
src-address-list=Detected VoIP Hack dst-port=5060-5099

5 chain=forward action=accept protocol=udp dst-port=5060-5099
dst-limit=1,25,dst-address/1m40s

6 chain=forward action=add-dst-to-address-list protocol=udp
src-address-list=!Inside-IPs address-list=Detected VoIP Hack
address-list-timeout=4w2d dst-port=5060-5099

Nothing seems to be filtered.
 
mrwes88
just joined
Topic Author
Posts: 7
Joined: Mon Oct 18, 2010 7:53 pm

Re: Filter to block rouge SIP registration attempt ?

Wed Oct 20, 2010 1:51 am

I'm having the same problem. But cannot find a way to make UDP port 5060-5099 to be recognize by the filter rule.

4 ;;; Drop sip brute force registration
chain=forward action=drop protocol=udp
src-address-list=Detected VoIP Hack dst-port=5060-5099

5 chain=forward action=accept protocol=udp dst-port=5060-5099
dst-limit=1,25,dst-address/1m40s

6 chain=forward action=add-dst-to-address-list protocol=udp
src-address-list=!Inside-IPs address-list=Detected VoIP Hack
address-list-timeout=4w2d dst-port=5060-5099

Nothing seems to be filtered.
Hi,

Per suggestion posted, I've updated the chain to "forward" and it seems to take the update.

8 ;;; Drop SIP brute force registration
chain=forward action=drop protocol=udp src-address-list=sip_blacklist dst-port=5060-5099

9 chain=forward action=accept protocol=udp dst-port=5060-5099 dst-limit=1,10,dst-address/1m

10 chain=forward action=add-dst-to-address-list protocol=udp address-list=sip_blacklist address-list-timeout=4w2d dst-port=5060-5099

You have mentioned "make UDP port 5060-5099 to be recognize by the filter rule", are you not able to update the rule or what seems to be your issue here ?

Thanks.
 
mrwes88
just joined
Topic Author
Posts: 7
Joined: Mon Oct 18, 2010 7:53 pm

Re: Filter to block rouge SIP registration attempt ?

Wed Oct 20, 2010 2:00 am

To block packets that go through the router, chain should be "forward".
Hi,

Will appreciate if you could comment on the 3 filter rules posted earlier, will this stop rouge scripts/server from attempting
to request for a SIP registration with the Asterisk server ?

Thanks.
 
pbel88
just joined
Posts: 9
Joined: Wed May 23, 2007 8:19 am

Re: Mikrotik filter blocking rouge Asterisk SIP registration

Wed Oct 20, 2010 8:40 pm

I've changed my rules to indentify and route traffic UDP 5060-5099. But still nothing seems to be filtered. Bytes and packets counter are at 0. You can look at the picture attached.
counter.GIF
4 ;;; Checking for VoIP protectin
chain=forward action=jump jump-target=Protect VoIP protocol=udp
dst-port=5060-5099

5 chain=Protect VoIP action=accept protocol=udp dst-port=5060-5099
dst-limit=1,25,dst-address/1m40s

6 chain=Protect VoIP action=add-dst-to-address-list protocol=udp
src-address-list=!Inside-IPs address-list=Detected VoIP Hack
address-list-timeout=4w2d dst-port=5060-5099

7 chain=Protect VoIP action=drop protocol=udp
src-address-list=Detected VoIP Hack dst-port=5060-5099
You do not have the required permissions to view the files attached to this post.
 
mrwes88
just joined
Topic Author
Posts: 7
Joined: Mon Oct 18, 2010 7:53 pm

Re: Mikrotik filter blocking rouge Asterisk SIP registration

Thu Oct 21, 2010 4:49 pm

Mikrotik_SIP_Filter.png
My 2nd rule seems to work somewhat, but it failed to capture the hacker's source IP address to the filter list.
Will anyone from Mikrotik care to offer any advise or suggestion on getting a working filter to block rouge SIP registration.

I will offer a PayPal cash bounty of USD100 for your effort if the submission is tested
and proven to filter and block rouge hacker's SIP registration attempt . You effort will
be rewarded, please PM me directly or post it here 8)

Thank you.
You do not have the required permissions to view the files attached to this post.
 
pbel88
just joined
Posts: 9
Joined: Wed May 23, 2007 8:19 am

Re: REWARD! Filter to block rouge Asterisk SIP registration

Fri Oct 22, 2010 12:16 am

I'll give 50$ trough Paypal either!
 
changeip
Forum Guru
Forum Guru
Posts: 3819
Joined: Fri May 28, 2004 5:22 pm

Re: REWARD! Filter to block rouge Asterisk SIP registration

Fri Oct 22, 2010 1:03 am

I can do it. Do you want to block failed registrations, or failed invites? They are not the same...
Colo and Wholesale Bandwidth Available! Sales at SanDiegoBroadband dot com
 
pbel88
just joined
Posts: 9
Joined: Wed May 23, 2007 8:19 am

Re: REWARD! Filter to block rouge Asterisk SIP registration

Fri Oct 22, 2010 1:57 am

I can't tell you if it's to block failed registrations, or failed invites?

All I can tell is that I get several attemps in a short period of time. Look at the log below. Those attempts can be as high as 70 requests per seconds. All I want is to be able to trigger, tag hacker, drop and ban future attempts and hacker if the amount of request is higher than 50 or customizable threshold per second. You can see that they are all coming from the same IP. If you see a better way of doing it, feel free to tell.

[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"andrew"<sip:andrew@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"hello"<sip:hello@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"maggie"<sip:maggie@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"monday"<sip:monday@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"pascal"<sip:pascal@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"Smokey"<sip:Smokey@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"baseball"<sip:baseball@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"daniel"<sip:daniel@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"diamond"<sip:diamond@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"joshua"<sip:joshua@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"michelle"<sip:michelle@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"mike"<sip:mike@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"silver"<sip:silver@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"1q2w3e"<sip:1q2w3e@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"Friends"<sip:Friends@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"George"<sip:George@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"falcon"<sip:falcon@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"fuckyou"<sip:fuckyou@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
[Oct 15 23:00:56] NOTICE[16142] chan_sip.c: Registration from '"pepper"<sip:pepper@192.168.88.20:5060>' failed for '184.106.247.188' - No matching peer found
 
mrwes88
just joined
Topic Author
Posts: 7
Joined: Mon Oct 18, 2010 7:53 pm

Re: REWARD! Filter to block rouge Asterisk SIP registration

Fri Oct 22, 2010 8:28 pm

I can do it. Do you want to block failed registrations, or failed invites? They are not the same...
The following would be the logic

. Check "SIP blocked" filter list, if src-add = IP found in list. Drop packet.
. If packet from same src- add > 20/50 per seconds burst for 5060 SIP registration (failed) or SIP invites (failed)
block src-address for X secs
. Add src-add to "SIP blocked" filter list.

Thanks.
 
mrwes88
just joined
Topic Author
Posts: 7
Joined: Mon Oct 18, 2010 7:53 pm

Re: REWARD! Filter to block rouge Asterisk SIP registration

Tue Oct 26, 2010 7:24 am

No taker for the bounty ??? No one has a solution ???
 
changeip
Forum Guru
Forum Guru
Posts: 3819
Joined: Fri May 28, 2004 5:22 pm

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registrat

Tue Oct 26, 2010 6:56 pm

This is a first stab, it is by no means complete. But we can expand on it to fit your needs. After running this for a weekend I see 8 IP addresses in my list. You need to whitelist your SIP server (sip-auth) just in case, as well as any clients that seem to have problems with this. You then use the forward chain to drop packets in the sip-not-auth address-list:

/ip firewall mangle
add action=add-dst-to-address-list address-list=sip-not-auth \
address-list-timeout=2d1h chain=forward comment=\
"SIP Not Authorized Checking" connection-bytes=0-2048 content=\
"SIP/2.0 401 Unauthorized" disabled=no dst-address-list=!sip-auth \
dst-limit=5,5,dst-address/30s in-interface=YOURWANPORT protocol=udp \
src-address=YOUR.PBX.SOURCE.ADDRESS src-port=5060-5069

If this isnt stable enough, I would suggest using a script on the linux box to parse the SIP log and use a port knock to Mikrotik to block them. If you want help doing it this way let me know.
Colo and Wholesale Bandwidth Available! Sales at SanDiegoBroadband dot com
 
mrwes88
just joined
Topic Author
Posts: 7
Joined: Mon Oct 18, 2010 7:53 pm

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registrat

Wed Oct 27, 2010 9:51 pm

Hi Changeip,

Thanks for your post, will appreciate if you could PM me with your contact.
 
changeip
Forum Guru
Forum Guru
Posts: 3819
Joined: Fri May 28, 2004 5:22 pm

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registrat

Thu Oct 28, 2010 12:46 am

sam at ChangeIP.com is my email
Colo and Wholesale Bandwidth Available! Sales at SanDiegoBroadband dot com
 
poxx
newbie
Posts: 27
Joined: Sun Apr 18, 2010 12:16 pm

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registrat

Fri Dec 17, 2010 12:29 am

Read this :
http://www.sunshinenetworks.com.au/how- ... knock.html

It fixes your exact problem.

Cheers.
 
changeip
Forum Guru
Forum Guru
Posts: 3819
Joined: Fri May 28, 2004 5:22 pm

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registrat

Fri Dec 17, 2010 2:07 am

thats a good idea. if you know the clients who are registering and dont mind manually helping them get setup the first time that works well.
Colo and Wholesale Bandwidth Available! Sales at SanDiegoBroadband dot com
 
pbel88
just joined
Posts: 9
Joined: Wed May 23, 2007 8:19 am

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registrat

Wed Sep 07, 2011 6:09 pm

Adding this line "alwaysauthreject=yes" to sip.conf helped big time.
 
User avatar
Giepie
Member
Member
Posts: 432
Joined: Mon Sep 13, 2004 12:33 pm
Location: Western Cape, South Africa
Contact:

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registrat

Mon Feb 24, 2014 1:03 am

Hi guys

I know this is an old threat, but hopefully someone could help me out here.

I don't have a problem "catching" the SIP (UDP:5060) hackers, but I do have a problem rejecting them.

What I mean is this:
If I create a single filter rule with the hacker's IP as source, the counters goes ballistic, so I'm happy that any traffic from that IP will be "cought". But when trying Drop or Reject (with all its sub options), my external interface is still transmitting full blast (maxing out my outbound bandwidth).

I do understand that you don't have much control over traffic between your router and the Internet (your firewall only applies to traffic reaching the "inside" of your router), but surely there should be a way to make the hacker "give up" trying?

Eg:
2 chain=forward action=reject reject-with=icmp-network-unreachable src-address=188.0.0.0/8 in-interface=pppoe-out1

I redialed the PPPoE connection (to drop all established connections), but after a few seconds the hacker just comes back for more. I ended up creating a queue to limit that IP to 1bps up/down.

It's been a long day and I'm really tired, perhaps I'm missing the obvious, any help (even if you just shake me awake) would be extremely welcome!

Thanks a stack guys! G
The only thing Mikrotik lack, is to send power to your High Sites wirelessly.....
 
miahac
Long time Member
Long time Member
Posts: 515
Joined: Wed Dec 14, 2005 5:04 pm
Location: Wichita, KS

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registrat

Tue Jun 03, 2014 2:14 am

This is a first stab, it is by no means complete. But we can expand on it to fit your needs. After running this for a weekend I see 8 IP addresses in my list. You need to whitelist your SIP server (sip-auth) just in case, as well as any clients that seem to have problems with this. You then use the forward chain to drop packets in the sip-not-auth address-list:

/ip firewall mangle
add action=add-dst-to-address-list address-list=sip-not-auth \
address-list-timeout=2d1h chain=forward comment=\
"SIP Not Authorized Checking" connection-bytes=0-2048 content=\
"SIP/2.0 401 Unauthorized" disabled=no dst-address-list=!sip-auth \
dst-limit=5,5,dst-address/30s in-interface=YOURWANPORT protocol=udp \
src-address=YOUR.PBX.SOURCE.ADDRESS src-port=5060-5069

If this isnt stable enough, I would suggest using a script on the linux box to parse the SIP log and use a port knock to Mikrotik to block them. If you want help doing it this way let me know.
I think the original solution is more efficient, as it is just looking for total connections per second instead of deep inspection. It also would block the new sip attack where an inbound call is placed as part of the scan, and any other types of anonymous 5060 traffic. But if it has no affect I will give this a try.
Network Consultant in Wichita, KS
 
miahac
Long time Member
Long time Member
Posts: 515
Joined: Wed Dec 14, 2005 5:04 pm
Location: Wichita, KS

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registrat

Tue Jun 03, 2014 9:52 pm

Argh, no wonder you all kept asking about this ruleset. I found one MAJOR error, but I am still not getting the results I want. The major error is that you should not be blocking dst but the src

10 chain=output action=add-src-to-address-list protocol=udp address-list=sip_blacklist address-list-timeout=4w2d dst-port=5060-5099

Either way, in psudo here is what I think we are trying to accomplish:

0. If address is in sip_blacklist BAN AND BURN IP COMPLETELY
1. If traffic is to port 5060-5099 and source IP is in sip-allow; accept
2. If traffic is to port 5060-5099 and connections/second under X; accept
3. If traffic is to port 5060-5099 and connections/second is over X; add source of traffic to sip_blacklist

I keep getting good ips added to the ban list even ones in the white list, so I have disabled rule 0 for now. Does the accept rule not skip subsequent rules?
Network Consultant in Wichita, KS
 
miahac
Long time Member
Long time Member
Posts: 515
Joined: Wed Dec 14, 2005 5:04 pm
Location: Wichita, KS

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registrat

Tue Jun 03, 2014 10:07 pm

Ok I changed the rules a bit and now I am not flagging safe addresses. But I am still flagging customers

Export
add action=drop chain=forward disabled=yes src-address-list=sip_blacklist
add chain=forward src-address-list=sip-safe
add chain=forward dst-limit=1,120,dst-address/1m dst-port=5060-5099 protocol=udp
add action=add-src-to-address-list address-list=sip_blacklist address-list-timeout=4w2d chain=forward dst-port=5060-5099 limit=0,0 protocol=udp
Print
78 X chain=forward action=drop src-address-list=sip_blacklist 
79   chain=forward action=accept src-address-list=sip-safe 
80   chain=forward action=accept protocol=udp dst-port=5060-5099 dst-limit=1,120,dst-address/1m 
81   chain=forward action=add-src-to-address-list protocol=udp address-list=sip_blacklist address-list-timeout=4w2d dst-port=5060-5099 limit=0,0 
Network Consultant in Wichita, KS
 
miahac
Long time Member
Long time Member
Posts: 515
Joined: Wed Dec 14, 2005 5:04 pm
Location: Wichita, KS

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registrat

Tue Jun 03, 2014 10:19 pm

sip scanners still not getting listed in the black list:
ip firewall connections
You do not have the required permissions to view the files attached to this post.
Network Consultant in Wichita, KS
 
User avatar
ocgltd
newbie
Posts: 42
Joined: Sun Sep 02, 2012 12:53 am
Location: Ontario, Canada

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registrat

Wed Jun 04, 2014 5:21 pm

Take a look at SecAst (http://www.telium.ca?secast). It watches for a variety of SIP attacks, can block based on geographic source of IP, watch for unusual calling patterns, etc. And best of all, it can talk to a MikroTik router to manage a list of blocked IP's.

It's Asterisk specific (but based on the error messages you posted you're running Asterisk)

---

EDIT: Note URL changed to www.telium.ca for this vendor.
Last edited by ocgltd on Sun May 24, 2015 3:52 pm, edited 2 times in total.
 
spaxton
Member Candidate
Member Candidate
Posts: 176
Joined: Fri Jan 01, 2010 12:18 pm

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registrat

Mon Feb 16, 2015 1:47 pm

Take a look at SecAst (http://www.generationd.com). It watches for a variety of SIP attacks, can block based on geographic source of IP, watch for unusual calling patterns, etc. And best of all, it can talk to a MikroTik router to manage a list of blocked IP's.

It's Asterisk specific (but based on the error messages you posted you're running Asterisk)
Thanks for this link but this thing is too expensive! Mostly, those who use asterisk are NOT willing to pay 5000 USD for it.

Best Regards.
 
User avatar
ocgltd
newbie
Posts: 42
Joined: Sun Sep 02, 2012 12:53 am
Location: Ontario, Canada

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registrat

Thu Feb 26, 2015 5:23 pm

We've installed SecAst on call center and healthcare Asterisk servers (large scale installations). If you're targetting home/small office then FREE is certainly the way to go...
 
spaxton
Member Candidate
Member Candidate
Posts: 176
Joined: Fri Jan 01, 2010 12:18 pm

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registrat

Thu Feb 26, 2015 6:25 pm

We've installed SecAst on call center and healthcare Asterisk servers (large scale installations). If you're targetting home/small office then FREE is certainly the way to go...
According to their official data, free SecAst won't communicate with mikrotik.
 
marrold
Member
Member
Posts: 417
Joined: Wed Sep 04, 2013 10:45 am

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registration

Fri Feb 27, 2015 12:26 am

I'm not sure if it would be possible to block these SIP messages using the router alone, even at layer 7.

Standard Registration is ->

REGISTER ->
<- 401 Unauthorized
REGISTER (With authentication) ->
<- 200 OK

INVITE ->
<- 401 Unauthorized
INVITE (With authentication) ->
<- 200 OK

401's are a normal part of the SIP dialogue.
I'm a SIP / VoIP engineer. Feel free to ask questions...
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registration

Fri Feb 27, 2015 1:28 am

I'm not sure if it would be possible to block these SIP messages using the router alone, even at layer 7.
The real danger is a customer with several SIP phones behind a single NAT. This would easily exceed the threshold

I would probably opt to use fail2ban on the Asterisk box itself.
If the Asterisk box has iptables installed, just firewall it right there.
If not, a "knock" packet would be easily done as well. - Just make fail2ban send a "strange" packet
of a certain size with a certain source - say UDP SrcAddr = 6.6.6.6 srcPort = 666 and Dst IP=(offender), Dst Port = 5060
Pad the packet to a recognizable size (666bytes? haha). Match these in the router and add dst-addr to ban list.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
spaxton
Member Candidate
Member Candidate
Posts: 176
Joined: Fri Jan 01, 2010 12:18 pm

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registration

Fri Feb 27, 2015 10:45 am

I'm not sure if it would be possible to block these SIP messages using the router alone, even at layer 7.
The real danger is a customer with several SIP phones behind a single NAT. This would easily exceed the threshold

I would probably opt to use fail2ban on the Asterisk box itself.
If the Asterisk box has iptables installed, just firewall it right there.
If not, a "knock" packet would be easily done as well. - Just make fail2ban send a "strange" packet
of a certain size with a certain source - say UDP SrcAddr = 6.6.6.6 srcPort = 666 and Dst IP=(offender), Dst Port = 5060
Pad the packet to a recognizable size (666bytes? haha). Match these in the router and add dst-addr to ban list.
I am trying to make fail2ban work with mikrotik by adding the problematic addresses to the list. If I succeed, I will make a post with a detailed description. I started from here http://wiki.mikrotik.com/wiki/Use_Mikro ... n_firewall but this will not work as it is described on the link... It needs modifications.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registration

Fri Feb 27, 2015 5:13 pm

I am trying to make fail2ban work with mikrotik by adding the problematic addresses to the list. If I succeed, I will make a post with a detailed description. I started from here http://wiki.mikrotik.com/wiki/Use_Mikro ... n_firewall but this will not work as it is described on the link... It needs modifications.
That solution you linked to is for a no-password ssh session to log into the MT and executing commands.

You don't really need all of that - if you can make a bash script that sends an unusual packet from a packet generation utility, (e.g. sendip) then you're good to go. In my example, you could send a UDP packet with very specific values e.g.
src-IP = 7.7.7.7
src-port = 777
dst-IP = <guy-to-ban>
dst-port = 666

You should never receive such a packet from your ISP as the destination is not in your network, but if you want more security, you could make the contents of the packet have some sort of security phrase/hash to match against in the Mikrotik with the contents check in addtion to the stuff below. (Also a good idea if you're an ISP and have users behind this router able to send such packets maliciously)

Next you make a rule in forward chain that matches such packets, and adds dst-ip to the BANLIST
e.g.:
/ip firewall filter add chain=forward in-interface=<inward-facing interface> src-address=7.7.7.7 protocol=udp src-port=777 dst-port=666 dst-address-list=!UnBannable action=add-dst-to-address-list address-list=BANLIST address-list-timeout=2d

If you use the dst-address-list=!UnBannable criteria, then you can exempt addresses/networks from being banned by adding them to the UnBannable list.

Now you put two rules into the forward chain:
/ip firewall filter add chain=forward src-address-list=BANLIST action=drop
/ip firewall filter add chain=forward dst-address-list=BANLIST action=drop

Make sure the positioning of these rules in your forward chain makes sense.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
miahac
Long time Member
Long time Member
Posts: 515
Joined: Wed Dec 14, 2005 5:04 pm
Location: Wichita, KS

Re: PAYPAL CASH REWARD!! Filter to block rouge SIP registration

Sun Apr 12, 2015 7:38 pm

All your base are belong to them
I gave up and l2tp every customer with VPBX and let the core SIP proxy run fail2ban
Network Consultant in Wichita, KS

Who is online

Users browsing this forum: Bing [Bot] and 13 guests