Uninvited guests

Discussions about using SIP Sorcery on your own computer/server
Nebukadnezar
Posts: 47
Joined: Tue Aug 10, 2010 1:46 pm

Uninvited guests

Post by Nebukadnezar » Sat Oct 23, 2010 7:20 am

On average (the server has been running for two months now) I find five attempts (only to port 5060) from uninvited guests to register to the server. These attempts are monitored by a WSH script that reads the SYSLOG from my router every hour, and the IP numbers of those attempts are added to an ACL named “Unwanted” so further access by those IPs will be impossible. Last night this script found only a single attempt by a Korean IP: 175.118.124.236, but over a time span of 12 minutes it generated 10,000 requests to the SIP server. Of all the requests made the following ones are unique, the others are just repetitions of the same:

req OPTIONS from=100, to=100, udp:175.118.124.236:5060 False
req REGISTER from=2272000085, to=2272000085, udp:175.118.124.236:5115 False
req REGISTER from=1577873235, to=1577873235, udp:175.118.124.236:5117 False
req ACK from=125, to=125, udp:175.118.124.236:5115 False
req REGISTER from=Daichi, to=Daichi, udp:175.118.124.236:5117 False
req ACK from=127, to=127, udp:175.118.124.236:5115 False
req REGISTER from=Daiki, to=Daiki, udp:175.118.124.236:5117 False
req ACK from=128, to=128, udp:175.118.124.236:5115 False
req ACK from=Ai, to=Ai, udp:175.118.124.236:5117 False
req ACK from=129, to=129, udp:175.118.124.236:5115 False
req ACK from=Akane, to=Akane, udp:175.118.124.236:5117 False
req ACK from=130, to=130, udp:175.118.124.236:5115 False
req ACK from=Ami, to=Ami, udp:175.118.124.236:5117 False
req ACK from=Aoi, to=Aoi, udp:175.118.124.236:5117 False
req ACK from=131, to=131, udp:175.118.124.236:5115 False
req ACK from=Asuka, to=Asuka, udp:175.118.124.236:5117 False
req ACK from=132, to=132, udp:175.118.124.236:5115 False
req ACK from=133, to=133, udp:175.118.124.236:5115 False
req ACK from=Aya, to=Aya, udp:175.118.124.236:5117 False
req ACK from=134, to=134, udp:175.118.124.236:5115 False
req ACK from=Ayaka, to=Ayaka, udp:175.118.124.236:5117 False
req ACK from=135, to=135, udp:175.118.124.236:5115 False
req ACK from=136, to=136, udp:175.118.124.236:5115 False
req ACK from=Ayaka, to=Ayaka, udp:175.118.124.236:5117 False
req ACK from=137, to=137, udp:175.118.124.236:5115 False
req ACK from=Ayaka, to=Ayaka, udp:175.118.124.236:5117 False
req ACK from=Ayano, to=Ayano, udp:175.118.124.236:5117 False
req ACK from=141, to=141, udp:175.118.124.236:5115 False
req ACK from=143, to=143, udp:175.118.124.236:5115 False
req ACK from=145, to=145, udp:175.118.124.236:5115 False
req ACK from=Kotone, to=Kotone, udp:175.118.124.236:5117 False
req ACK from=146, to=146, udp:175.118.124.236:5115 False
req ACK from=Mai, to=Mai, udp:175.118.124.236:5117 False
req ACK from=150, to=150, udp:175.118.124.236:5115 False
req ACK from=151, to=151, udp:175.118.124.236:5115 False
req ACK from=152, to=152, udp:175.118.124.236:5115 False
req ACK from=153, to=153, udp:175.118.124.236:5115 False
req ACK from=154, to=154, udp:175.118.124.236:5115 False
req ACK from=2272000085, to=2272000085, udp:175.118.124.236:5115 False
req ACK from=1577873235, to=1577873235, udp:175.118.124.236:5117 False

Though the server processes the requests appropriately (all denied), I did get a lot of these in the error log:

2010-10-23 01:48:11,864 [sipchanneludp-9224] ERROR sipregistrar [(null)] - Register queue exceeded max queue size 1000, overloaded response sent.

these attacks do work as a DoS, as its responsiveness to allowed requests during the attack is considerably reduced.
I’m thinking about a module, placed before SipSorcery in the chain, that preprocesses incoming requests and updates the ACL in real-time. Increasing the frequency to read the SYSLOG and updating ACL would mean “more than once per minute” in the above scenario. The process would be very simple:

- Got request.
- Read sipaccounts
- If not available or not allowed update and rewrite router ACL and deny

Any other ideas are welcome.
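As an added example (not the original poster's WSH script, which is not shown in the thread), here is the same monitoring idea in plain Python: parse request lines in the format logged above, flag a source IP either because it tries to REGISTER an account that is not in the sipaccounts list or because it exceeds a request rate within a sliding window, and return the IPs that would be appended to the "Unwanted" ACL. The timestamp prefix, the known-accounts set, the window size and the threshold are assumptions, and the log lines are constructed for the example (the scanner lines follow the pattern in the post above).

```python
"""Added example, not the original poster's script: detect sources that should
be added to a blocking ACL from SIP request log lines.
Assumptions: each line carries a "YYYY-MM-DD HH:MM:SS" prefix (the router
syslog timestamp), the account list is a set of user names, and 50 requests
per 60 seconds from one IP is the rate limit."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "req METHOD from=X, to=Y, udp:IP:PORT False" as in the post, with a timestamp prefix (assumed)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) req (?P<method>[A-Z]+) "
    r"from=(?P<frm>[^,]+), to=(?P<to>[^,]+), (?P<proto>udp|tcp):(?P<ip>[\d.]+):(?P<port>\d+)"
)

KNOWN_ACCOUNTS = {"100", "101"}        # constructed stand-in for the sipaccounts list
WINDOW = timedelta(seconds=60)         # assumed sliding window
MAX_PER_WINDOW = 50                    # assumed rate threshold per source IP


def parse_line(line):
    """Return a dict of the fields in one log line, or None if it is not a request line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["port"] = int(rec["port"])
    return rec


def find_unwanted(lines, known_accounts=KNOWN_ACCOUNTS, window=WINDOW, max_per_window=MAX_PER_WINDOW):
    """Return {ip: reason} for every source IP that should go into the ACL.

    Rule 1: a REGISTER for an account that does not exist (the poster's
            "not available or not allowed" check).
    Rule 2: more than max_per_window requests from one IP inside the window,
            whatever the method (the 10,000-requests-in-12-minutes case)."""
    recent = defaultdict(deque)   # ip -> timestamps of its requests still inside the window
    unwanted = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if rec["method"] == "REGISTER" and rec["frm"] not in known_accounts:
            unwanted.setdefault(ip, "REGISTER for unknown account %s" % rec["frm"])
        q = recent[ip]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:     # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_per_window:
            unwanted.setdefault(ip, "%d requests within %ds" % (len(q), int(window.total_seconds())))
    return unwanted


# Constructed sample input for the example.
SAMPLE_LINES = [
    # a legitimate phone registering a known account: must not be flagged
    "2010-10-23 01:48:00 req REGISTER from=100, to=100, udp:192.0.2.10:5060 False",
    # scanner behaviour shaped like the post above: an OPTIONS probe, then REGISTERs for made-up accounts
    "2010-10-23 01:48:05 req OPTIONS from=100, to=100, udp:175.118.124.236:5060 False",
    "2010-10-23 01:48:06 req REGISTER from=2272000085, to=2272000085, udp:175.118.124.236:5115 False",
    "2010-10-23 01:48:06 req REGISTER from=Daichi, to=Daichi, udp:175.118.124.236:5117 False",
] + [
    # a flood of 60 OPTIONS from one source in 30 seconds, all for a known account
    "2010-10-23 01:50:%02d req OPTIONS from=100, to=100, udp:198.51.100.7:5060 False" % (i // 2)
    for i in range(60)
]

if __name__ == "__main__":
    for ip, reason in sorted(find_unwanted(SAMPLE_LINES).items()):
        print("add to ACL Unwanted: %s (%s)" % (ip, reason))
```

The unknown-account rule has the same side effect as the poster's own process: a legitimate phone configured with a mistyped account name gets its IP blocked too, so whatever writes the ACL should keep a way to remove entries again.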

Aaron
Site Admin
Posts: 4652
Joined: Thu Jul 12, 2007 12:13 am

Re: Uninvited guests

Post by Aaron » Sat Oct 23, 2010 10:12 am

The probe you've described is the script kiddies looking for vulnerable Asterisk servers. The script uses a User-Agent header of "friendly-scanner", at least all the ones sipsorcery.com has experienced. It can be easily blocked in your proxyscript.py proxy script by adding a line to reject SIP requests with that user agent header.

if isreq:

  #===== SIP Request Processing =====

  if req.Header.UserAgent == "friendly-scanner":
    #sys.Respond(req, SIPResponseStatusCodesEnum.NotAcceptableAnywhere, "Piss off")
    pass

  else:
    ...
Note that, due to the way Python uses indentation, if you add an if/else block to the top of your script you'll need to indent the rest of the script. Notepad++ is good for checking the indentation.

Nebukadnezar
Posts: 47
Joined: Tue Aug 10, 2010 1:46 pm

Re: Uninvited guests

Post by Nebukadnezar » Sat Oct 23, 2010 10:30 am

Thanks Aaron,

I'll add that for now. My concern is that I should prevent the server from being hit at a rate of 1,000 requests per minute. This will block them, but it will keep the proxy pretty occupied.

Aaron
Site Admin
Posts: 4652
Joined: Thu Jul 12, 2007 12:13 am

Re: Uninvited guests

Post by Aaron » Sat Oct 23, 2010 10:42 am

Yes, it would be slightly more efficient to block the requests before they got to the SIP Proxy, but because the requests are dropped at the Proxy they don't get a chance to do anything that could put a load on the sipsorcery server, such as run a dialplan or result in a database operation.

In addition, with this particular attack, if the script doesn't get a response it backs off on the number of requests it sends, so if the proxy simply ignores the request rather than responding to it then what I've seen is the rate of requests goes to 1 every 10 seconds rather than 100s or 1000s a second.

Nebukadnezar
Posts: 47
Joined: Tue Aug 10, 2010 1:46 pm

Re: Uninvited guests

Post by Nebukadnezar » Sat Oct 23, 2010 1:26 pm

I agree that, in general, the ‘ignore’ approach works. I noticed that when I reconfigured my firewall rules to ‘drop’ instead of ‘deny’.

Silly question probably: What do I do after:

if req.Header.UserAgent == "friendly-scanner":
   #sys.Respond(req, SIPResponseStatusCodesEnum.NotAcceptableAnywhere, "Piss off") # this (now) is a comment
   pass # this will pass control to the next statements, so the request will be processed yet?
   sys.exit() ?
or:

if req.Header.UserAgent == "friendly-scanner":
   #sys.Respond(req, SIPResponseStatusCodesEnum.NotAcceptableAnywhere, "Piss off") # this (now) is a comment
    goto .endifreq
.
.
.
.
  #===== End SIP Request Processing =====
label .endifreq
else:
to exit the proxy script and make it ignore the current request?

Aaron
Site Admin
Posts: 4652
Joined: Thu Jul 12, 2007 12:13 am

Re: Uninvited guests

Post by Aaron » Sat Oct 23, 2010 9:24 pm

Nebukadnezar wrote: Silly question probably: What do I do after:
You can use the goto approach if you like it. I don't know about the sys.exit() approach, does it work?

What I've done is put the existing dialplan into the else statement.

if req.Header.UserAgent == "friendly-scanner":
  pass
else:
  rest of script.

Nebukadnezar
Posts: 47
Joined: Tue Aug 10, 2010 1:46 pm

Re: Uninvited guests

Post by Nebukadnezar » Sun Oct 24, 2010 5:04 am

I just put the sys.exit() in; it should raise an exception and do some cleanup and exit Python (os.exit raises no error and performs no cleanup). I'll just wait and see what happens when I get uninvited guests.

I think I will go with the next approach:

while isreq:
    if req.Header.UserAgent == "friendly-scanner":
        #sys.Respond(req, SIPResponseStatusCodesEnum.NotAcceptableAnywhere, "Piss off") # this (now) is a comment
        break # exit isreq
    .
    .
    complete body of 'isreq'
    .
    .
    #===== End SIP Request Processing =====
    break
Seems more elegant to me, and enables other mutually exclusive blocks to exit this section:

if sipMethod == "REGISTER":
  .
  .
  break
if sipMethod == "SUBSCRIBE":
  .
  .
  break

if sipMethod == "NOTIFY":
  .
  .
  break
Still trying to figure out if Python supports 'case' statements.

Nebukadnezar
Posts: 47
Joined: Tue Aug 10, 2010 1:46 pm

Re: Uninvited guests

Post by Nebukadnezar » Mon Oct 25, 2010 6:31 am

I just started with the Python language. Looking at the proxy script, I assumed (assumption being the mother of ……) “sys” to mean the “sys” module as documented in the Python documentation, so “sys.exit” ('SIPProxyScriptFacade' object has no attribute 'exit') does not work. Importing the “sys” module just for that purpose is not really an option, so I will go with the “while isreq:” option.

Aaron
Site Admin
Posts: 4652
Joined: Thu Jul 12, 2007 12:13 am

Re: Uninvited guests

Post by Aaron » Mon Oct 25, 2010 9:03 am

Yes, in hindsight the choice of "sys" for the sipsorcery proxy script facade object was probably not the smartest choice...

One other thing to be aware of with the Python being used in the sipsorcery proxy script is that it's an IronPython variant, which involves some differences in library and more esoteric feature support.
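As an added example (not sipsorcery's proxyscript.py and not using its "sys" facade object), here is the request-filtering structure discussed in this thread written as an ordinary Python function: ignoring a scanner request is a plain early return rather than a goto, a while/break or sys.exit(), and the chain of "if sipMethod == ...: ... break" blocks becomes a dict that maps the method to a handler, which is the portable replacement for a case statement on any Python version (CPython 3.10 and later also have match, which the IronPython variant of that era lacks). SIPRequest, the handler functions and their return strings are assumptions for the example, so it runs stand-alone under CPython.

```python
"""Added example, not sipsorcery's proxy script: scanner filtering and
method dispatch as a function with early return and a handler table.
Assumptions: SIPRequest mirrors the few fields the proxy script reads
(method, User-Agent header, From user, remote address); the handlers stand
in for the REGISTER/SUBSCRIBE/NOTIFY sections of a real script."""
from dataclasses import dataclass
from typing import Optional

# User-Agent values to drop silently; the thread names only "friendly-scanner".
SCANNER_USER_AGENTS = {"friendly-scanner"}


@dataclass
class SIPRequest:
    method: str
    user_agent: Optional[str]   # None when the request carries no User-Agent header
    from_user: str
    remote: str                 # "udp:ip:port", as in the log lines earlier in the thread


def is_scanner(user_agent):
    """True if the User-Agent is on the scanner list; a missing header is not a match."""
    if user_agent is None:
        return False
    return user_agent.strip().lower() in SCANNER_USER_AGENTS


def handle_register(req):
    # stands in for the REGISTER section of the real script
    return "register:%s" % req.from_user


def handle_subscribe(req):
    return "subscribe:%s" % req.from_user


def handle_notify(req):
    return "notify:%s" % req.from_user


# Replacement for a case statement: method name -> handler. Adding a method
# is one new entry here instead of another if/break block.
METHOD_HANDLERS = {
    "REGISTER": handle_register,
    "SUBSCRIBE": handle_subscribe,
    "NOTIFY": handle_notify,
}


def process_request(req, dropped=None):
    """Return what was done with the request.

    'dropped', if given, is a list that collects the remote addresses of
    ignored requests, so the same data can feed an ACL later. Returning here
    is the early exit the thread tries to build with goto/break/sys.exit()."""
    if is_scanner(req.user_agent):
        # Deliberately no response: the scanner backs off when it hears nothing.
        if dropped is not None:
            dropped.append(req.remote)
        return "ignored"
    handler = METHOD_HANDLERS.get(req.method)
    if handler is None:
        return "unsupported:%s" % req.method
    return handler(req)


if __name__ == "__main__":
    seen = []
    for r in (
        SIPRequest("REGISTER", "friendly-scanner", "2272000085", "udp:175.118.124.236:5115"),
        SIPRequest("REGISTER", "SomePhone/1.0", "100", "udp:192.0.2.10:5060"),
        SIPRequest("OPTIONS", None, "100", "udp:192.0.2.10:5060"),
    ):
        print(r.remote, "->", process_request(r, seen))
    print("dropped:", seen)
```

Because the check lives in its own function, the list of user agents can grow without touching the dispatch code, and the dropped-address list is the hand-off point to the router ACL approach from the first post.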

jvwelzen
Posts: 716
Joined: Thu Sep 11, 2008 1:56 pm

Re: Uninvited guests

Post by jvwelzen » Sat Nov 20, 2010 12:22 pm

Today I received the same messages in my root.log.

Is there an example of the proxy script to block this?

2010-11-20 12:44:55,091 [sipregistrar-core1] DEBUG sipsorcery [(null)] - re: register result=DomainNotServiced, time=10.0144ms, user=2176162570.
2010-11-20 12:44:55,091 [sipregistrar-core1] DEBUG sipsorcery [(null)] - re: Register request for 62.145.70.41 rejected as no matching domain found.
2010-11-20 12:51:42,947 [sipchanneludp-1338] ERROR sipregistrar [(null)] - Register queue exceeded max queue size 1000, overloaded response sent.
2010-11-20 12:51:42,987 [sipchanneludp-1338] ERROR sipregistrar [(null)] - Register queue exceeded max queue size 1000, overloaded response sent.
Found another one:

2010-11-20 12:51:35,407 [sipregistrar-core1] DEBUG sipsorcery [(null)] - re: Forbidden 2245559228@huizenwireless.nl does not exist, udp:85.214.46.63:5121, friendly-scanner.
2010-11-20 12:51:35,407 [sipregistrar-core1] DEBUG sipsorcery [(null)] - re: register result=Forbidden, time=240.3456ms, user=2245559228.
2010-11-20 12:51:35,467 [sipchanneludp-1338] DEBUG sipsorcery [(null)] - re: Register queued for sip:2176162570@62.145.70.41.
Thanks in advance
