[VoiceOps] VoIP Abuse Project

J. Oquendo sil at infiltrated.net
Mon Sep 20 14:57:18 EDT 2010


Carlos Alvarez wrote:
>
>
> Leandro Dardini wrote:
>
>> I am sorry, but I really don't understand how fail2ban can be used
>> against me.
>
> It's a simple/easy DOS attack.  If someone can send packets with a
> spoofed source address, they can cause you to filter your upstream or
> your client.  For the upstream providers with static IPs, that should
> be easy to fix with a whitelist.  I don't believe that knowing your
> customers' dynamic IPs is a realistic attack.
>
> My experience with repeated attempts to crack SIP is that it only
> happens to us if we have simple registration names (IE, registration
> name is the extension number).  We've gone away from that completely
> and I can't recall the last time we saw someone try to brute force one
> of our accounts.  I see registration attempts against sequential
> numbers (301, 302, 303.....) but since the accounts simply don't
> exist, there's really little harm.
>
>

All one has to do is an nslookup and hit the field for fail2ban, e.g.:

Username "place an IP address RIGHT_HERE"@registrar

Care to see stupidity?

[2010-09-20 01:16:17] WARNING[8395] chan_sip.c: Bad request protocol THE
TEXT FILE IN THE RAR FOR THE PASSWORD!!!@208.50.xx.xxx SIP/2.0
[2010-09-20 01:16:17] WARNING[8395] chan_sip.c: Bad request protocol THE
TEXT FILE IN THE RAR FOR THE PASSWORD!!!!@208.50.xx.xxx SIP/2.0
[2010-09-20 01:16:17] NOTICE[8395] chan_sip.c: Registration from '"READ
THE TEXT FILE IN THE RAR FOR THE PASSWORD!!!!"<sip:READ THE TEXT FILE IN
THE RAR FOR THE PASSWORD!!!!@208.50.xx.xxx>' failed for '69.72.242.170'
- Device does not match ACL
[2010-09-20 01:16:17] WARNING[8395] chan_sip.c: Bad request protocol THE
TEXT FILE IN THE RAR FOR THE PASSWORD!!!!@208.50.xx.xxx SIP/2.0
[2010-09-20 01:16:17] WARNING[8395] chan_sip.c: Bad request protocol THE
TXT IN THE RAR FOR THE PASSWORD!!!!!!!!!@208.50.xx.xxx SIP/2.0
[2010-09-20 01:16:17] NOTICE[8395] chan_sip.c: Registration from '"READ
THE TXT IN THE RAR FOR THE PASSWORD!!!!!!!!!"<sip:READ THE TXT IN THE
RAR FOR THE PASSWORD!!!!!!!!!@208.50.xx.xxx>' failed for '69.72.242.170'
- Device does not match ACL
[2010-09-20 01:16:17] WARNING[8395] chan_sip.c: Bad request protocol THE
TXT IN THE RAR FOR THE PASSWORD!!!!!!!!!@208.50.xx.xxx SIP/2.0
[2010-09-20 01:16:23] WARNING[8395] chan_sip.c: Bad request protocol
PASSWORD IS IN THE FILE at 208.50.xx.xxx SIP/2.0
[2010-09-20 01:16:23] NOTICE[8395] chan_sip.c: Registration from '"THE
PASSWORD IS IN THE FILE"<sip:THE PASSWORD IS IN THE FILE at 208.50.xx.xxx>'
failed for '69.72.242.170' - Device does not match ACL
[2010-09-20 01:16:23] WARNING[8395] chan_sip.c: Bad request protocol
PASSWORD IS IN THE FILE at 208.50.xx.xxx SIP/2.0
[2010-09-20 01:16:24] WARNING[8395] chan_sip.c: Bad request protocol
PASSWORD IS IN THE RAR at 208.50.xx.xxx SIP/2.0
[2010-09-20 01:16:24] NOTICE[8395] chan_sip.c: Registration from '"THE
PASSWORD IS IN THE RAR"<sip:THE PASSWORD IS IN THE RAR at 208.50.xx.xxx>'
failed for '69.72.242.170' - Device does not match ACL
[2010-09-20 01:16:24] WARNING[8395] chan_sip.c: Bad request protocol
PASSWORD IS IN THE RAR at 208.50.xx.xxx SIP/2.0
[2010-09-20 01:16:24] NOTICE[8395] chan_sip.c: Registration from
'"this-is-a-password"<sip:this-is-a-password at 208.50.xx.xxx>' failed for
'69.72.242.170' - Device does not match ACL
[2010-09-20 01:16:24] NOTICE[8395] chan_sip.c: Registration from
'"this-is-a-stupid-password"<sip:this-is-a-stupid-password at 208.50.xx.xxx>'
failed for '69.72.242.170' - Device does not match ACL

Fail2Ban separates on fields, e.g., awk '{print $X}'

# awk '/[assword]/{print $15}' TodaysLogs|sort -u

-
1
'7182b14a1230885704b1002c09bc4774 at 208.50.xx.xxx'.
'79dfff0f0359dea6360a52270266be12 at 208.50.xx.xxx'.
'7fd16dc55ce9bd2173b95b5d38a2c301 at 208.50.xx.xxx'.
does
for
got
host=dynamic
IN
Inside at 208.50.xx.xxx>'
INSIDE!!!@208.50.xx.xxx>'
match
ME.TXT at 208.50.xx.xxx>'
mokey at 208.50.xx.xxx>'
packet.
"PASSWORD
PASSWORD!!!!!!!!!@208.50.xx.xxx
PASSWORD!!!!!!!!!"<sip:READ
READ
Response)
seconds
SIP/2.0
supposed
Text
TEXT
THE
TXT
up.
use

Normally, in Asterisk, my configuration should print an invalid address
on the 11th field:


# awk '/[assword]/{print $11}' TodaysLogs|sort -u

-
/
)@208.50.xx.xxx>'
.38
Bank at 208.50.xx.xxx>'
but
[By]
Ca at 208.50.xx.xxx>'
CALLED
chapparal at 208.50.xx.xxx>'
context
daddy?@208.50.xx.xxx>'
Day
DJP at l@@208.50.xx.xxx>'
Door at 208.50.xx.xxx>'
Dude at 208.50.xx.xxx>'
enjoy at 208.50.xx.xxx>'
expected.
FILE
for
freeliz.ru at 208.50.xx.xxx>'
future
hardNloud.co.nr at 208.50.xx.xxx>'
Head at 208.50.xx.xxx>'
Hidin'@208.50.xx.xxx>'
image
In
IN
Inside
INSIDE
Inside at 208.50.xx.xxx
INSIDE!!!@208.50.xx.xxx
Inside"<sip:Read
INSIDE!!!"<sip:READ
job
Know at 208.50.xx.xxx>'
ME.TXT at 208.50.xx.xxx
ME.TXT"<sip:READ
(missing
mokey at 208.50.xx.xxx
mokey"<sip:i
Muzik at 208.50.xx.xxx>'
-N-
Need
NEEDED at 208.50.xx.xxx>'
nj at 208.50.xx.xxx>'
nYoy at 208.50.xx.xxx>'
One
other
party
Pass at 208.50.xx.xxx>'
password
"PASSWORD
Password at 208.50.xx.xxx>'
peer
qualify:
.rar at 208.50.xx.xxx>'
.RAR!!!@208.50.xx.xxx>'
RAR at 208.50.xx.xxx>'
READ
reply
RTP
rund at 208.50.xx.xxx>'
SIP/2.0
Spot at 208.50.xx.xxx>'
THE
thejukejointmp3.net at 208.50.xx.xxx>'
to
tonight at 208.50.xx.xxx>'
tummut at 208.50.xx.xxx>'
UffePuff at 208.50.xx.xxx>'
Upon
useeeeeee at 208.50.xx.xxx>'
useless at 208.50.xx.xxx>'
vrijemp3.biz at 208.50.xx.xxx>'
Warez-BB.org at 208.50.xx.xxx>'
Weed at 208.50.xx.xxx>'
westpark at 208.50.xx.xxx>'

So no thank you on fail2ban.

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
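As an added illustration (my own code, not from the post, from Asterisk or from fail2ban's shipped filters), the following Python compares a fixed-field extractor, the awk '{print $N}' style the post describes, with a pattern anchored on the trailer Asterisk writes after the attacker-controlled registration name. The log lines are constructed after the NOTICE lines quoted above; 203.0.113.7 is an assumed stand-in for a legitimate upstream or customer, and field 10 is where the sender address sits in this constructed format (the post's configuration used field 11).

```python
import re

# Constructed sample lines modelled on the chan_sip NOTICE lines quoted in
# the post. The second line carries a registration name that contains
# whitespace and somebody else's address, the case the post warns about.
SAMPLE_LOGS = [
    "[2010-09-20 01:16:24] NOTICE[8395] chan_sip.c: Registration from "
    "'\"this-is-a-password\"<sip:this-is-a-password@208.50.xx.xxx>' "
    "failed for '69.72.242.170' - Device does not match ACL",
    "[2010-09-20 01:16:25] NOTICE[8395] chan_sip.c: Registration from "
    "'\"a b c 203.0.113.7 d\"<sip:203.0.113.7@208.50.xx.xxx>' "
    "failed for '69.72.242.170' - Device does not match ACL",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def naive_field_ip(line, field=10):
    """Mimic awk '{print $N}': trust the Nth whitespace-separated token.

    Any whitespace inside the registration name shifts every later field,
    so the token read here is under the sender's control."""
    parts = line.split()
    if len(parts) < field:
        return None
    return parts[field - 1].strip("'")


# Anchor on the fixed text Asterisk appends *after* the name, and on the end
# of the line, so the captured address is always the one Asterisk recorded
# as the packet source, whatever the name contains.
ANCHORED = re.compile(
    r"Registration from '.*' failed for '(?P<host>" + IPV4 + r")' - "
    r"Device does not match ACL$"
)


def anchored_ip(line):
    m = ANCHORED.search(line)
    return m.group("host") if m else None


def ban_candidates(lines, extractor):
    """Return the set of addresses a filter built on `extractor` would ban."""
    hosts = set()
    for line in lines:
        host = extractor(line)
        if host and re.fullmatch(IPV4, host):
            hosts.add(host)
    return hosts


if __name__ == "__main__":
    print("field-based:", sorted(ban_candidates(SAMPLE_LOGS, naive_field_ip)))
    print("anchored:   ", sorted(ban_candidates(SAMPLE_LOGS, anchored_ip)))
```

The field-based extractor bans the bystander address planted in the name; the anchored one bans only the actual source. Whitelisting known upstream addresses, as suggested earlier in the thread, limits the damage if the filter itself cannot be changed.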


