[VoiceOps] VoIP Abuse Project

Jay Hennigan jay at west.net
Mon Sep 20 15:19:45 EDT 2010

On 9/20/10 9:38 AM, Leandro Dardini wrote:

> I am sorry, but I really don't understand how fail2ban can be used
> against me. The only drawback of fail2ban is when inside a large private
> organization using NAT and exiting on Internet with a single (or small
> pool of) IP, some evil colleagues can send a bunch of wrong REGISTER
> requests and trigger fail2ban to filter the IP preventing legitimate
> users from within the same organization to access your service. This can
> happen once, then the good sysadmin of the organization will snoop the
> traffic and catch the evil colleagues.

In most cases SIP transactions are UDP, hence trivially spoofed.  An
attacker can generate failed registration/authentication attempts
spoofed from your customer or peer IPs.  Fail2ban will then lock out
your legitimate traffic.

It can also cause issues where a single misconfigured phone or device
can cause an entire NAT site to be blocked.  Fail2ban can be a useful
tool but should be used with caution in this application.

Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

More information about the VoiceOps mailing list