[VoiceOps] Growing attack pains

Mark R Lindsey lindsey at e-c-group.com
Mon Jan 10 12:19:15 EST 2011


How large would this product have to scale? And I'm not sure I completely understand your syntax, "Block on N" or "Block N".

I have a hunch the CAM/Network Processor DoS features in the Acme Packet OS-C SD platforms could come close. Once traffic is matched as bad, the source of the bad traffic (based on an IP address and port number) can be demoted to the black-list. This blocks traffic before it enters the SD CPU.

When a demotion occurs, the SD sends a trap. There's your alert.

By default, when designing a network with OS-C, we expect the SIP registrar or proxy to be smart enough to reject failed attempts. In this case, the registrar/proxy rejects the transactions (returning SIP 4xx messages). If the failing source continues to make failing requests, the SD can automatically blacklist the source.

For example, if the SIP registrar refuses five REGISTERs in a row, then the SD can detect that and automatically demote without having to understand why. This is a standard feature on OS-C and wouldn't require any creative mangling.

However, if you wanted to use the SD's own CPU to determine whether the SIP request is bad, there may be a way. Perhaps you could use a SIP Manipulation Rule to (a) match SIP that you find offensive, then (b) mangle it to make it invalid, unparseable SIP. The invalid SIP could hit the invalid-signal-threshold, causing a blacklist of the source. I'd want to do a proof-of-concept before I was certain this is workable, though. And you can be sure this processing would consume significant SD CPU time.


If any other vendors have a similar feature they'd like us to evaluate, contact me offline.

mark at ecg.co  |  +1-229-316-0013  |  http://ecg.co/lindsey
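As an added example (not code from this thread, from Acme Packet, or from any vendor), here is a small Python model of the two behaviours discussed above: demoting a source to a blacklist after N consecutive 4xx replies and raising an alert in place of the trap, plus the "Block on Prefix" check. The log format, threshold, prefixes and addresses are constructed for illustration, and matching the prefix against the start of the SIP URI user part is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

FAILURE_THRESHOLD = 5               # "five REGISTERs in a row"
BLOCKED_PREFIXES = ("+20", "0020")  # constructed example prefixes for "Block on Prefix"
# Constructed log format: "<src ip>:<port> <method> <request-uri> <final status>"
LOG_RE = re.compile(r"^(\S+):(\d+) (\w+) (\S+) (\d{3})$")
SAMPLE_LOG = (
    ["198.51.100.7:5060 REGISTER sip:1001@example.net 403"] * 6   # 5th failure demotes
    + ["203.0.113.9:5060 REGISTER sip:1002@example.net 403",
       "203.0.113.9:5060 REGISTER sip:1002@example.net 200",       # success resets streak
       "203.0.113.9:5060 INVITE sip:+2012345678@example.net 100"]  # blocked prefix
)

class SourceBlacklist:
    """Block on N: count consecutive 4xx replies per (ip, port); demote after N."""
    def __init__(self, threshold: int = FAILURE_THRESHOLD) -> None:
        self.threshold = threshold
        self.failures: Dict[Tuple[str, int], int] = defaultdict(int)
        self.blacklist: Set[Tuple[str, int]] = set()
        self.alerts: List[str] = []  # stands in for the SNMP trap sent on demotion

    def observe(self, ip: str, port: int, status: int) -> bool:
        """Record one transaction's final status; True if the source is now blacklisted."""
        key = (ip, port)
        if key in self.blacklist:
            return True
        if 400 <= status < 500:
            self.failures[key] += 1
        elif 200 <= status < 300:
            self.failures[key] = 0  # a success ends the failure streak
        if self.failures[key] >= self.threshold:
            self.blacklist.add(key)
            self.alerts.append(f"demoted {ip}:{port} after {self.threshold} failures")
            return True
        return False

def prefix_blocked(uri: str, prefixes: Tuple[str, ...] = BLOCKED_PREFIXES) -> bool:
    """Block on Prefix: True if the SIP URI user part starts with a blocked prefix."""
    return uri.split(":", 1)[-1].split("@", 1)[0].startswith(prefixes)

def process(lines: List[str]) -> Tuple[SourceBlacklist, int]:
    """Run lines through both checks; return blacklist state and number of drops."""
    bl, dropped = SourceBlacklist(), 0
    for m in filter(None, map(LOG_RE.match, (ln.strip() for ln in lines))):
        ip, port, _method, uri, status = m.groups()
        if prefix_blocked(uri) or bl.observe(ip, int(port), int(status)):
            dropped += 1
    return bl, dropped
```

Unparsable lines are skipped rather than counted as failures, so a malformed log entry cannot by itself push a source onto the blacklist.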
On Jan 10, 2011, at 11:53 AM, J. Oquendo wrote:

> 
> I'm in the market for something to place in front of an SBC (modules
> would be nice, e.g., Asterisk module, Avaya module, etc.) The device
> will need to do the following:
> 
> Block on N ... Block N amount bad attempts indefinitely and alert
> Block on Prefix ... If PREFIX is anywhere in SIPURI/ANI/CID, block
> (country specific would be nice)
> 
> We are having a hard time keeping up with the attack vectors here. We
> recently saw a compromise from Egypt where the password was 15
> characters mixed numbers, letters and symbols. So obviously longer
> passwords aren't even an issue anymore.
> 
> -- 
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT
> 
> "It takes 20 years to build a reputation and five minutes to
> ruin it. If you think about that, you'll do things
> differently." - Warren Buffett
> 
> 227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E