Personal tools
You are here: Home SIP brute force attacks
Navigation
Who is Tracy Reed?

I am a Linux enthusiast, a multi-engine instrument-rated pilot, and a traveller. I am interested in all aspects of computing and technology in general, especially Linux and Free Software. As an avid pilot I can be found somewhere over the skies of the southwestern US most weekends.  As a traveller I have been to many interesting places. Check out my photo gallery. Want to get me something cool? Check out my Amazon.com wish list!

 Tracy

 

SIP brute force attacks

by Tracy R Reed — last modified Dec 26, 2010 11:36 PM
Filed Under:

VOIP systems are under attack.

If you run a VOIP system accessible to the Internet you need to keep up on your system security. Over the last year I have seen an ever increasing amount of brute force attacks on SIP servers. Many systems have poorly chosen passwords which are being discovered via brute force guessing. The bad guys then route international phone calls to their phone company or calling card service through your phone system leaving you stuck with a huge bill. I personally knew someone who ended up with a $100k+ phone bill on his DS-3 line. VOIP providers are now making people sign contracts accepting all responsibility for charges incurred if the customer's VOIP system is breached.

Checking my own system logs I see 137,507 failed SIP REGISTER attempts over just the last 4 days.

In addition to choosing strong passwords (and why not, it isn't like human beings are going to be using these passwords, you program them into the phone) the only real solution (more of a band-aid, but a really good one) is to use a package like fail2ban (in the rpmforge repository if you use CentOS/Fedora as well as the standard apt-get repo for Debian/Ubuntu) to block too many failed register attempts in a row or to use a set of iptables rules like the following which I cooked up a long time ago and have used to remediate DOS attacks on HTTP, ssh brute forcing, and now SIP brute forcing. This does not detect failed registers but merely checks how many times a remote host sends a UDP packet to 5060 per amount of time. You may have to play with these numbers depending on how chatty your phones are. And be sure to whitelist generously. The chances of you whitelisting someone who will attack you are very small. The chances of locking out a legit client are decent. If someone can't register and you can't see their register attempts on the console check your packet filter. But it is worth it. Also keep an eye on your logs using some sort of log monitoring software (I wrote my own, used to have a website for it but not anymore, need to get it back up there) so you can know about failed/blocked registrations.

# Deal with SIP brute forcing
iptables -N SIP_WHITELIST
# home
iptables -A SIP_WHITELIST -s 1.2.3.0/24 -m recent --remove --name SIP -j ACCEPT
# voip provider
iptables -A SIP_WHITELIST -s 4.5.6.0/24 -m recent --remove --name SIP -j ACCEPT
# remote location
iptables -A SIP_WHITELIST -s 7.8.9.0/24 -m recent --remove --name SIP -j ACCEPT

iptables -N SIP_BRUTEFORCE
iptables -A SIP_BRUTEFORCE -m recent --set --name SIP
iptables -A SIP_BRUTEFORCE -p udp --dport 5060 -m state --state NEW -j SIP_WHITELIST
iptables -A SIP_BRUTEFORCE -m recent --update --seconds 30 --hitcount 3 --name SIP -j LOG
iptables -A SIP_BRUTEFORCE -m recent --update --seconds 30 --hitcount 3 --name SIP -j DROP

iptables -A INPUT -p udp --dport 5060 -m state --state NEW -j SIP_BRUTEFORCE
Document Actions