Wednesday, December 15, 2010

DoS.. DDoS .. go away ........... :)

Hmmmm,

What a bright sunny day it was. Monday, when I came to the office and had just sat down in my seat,
the fear that I had in mind came alive.. :(

It was the recent SIP DoS attacks that I faced on one of our servers, one we used temporarily to upgrade the other servers.

Well, the culprits had found our subnet and started to play around on our network. A few minutes after I sat down, our PBX (Asterisk server) went dead: no ssh, no response. As we suspected, it was a DoS attack, hmmmmmmmmmmmmmm... sigh....


Had to reboot the server to bring things back up and running again.
Got the attacker's IP from /var/log/asterisk/full, under the NOTICE lines which showed the failed register attempts.

As usual, blocked it with iptables:

iptables -A blocked -s x.x.x.x -j DROP

Hmmm. I realized these fu*king script kiddies wouldn't stop there. It looked like the attack was originating from a single IP (a different one on each attempt), but they flooded more than four servers on the network at the same time, so it's a DDoS as I understood it: typical of compromised corporate LANs which NAT everything to a single IP.

These botnets are used to run heavy scans on Asterisk servers all around the globe.
Attackers use a script written in Python: svwar.py, from the SIPVicious suite, is the one which scans for and exploits weak extensions in your Asterisk box.

http://code.google.com/p/sipvicious/


Well.... I just thought to modify my Asterisk monitoring script to mitigate this shit,
to get rid of this fu*ker.....

Monday was over, and the next day (Tuesday) they struck again. I worked with our sysadmins to set up a proper firewall to block any SIP packets (REGISTER requests) that would flood the server, and in the meantime I completed the below code snippet (in Perl) to block these damn as* holes... :)

##############################################

#!/usr/bin/perl
use strict;
use warnings;

# Collect every failed REGISTER line from the current and the rotated log.
my @matching_lines = `grep 'Registration from .* failed for .*' /var/log/asterisk/messages /var/log/asterisk/messages.1`;

my %blacklist;
foreach my $line (@matching_lines) {
    my ($s1, $s2) = split(/ failed for /, $line);
    my ($s3, $s4) = split(/-/, $s2);
    $s3 =~ s/'//g;          # you get the attacker's IP from here
    $s3 =~ s/^\s+|\s+$//g;  # drop the surrounding whitespace so iptables gets a bare IP
    $blacklist{$s3} += 1;
}

foreach my $ip (keys %blacklist) {
    print "From $ip\t hit =" . $blacklist{$ip} . "\n";

    if ($blacklist{$ip} > 5000) {
        print "Blocking IP $ip\n";
        # -F -x: match the whole line literally, so 1.2.3.4 does not also match 1.2.3.45
        my $ipalert = `grep -F -x '$ip' /etc/blacklistips 2>/dev/null`;
        if ($ipalert eq "") {
            if (!($ip =~ m/^(subnets_that_u_wanna_exclude)/)) {
                `iptables -A blocked -s $ip -j DROP`;
                `echo -e "Block the IP $ip Immediately\n SIP REGISTER HIT =$blacklist{$ip}\n" | mail -s " SIP Flood Alert" emailaddr`;
                open(my $blklst, ">>", "/etc/blacklistips") or die "cannot open /etc/blacklistips: $!";
                print $blklst "$ip\n";
                close($blklst);
            }
        }
    }
}


##############################################

Well, the script worked like an angel :) a charming one .. :D :D
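The same count-then-block logic as the Perl script above, as an added Python example (not the post's own code) run over constructed Asterisk chan_sip log lines; it also handles the 'IP:port' form of the "failed for" field and checks the exclusion list by subnet instead of by string prefix. The sample lines, the threshold of 2 and the 10.0.0.0/8 exclusion are assumptions made for the demo.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of Asterisk chan_sip NOTICE lines (not taken from the post).
SAMPLE_LOG = """\
[Dec 13 09:01:02] NOTICE[2048] chan_sip.c: Registration from '"100"<sip:100@10.0.0.5>' failed for '203.0.113.7' - No matching peer found
[Dec 13 09:01:02] NOTICE[2048] chan_sip.c: Registration from '"101"<sip:101@10.0.0.5>' failed for '203.0.113.7' - No matching peer found
[Dec 13 09:01:03] NOTICE[2048] chan_sip.c: Registration from '"102"<sip:102@10.0.0.5>' failed for '203.0.113.7:5060' - Wrong password
[Dec 13 09:01:05] NOTICE[2048] chan_sip.c: Registration from '"200"<sip:200@10.0.0.5>' failed for '10.0.0.42' - Wrong password
[Dec 13 09:01:06] NOTICE[2048] chan_sip.c: Registration from '"103"<sip:103@10.0.0.5>' failed for '198.51.100.9' - No matching peer found
"""

# Pull the source address out of both log flavours: 'a.b.c.d' and 'a.b.c.d:port'.
FAILED_RE = re.compile(r"Registration from '.*?' failed for '([0-9.]+)(?::\d+)?'")

def count_failed_registrations(log_text):
    """Count failed REGISTER attempts per source IP (the post's %blacklist hash)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def ips_to_block(hits, threshold, exclude_nets, already_blocked=()):
    """IPs strictly above threshold, skipping excluded subnets and known entries."""
    excluded = [ipaddress.ip_network(n) for n in exclude_nets]
    chosen = []
    for ip, n in hits.items():
        if n <= threshold or ip in already_blocked:
            continue
        if any(ipaddress.ip_address(ip) in net for net in excluded):
            continue  # e.g. your own phones failing with a mistyped password
        chosen.append(ip)
    return sorted(chosen)

def iptables_rules(ips, chain="blocked"):
    """Render the DROP rule from the post, one per IP; printed, not executed."""
    return [f"iptables -A {chain} -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    hits = count_failed_registrations(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"From {ip}\t hit ={n}")
    # Threshold 2 only so the sample trips it; the post used 5000 on real logs.
    for rule in iptables_rules(ips_to_block(hits, 2, ["10.0.0.0/8"])):
        print(rule)
```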

By that time the sysadmins had put a nice set of iptables rules in place to block the flooding hits.

The iptables rules are as below.

We had chains called asterisk, asterisk.reg and lognrej. These were appended under the 'filter' table.

--------------------------------------------------------------------------------------------------------
-A asterisk -j asterisk.reg -s 0.0.0.0/0 -m string --algo bm --string "REGISTER" --from 28 --to 100
-A asterisk -j ACCEPT -s 0.0.0.0/0
-A asterisk -j lognrej
-A asterisk.reg -j accept_request_from_you_network
-A asterisk.reg -j lognrej

Well! These helped to stop those annoying dumb script-kiddies.

I hope you guys get something (or nothing ;)) out of this for making your life a bit easier in this kind of situation
:D :D

See ya folks .......