[ale] SIP attack

Derek Atkins warlord at MIT.EDU
Fri Oct 15 11:07:21 EDT 2010


Chris Fowler <cfowler at outpostsentinel.com> writes:

> Our PBX was attacked and hacked.  Lost about $72 in SIP charges.  I've
> implemented fail2ban and have changed our passwords.  Looking at other
> things to do as well.
>
> I know fail2ban works because there was an attempt today and fail2ban
> did exactly what it should.

Sorry to hear that their attack was successful.  I've seen similar
attacks against my asterisk server.  I've got a script set up using
swatch to implement IP banning.  I was going to look at fail2ban but
didn't want to spend the time to learn a new tool.

One thing to be careful about when using these tools is DoS attacks against
your real upstream VoIP provider.  SIP is UDP based, so an attacker
could forge the source IP as that of your VoIP provider and thereby call
fail2ban to block your real service provider.

-derek
-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available
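
Added example (not part of the original post, and not the swatch script or fail2ban setup it mentions): a log-driven ban planner that guards against the forged-source problem described above by never banning an allowlisted upstream provider range. The log lines, addresses and the names plan_bans, SAMPLE_LOG and PROVIDER_NETS are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Asterisk chan_sip failed-registration notice; the source address is the
# quoted field after "failed for" (some versions append ":port").
FAILED = re.compile(
    r"Registration from '.*?' failed for '(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?'")

def plan_bans(lines, never_ban, max_retry=3):
    """Return (ban, skipped): addresses to block, and allowlisted addresses
    that reached the threshold but must not be blocked."""
    nets = [ipaddress.ip_network(n) for n in never_ban]
    hits = Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            hits[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue  # malformed address in the log line, ignore it
    ban, skipped = [], []
    for ip, count in sorted(hits.items()):
        if count < max_retry:
            continue
        # UDP source addresses can be forged, so failures "from" the provider
        # are reported for review instead of being turned into a block.
        if any(ip in net for net in nets):
            skipped.append(str(ip))
        else:
            ban.append(str(ip))
    return ban, skipped

def _line(src):
    # Constructed sample line in the chan_sip notice format.
    return ("[Oct 15 10:58:01] NOTICE[2211] chan_sip.c: Registration from "
            "'\"100\" <sip:100@192.0.2.10>' failed for '%s' - Wrong password" % src)

# Constructed input: a real scanner, packets forged as the provider, one stray failure.
SAMPLE_LOG = ([_line("203.0.113.45")] * 3 + [_line("198.51.100.7:5060")] * 3
              + [_line("203.0.113.80")])
PROVIDER_NETS = ["198.51.100.0/24"]  # assumed upstream provider range

if __name__ == "__main__":
    ban, skipped = plan_bans(SAMPLE_LOG, PROVIDER_NETS)
    print("ban:", ban)
    print("allowlisted, review instead of banning:", skipped)
```

In fail2ban itself the corresponding protection is the ignoreip setting in the jail configuration, listing the provider's addresses.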

