Hi Everyone,
Noticing a potential issue with the responsive firewall. My understanding is that it's supposed to rate limit failed registration/authentication attempts and then block them altogether when they reach a certain threshold. However, I am observing these attempts in my logs:
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘<sip:[email protected]>’ failed for ‘A.B.C.D:65106’ (callid: abcdefgh12345678) - No matching endpoint found after 234 tries in 3.729 ms
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘<sip:[email protected]>’ failed for ‘A.B.C.D:65055’ (callid: abcdefgh12345678) - No matching endpoint found after 235 tries in 3.735 ms
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘<sip:[email protected]>’ failed for ‘A.B.C.D:65055’ (callid: abcdefgh12345678) - Failed to authenticate
[2021-09-19 01:11:55] NOTICE[6529] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘<sip:[email protected]>’ failed for ‘A.B.C.D:65090’ (callid: abcdefgh12345678) - No matching endpoint found after 236 tries in 3.788 ms
[2021-09-19 01:11:55] NOTICE[6529] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘<sip:[email protected]>’ failed for ‘A.B.C.D:65090’ (callid: abcdefgh12345678) - Failed to authenticate
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘<sip:[email protected]>’ failed for ‘A.B.C.D:65074’ (callid: abcdefgh12345678) - No matching endpoint found after 237 tries in 3.794 ms
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘<sip:[email protected]>’ failed for ‘A.B.C.D:65074’ (callid: abcdefgh12345678) - Failed to authenticate
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘<sip:[email protected]>’ failed for ‘A.B.C.D:65106’ (callid: abcdefgh12345678) - No matching endpoint found after 238 tries in 3.795 ms
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘<sip:[email protected]>’ failed for ‘A.B.C.D:65106’ (callid: abcdefgh12345678) - Failed to authenticate
[2021-09-19 01:11:55] NOTICE[6529] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘<sip:[email protected]>’ failed for ‘A.B.C.D:65153’ (callid: abcdefgh12345678) - No matching endpoint found after 239 tries in 3.892 ms
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘<sip:[email protected]>’ failed for ‘A.B.C.D:65125’ (callid: abcdefgh12345678) - No matching endpoint found after 240 tries in 3.907 ms
[2021-09-19 01:11:55] NOTICE[6529] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘<sip:[email protected]>’ failed for ‘A.B.C.D:65109’ (callid: abcdefgh12345678) - No matching endpoint found after 241 tries in 3.909 ms
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘<sip:[email protected]>’ failed for ‘A.B.C.D:65146’ (callid: abcdefgh12345678) - No matching endpoint found after 242 tries in 3.910 ms
[2021-09-19 01:11:55] NOTICE[6529] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘<sip:[email protected]>’ failed for ‘A.B.C.D:65197’ (callid: abcdefgh12345678) - No matching endpoint found after 243 tries in 3.928 ms
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘<sip:[email protected]>’ failed for ‘A.B.C.D:65191’ (callid: abcdefgh12345678) - No matching endpoint found after 244 tries in 3.931 ms
[2021-09-19 01:11:55] NOTICE[6529] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘<sip:[email protected]>’ failed for ‘A.B.C.D:65209’ (callid: abcdefgh12345678) - No matching endpoint found after 245 tries in 3.939 ms
I know the responsive firewall does work when I purposefully test failed registrations. My guesses are that maybe: 1) the responsive firewall needs to be tuned more on my end; 2) the responsive firewall can't handle that many failed attempts in such a short period of time; 3) because the attacker is using a different source port with each attempt or group of attempts, the responsive firewall is not designed to look for failed attempts from the same source IP but different source ports?
Thoughts?
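The post's third guess is really a question about what the detector keys on. The script below is an added example (not FreePBX's responsive firewall and not Asterisk code) that parses pjsip_distributor NOTICE lines of the shape shown above, counts failures per source inside a sliding time window, and records a ban when a threshold is crossed. By default it keys on the source IP alone, so changing source ports does not spread the count across separate buckets; the `key_by_port` switch reproduces the weakness in guess 3 so the difference is visible on the same input. The threshold and window values are assumptions for the demo, and the sample lines are constructed with documentation addresses, mirroring the post's logs.

```python
"""Sliding-window detector for failed pjsip REGISTER attempts.

Added illustration, not FreePBX or Asterisk code. The threshold and window
values are assumptions chosen for the demo; the log lines are constructed
to mirror the shape of the ones in the post.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One pjsip_distributor NOTICE line, e.g.
#   [2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request 'REGISTER'
#   from '<sip:1000@192.0.2.10>' failed for '203.0.113.5:65106' (callid: x) - Failed to authenticate
# Straight and curly quotes are both accepted because forum rendering often converts them.
# IPv4 only; Asterisk prints IPv6 sources as [addr]:port and that form is not handled here.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] "
    r"res_pjsip/pjsip_distributor\.c: Request ['‘](?P<method>\w+)['’] "
    r"from ['‘](?P<from>[^'’]*)['’] "
    r"failed for ['‘](?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)['’] "
    r"\(callid: (?P<callid>[^)]*)\) - (?P<reason>.*)$"
)


def parse_line(line):
    """Return a dict for a failed-request NOTICE line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["port"] = int(ev["port"])
    return ev


class FailureTracker:
    """Count failures per source inside a sliding time window and ban on threshold."""

    def __init__(self, threshold=5, window_seconds=60, key_by_port=False):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.key_by_port = key_by_port      # True reproduces the weakness in guess 3
        self.recent = defaultdict(deque)    # key -> timestamps of recent failures
        self.banned = {}                    # key -> time the ban was triggered

    def _key(self, ev):
        return f"{ev['ip']}:{ev['port']}" if self.key_by_port else ev["ip"]

    def observe(self, ev):
        """Record one failure; return True if this event newly triggers a ban."""
        key = self._key(ev)
        if key in self.banned:
            return False
        q = self.recent[key]
        q.append(ev["ts"])
        cutoff = ev["ts"] - self.window
        while q and q[0] < cutoff:          # drop failures that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            self.banned[key] = ev["ts"].strftime("%Y-%m-%d %H:%M:%S")
            return True
        return False


def run_detector(lines, threshold=5, window_seconds=60, key_by_port=False):
    """Feed log lines through a tracker; return (banned dict, number of parsed failures)."""
    tracker = FailureTracker(threshold, window_seconds, key_by_port)
    parsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        parsed += 1
        tracker.observe(ev)
    return tracker.banned, parsed


def _line(ts, port, reason, src="203.0.113.5", pid=7766):
    # Constructed sample line in the same shape as the post's logs (documentation addresses).
    return (f"[{ts}] NOTICE[{pid}] res_pjsip/pjsip_distributor.c: Request 'REGISTER' "
            f"from '<sip:1000@192.0.2.10>' failed for '{src}:{port}' "
            f"(callid: abcdefgh12345678) - {reason}")


# Constructed sample: one source cycling through ports, one unrelated failure, one non-matching line.
SAMPLE_LOG = [
    _line("2021-09-19 01:11:55", 65106, "No matching endpoint found after 234 tries in 3.729 ms"),
    _line("2021-09-19 01:11:55", 65055, "Failed to authenticate"),
    _line("2021-09-19 01:11:56", 65090, "No matching endpoint found after 236 tries in 3.788 ms"),
    _line("2021-09-19 01:11:56", 65074, "Failed to authenticate"),
    _line("2021-09-19 01:11:57", 65153, "No matching endpoint found after 239 tries in 3.892 ms"),
    _line("2021-09-19 01:11:58", 5060, "Failed to authenticate", src="198.51.100.20"),
    _line("2021-09-19 01:13:30", 65191, "Failed to authenticate"),
    "[2021-09-19 01:13:31] NOTICE[6529] chan_sip.c: unrelated line that must be ignored",
]

if __name__ == "__main__":
    for by_port in (False, True):
        banned, n = run_detector(SAMPLE_LOG, threshold=5, window_seconds=10, key_by_port=by_port)
        print(f"key_by_port={by_port}: parsed {n} failures, banned {banned}")
```

Run against the constructed sample with a threshold of 5 in a 10 second window, the IP-keyed tracker bans 203.0.113.5 on its fifth failure even though every attempt arrived from a different port, while the port-keyed variant never reaches the threshold because each port holds a count of one. Both the "No matching endpoint found" and the "Failed to authenticate" reasons are counted, since both are failed REGISTER attempts from the same source; when checking a real deployment, confirm which of the two the blocking logic actually counts and whether its window is short enough for a burst like the one in the post.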