SIP attack with fake header

Hi I am from Japan.

Our SIP server was attacked last weekend.
In fact, the SIP INVITE attack is from 193.107.xxx.xxx.
But the From header is 133.242.xxx.xxx.
This is a manipulated fake header.
133.242.xxx.xxx is our IP address.

It seems Fail2ban does not work in this case.
The log size increased greatly with this attack on our cloud server.

Does Fail2ban support SIP attacks with fake SIP headers?
I have seen information on the internet before about how to output the real IP address of an attacker to the Asterisk log.

Best regards

There is nothing fake about the From header not matching the source IP address. Using the From header for anything except a user name to match against a password is pretty pointless in security terms.

I do seem to remember a rather similar question, maybe a couple of months ago, on this forum.

Thank you for response.

I have seen attacks with From header 0.0.0.0 or 1.1.1.1 before.
Fail2ban has blocked these IP addresses.
But this does not mean anything.

I would like to know how to block similar attacks using Fail2ban on FreePBX.

Just don’t open your FreePBX to the world.

This is the thread I was thinking about, although it seems to have petered out before it was established why the security log wasn’t working for its OP:

Thank you for the information about the thread.
In my case, sngrep displayed the source address of the attackers.
I have blocked that address using the packet filter of the cloud infrastructure.

Yes, sngrep did the job for me as well.
It needs live SIP debugging (with sngrep) in order to retrieve the attacker's source IP.

I just hoped my issue would draw more attention, as it's sort of critical and because it isn't detected by fail2ban.

I have read that Asterisk 16 and pjsip will output the real IP address of the attacker to the log file correctly.
In that case Fail2ban works perfectly.
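As an added example (not code from this thread or from Fail2ban/Asterisk), here is the point made earlier in the thread, that the From header is attacker-controlled while the transport source address is not, shown as a small Python log parser. It runs over constructed lines shaped like Asterisk's chan_sip "Registration from ... failed for" notices and res_security_log `RemoteAddress` entries; all addresses are documentation placeholders, and 198.51.100.10 plays the role of the PBX's own IP. A pattern keyed on the From URI host would return our own address (a self-ban), while matching the peer address returns the attackers, with an `ignoreip`-style check for our own network.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the shape of Asterisk chan_sip NOTICE and
# res_security_log SECURITY entries. Placeholder addresses only; the
# From URI host is spoofed to the PBX's own address, as in the thread.
OWN_NETS = [ip_network("198.51.100.0/24")]  # hypothetical "our" network
SAMPLE_LOG = """\
[2019-05-20 03:14:07] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@198.51.100.10>' failed for '192.0.2.20:5060' - Wrong password
[2019-05-20 03:14:08] NOTICE[1234] chan_sip.c: Registration from '"1002" <sip:1002@198.51.100.10>' failed for '203.0.113.9:5061' - No matching peer found
[2019-05-20 03:14:09] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2019-05-20T03:14:09.000+0900",Severity="Error",Service="PJSIP",EventVersion="4",AccountID="1003",SessionID="0x7f",LocalAddress="IPV4/UDP/198.51.100.10/5060",RemoteAddress="IPV4/UDP/192.0.2.77/5060"
"""

# Naive pattern: host taken from the From URI. The sender chooses this
# value freely, so banning it bans whatever the attacker wrote (here: us).
FROM_URI_HOST = re.compile(r"<sip:[^@>]+@([0-9.]+)>")

# Peer-address patterns: the transport-level source Asterisk actually
# exchanged packets with, which a spoofed header cannot change.
CHAN_SIP_PEER = re.compile(r"failed for '([0-9.]+):\d+'")
SECURITY_PEER = re.compile(r'RemoteAddress="IPV4/\w+/([0-9.]+)/\d+"')


def from_header_hosts(log: str) -> list[str]:
    """Addresses a filter keyed on the From header would try to ban."""
    return [m.group(1) for m in FROM_URI_HOST.finditer(log)]


def ban_candidates(log: str) -> list[str]:
    """Source addresses of failed attempts, minus our own networks."""
    found = []
    for line in log.splitlines():
        m = CHAN_SIP_PEER.search(line) or SECURITY_PEER.search(line)
        if not m:
            continue  # not an auth-failure line we understand
        addr = ip_address(m.group(1))
        if any(addr in net for net in OWN_NETS):  # like fail2ban ignoreip
            continue
        found.append(str(addr))
    return found


if __name__ == "__main__":
    print("From-header hosts:", from_header_hosts(SAMPLE_LOG))
    print("Ban candidates:   ", ban_candidates(SAMPLE_LOG))
```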