SIP attacks Nov 03, 2020


#1

Any travelinman users here? Anyone getting SIP attacks “reject-with icmp-port-unreachable” even you have whitelist ? im getting like 15k attempts already


#2

post a couple perhaps ?


#3


#4

These are not actual attacks, but a list of hosts that fail2ban has identified as rogue and blacklisted, the active connection attempts are better seen in real time with sngrep, The lines with 1 in the Msgs column are the ones banned.


#5

i see. any way to block this on the IPTables ?


#6

They ARE already blocked by iptables, sngrep looks at the raw traffic before iptables, if you don’t want to see then, then don’t use UDP/5060 for SIP and they will gradually reduce to almost zero, because if you listen on that IP/port then your PBX will initially respond, then the attacker knows you have a voip server and will persist (and even share with their master, so the next attack will come from another IP), even if failban or other rules in iptables reject (or preferably drops) them, If you don’t use UDP/5060 then the attacker will just move as ‘there is nothing to see here’.


#7

In I disabled the ICMP request would that work ?


#8

No, it’s not a request, its a rather polite response, nothing will stop them flooding you until you stop using UDP/5060 ( note 107.173.219.37 and 3 , these are from a VPS hoster that has a /25 network. this particular command and control knows you have a PBX already, given your chain, so do several others, all the likely suspects are in it)


(TheWebMachine Networks (Sangoma Software Development Partner)) #9

For sure. This issue is amplified for our customers on AWS, since every AWS subnet is scanned non-stop by rogues looking for an easy target to pick at. We prefer using 65060, 65061, etc as our range for signaling. Not going to find much scanning those upper ports…and it gets around the blocking that many home ISPs employ on port 5060 - AT&T is famous for this, even on small business internet accounts - which can save much headache when connecting remote endpoints.


(TheWebMachine Networks (Sangoma Software Development Partner)) #10

Oh, and we also saw such a large spike in phreak/hack attempts across phone systems in the week leading up to the US election, we ended up putting out a notice to our customers to keep an extra eye out for it. Saw a couple systems get hacked last week, too…folks really need to stop using insecure EPM protocols and then exposing them to the internet. :man_facepalming: A couple even experienced direct Trunk hacks, too, entirely bypassing their PBX to place the calls…only reinforcing my complaint that not enough Trunk providers are offering TLS signaling.

Most of the increase in rogue activity (more than we typically see) was sourcing from Turkey, Iran, and Russia. It seems to have died back down to normal levels again now.


#11

is this still pjsip - sip but different port? I have hundreds of extensions to update to be the case currently using 5060


(Dave Burgess) #12

Yup - nothing changes but the port number.

Ouch - it depends on how you load your configs. For me, it’s a change to my DHCP server and ‘standard’ config that gets loaded to the phones, so it wouldn’t be too bad. If you are using EPM, you should be able to do this pretty simply be making a change to the default config file and forcing a reload.


#13

What happens for the trunks that using standard 5060 like vitelity ? Will still registers my DID ?


(Dave Burgess) #14

I don’t use Vitelity, so I can’t give you specific instructions, but the general case is that you change the port number on the page where you set your IP address. One way that works pretty commonly is to change your address from 1.2.3.4 to 1.2.3.4:9960, where 9960 is the new address you’re going to use…


#15

Although many VSP’s allow you to choose an arbitrary SIP signalling port, I don’t thing Voyent does, That is not a problem as trunks are not ‘listened to’ , they are either registered to or use IP auth, So although you would need your firewall to accept the Voyent INVITES on 5060 you should ‘pinhole’ those IP’s on 5060 and listen to your new non 5060/UDP more widely


(Jared Busch) #16

The signalling never sends a password in the clear even without TLS. That is not the issue. Granted I don’t know how strong the whole nonce process is for SIP registration, but the password is never sent in the clear.

For trunks, SIP registration itself needs to be not used. That fixes so many problems.

This is the real issue. So much stupid/bad out there with config files open to the public.


(Avayax) #17

If you use registration you can use a different SIP port with Vitelity.
If you use IP authentication only port 5060 will work.


(system) closed #18

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.