Re: [fw-wiz] SIP dictionary attacks



I'm using OpenBSD as my firewall, in which there is a connection/time
feature. I can set it to block any IP that makes X connections within
X time. For instance, if someone connects to my SSH port more than 3
times in 30 seconds, they get blocked. Since you're on SIP, you could do,
like, say, anyone connecting more than 5 times in 5 minutes gets
blocked; SIP usually doesn't have that many connections, it just
connects and then it's up, sort of thing.

I believe there is a version of this in iptables, but I've never seen
it in a hardware firewall.

That is at least how I solved the problem you face.



2009/4/1 Paul D. Robertson <paul@xxxxxxxxxxxx>:
Well, besides losing my voice which has given me a little time to catch up
on things, one of my problems last week was a successful dictionary attack
against a SIP extension with an eight digit password.

Obviously, I've changed the passwords and lengths, but I did want to make
sure folks knew that there were active attacks out there, and they're
obviously scanning for systems randomly, since the system in question was
only recently moved to a new IP address space.  The initial scans came
from a box in China (surprise!)

Anyway, all I've found for blocking outside of static IP address ranges is
a bunch of check-the-logs-and-react stuff for Linux.  I'm starting to
think IPS might actually have a use- time to Google for snort inline stuff
I suppose.

Attackers made about calls out to people telling them they owed money.
Calls were initiated from Europe, Asia and the US.  Likely from
compromised hosts.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul@xxxxxxxxxxxx       which may have no basis whatsoever in fact."
          Moderator: Firewall-Wizards mailing list
          Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
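Added example, not from the original thread: the pf "X connections within Y seconds" rule the reply describes, written in OpenBSD pf.conf syntax. The interface name em0, the table name <sipbrute> and the limits are assumptions chosen for illustration. One caveat the reply glosses over: pf evaluates max-src-conn and max-src-conn-rate only for TCP connections that have completed the three-way handshake, and the overload table is fed from those limits, so a rate rule on udp/5060 (where most SIP registration traffic, and the scanners that hunt for weak extension passwords, actually live) never adds anyone to the table. The UDP rule below therefore uses max-src-states, which caps concurrent states per source but does not flag the source.

```conf
# /etc/pf.conf fragment (added example; interface and table names are hypothetical)
ext_if = "em0"

# Sources that trip a limit land here; persist keeps the table across rule reloads
table <sipbrute> persist

# Drop everything from a source that has already been flagged
block in quick on $ext_if from <sipbrute>

# SIP over UDP: cap concurrent states per source. Past the cap, new states are
# refused, but the source is NOT added to <sipbrute>; pf's overload logic only
# fires on the TCP connection limits in the rule below.
pass in on $ext_if proto udp to ($ext_if) port 5060 \
    keep state (max-src-states 5)

# SIP over TCP: more than 5 completed connections from one source within
# 300 seconds adds that source to <sipbrute> and flushes its existing states
pass in on $ext_if proto tcp to ($ext_if) port 5060 \
    keep state (max-src-conn-rate 5/300, overload <sipbrute> flush global)
```

Load it with pfctl -f /etc/pf.conf, list offenders with pfctl -t sipbrute -T show, and age entries out from cron with pfctl -t sipbrute -T expire 86400 so a shared or reassigned address is not blocked forever. For registration attempts over UDP, where the firewall rule alone cannot feed the table, what remains is the log-and-react approach Paul mentions: parse the SIP server's failed-authentication log and add offenders with pfctl -t sipbrute -T add. The iptables analogue of max-src-conn-rate is the recent match (-m recent --set on the first packet, then --update --seconds 300 --hitcount 5 -j DROP), which counts packets rather than TCP handshakes and so applies to UDP as well.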

