VoIP industry attacks

Status
Not open for further replies.

rubberducky

Member
Aug 30, 2017
I know this has been going on for a while now, but I'm a latecomer to this party.
So what I've been suffering from over here is twofold:
Massive DDoS attack that overwhelms our fail2ban, causing mass deregs.
Non-stop call floods.

What are some of the ways to counter these issues?
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
The Federation of Communications Services (UK based) put a bulletin out about this a few weeks ago. If you are a member they have offered to look at logs etc with a view to getting the attackers closed down.

DDoS can be tricky to deal with, especially if you are on the end of a limited bandwidth circuit; most people can only firewall at their end of the circuit, so even if fail2ban blocks the attack, your circuit bandwidth is still consumed by inbound packets. Your service provider may be able to block at their end and thus protect your bandwidth - most good ones do.
 

bcmike

Active Member
Jun 7, 2018
If you're small (as in you don't have your own blocks), you are going to have to rely on your upstream provider to head off most of the volumetric stuff. If practical, you may also want to switch to a deny-all posture and only allow a whitelist of known clients, although this is easier said than done in most cases. Another tactic might be to employ geo blocking, as in block everything from certain geographic locations that you know you are not serving.

Fail2ban can become CPU intensive if it's getting slammed, but a few well-crafted iptables rules might help, as iptables is more efficient.

I'm not an expert, just my .02
 
Jul 15, 2021
Change your default port for a start. As an experiment, I ran a server on an obscure IP which has no domain registration, on random ports, and exposed only TLS: no one tried to connect. As soon as I switched it to run on the default port with TCP/UDP, I could see IPs from Hong Kong, registered to an East European VoIP consultancy, trying to place calls randomly.
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
@fusionpbxnoaudio I do agree with you: an obscure port does reduce the number of attempted connections; in fact, just switching to TCP can make a difference. However, I have never been a fan of "security by obfuscation" - some malicious entity will find you eventually!

I employ a tactic similar to @bcmike on my direct SIP platform; using iptables, I allow a maximum of 10 packets within a given time period; after that, the IP is blocked unless an accept rule is added as a consequence of a successful registration.
 

francois

New Member
Oct 3, 2019
Hi @Adrian Fretwell,

How have you implemented "allow a maximum of 10 packets within a given time period" and "an accept rule is added as a consequence of a successful registration" in your setup?

I assume your rule "allow a maximum of 10 packets within a given time period" is considering only IPs that were not previously considered as a successful registration, right?

Many Thanks!
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
Hi @francois,

The implementation is very simple, but bear in mind that this is implemented on my SIP Trunk platform which uses OpenSIPS, not FusionPBX or FreeSWITCH.

A set of iptables rules to implement hit counters could be set up as follows; make sure the counters are above any rule allowing established, related, etc.:

Code:
# Rule 1 (no target): record a timestamp for the source of every NEW packet to 5060.
# Rule 2: drop the packet once the source has 10 or more timestamps inside the last
# 600 seconds; a match also refreshes the entry, so a source that keeps sending
# stays blocked until it has been quiet for the full 600 seconds.
iptables -A INPUT -p tcp --dport 5060 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 5060 -m state --state NEW -m recent --update --seconds 600 --hitcount 10 -j DROP
iptables -A INPUT -p udp --dport 5060 -m state --state NEW -m recent --set
iptables -A INPUT -p udp --dport 5060 -m state --state NEW -m recent --update --seconds 600 --hitcount 10 -j DROP

Then you could use a shell script to add accept rules above (in front of) the hit counters. The shell script will need to create a mutex (lock) so only one instance of it can run at once (I use directories and not files because directory creation is an atomic operation). The shell script will also need to check if the IP address already has an accept rule. Here is an example script, I named it osiptables:

Code:
#!/bin/bash
# osiptables <ip>: insert an ACCEPT rule for <ip> in front of the hit-counter rules,
# unless one already exists. Called from the OpenSIPS routing script on registration.
IPTABLES=/sbin/iptables
IPSUDO=/usr/bin/sudo
GREP=/bin/grep
WORDCOUNT=/usr/bin/wc
RMDIR=/bin/rmdir
MKDIR=/bin/mkdir
SLEEP=/bin/sleep
LOCKDIR=/run/lock/osiptables
LOCKED=0

# Refuse to run without an address; an empty $1 would build a bad iptables command.
if [ -z "$1" ]; then
   echo "usage: $0 <ip-address>" >&2
   exit 1
fi

# Mutex: mkdir is atomic, so only one instance can create the lock directory;
# the others wait until it disappears and then try again.
function getlock {
     while [ $LOCKED -eq 0 ]; do
        if $MKDIR "$LOCKDIR" >/dev/null 2>&1; then
           LOCKED=1
        else
           while [ -d "$LOCKDIR" ]; do
              $SLEEP 0.2
           done
        fi
     done
}

getlock
# Release the lock even if the script is killed or exits early.
trap '$RMDIR "$LOCKDIR"' EXIT

# -F -w: match the address as a whole fixed-string word, so 10.0.0.1 is not treated
# as already present when only 10.0.0.10 or 110.0.0.1 has a rule.
IPCOUNT=$($IPSUDO $IPTABLES -nL INPUT | $GREP -Fw -- "$1" | $WORDCOUNT -l)
if [ "$IPCOUNT" -eq 0 ]; then
  $IPSUDO $IPTABLES -I INPUT -s "$1" -j ACCEPT
fi

exit 0

Then in the OpenSIPS routing script, you just need to call the shell script when a successful registration occurs. I also log the IP addresses to a database table using the avp_db_query function:

Code:
# add firewall rule to whitelist ip addresses from users that register successfully
exec("/usr/local/bin/osiptables '$si'");
avp_db_query("INSERT INTO ip_register(account, ip_address) VALUES('$(au{s.escape.common})', '$si') ON DUPLICATE KEY UPDATE status='C', created_date=Now()");

I hope that is helpful.
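The rate limit described in the post above, modelled as an added Python example (it is not the poster's code and not the kernel's xt_recent implementation): each NEW packet passing the --set rule adds a timestamp for its source, the --update rule matches once at least --hitcount timestamps fall inside --seconds and refreshes the entry on every match, and a per-IP ACCEPT rule inserted ahead of the counters bypasses both. The addresses, packet timing and the registered phone are constructed sample values; the 20-entry ring per address mirrors the module's default ip_pkt_list_tot but is an assumption about the deployed system.

```python
from collections import deque

WINDOW_SECONDS = 600   # --seconds
HITCOUNT = 10          # --hitcount
RING_SIZE = 20         # timestamps kept per address (xt_recent ip_pkt_list_tot default; assumed)


class SipFirewall:
    """Toy model of the INPUT chain: per-IP ACCEPT rules first, then the two recent rules."""

    def __init__(self, window=WINDOW_SECONDS, hitcount=HITCOUNT):
        self.window = window
        self.hitcount = hitcount
        self.allowed = set()   # sources with an "-I INPUT -s <ip> -j ACCEPT" rule
        self.stamps = {}       # the recent list: ip -> ring of last-seen times

    def allow(self, ip):
        """What the osiptables script does after a successful registration."""
        self.allowed.add(ip)

    def _record(self, ip, now):
        self.stamps.setdefault(ip, deque(maxlen=RING_SIZE)).append(now)

    def new_packet(self, ip, now):
        """Return 'ACCEPT' or 'DROP' for a NEW packet to port 5060 at time `now`."""
        # The inserted ACCEPT rules sit above the counters and terminate evaluation.
        if ip in self.allowed:
            return "ACCEPT"
        # Rule 1: --set records a timestamp and falls through.
        self._record(ip, now)
        # Rule 2: --update --seconds W --hitcount N matches when at least N stamps are
        # inside the window; a match records another stamp, so a source that keeps
        # sending stays blocked until it has been quiet for the whole window.
        recent_hits = sum(1 for t in self.stamps[ip] if now - t <= self.window)
        if recent_hits >= self.hitcount:
            self._record(ip, now)
            return "DROP"
        return "ACCEPT"   # falls through to the rest of the INPUT chain


def demo():
    """Constructed traffic: a scanner at one packet per second, then a registered phone."""
    fw = SipFirewall()
    fw.allow("198.51.100.7")   # constructed: a phone that registered successfully
    return {
        # the first 9 packets pass, the 10th and every later one is dropped
        "scanner": [fw.new_packet("203.0.113.9", t) for t in range(12)],
        # the same scanner after staying quiet for longer than the window
        "scanner_after_pause": fw.new_packet("203.0.113.9", 12 + WINDOW_SECONDS + 1),
        # the registered phone is never counted, however chatty it is
        "registered": [fw.new_packet("198.51.100.7", t) for t in range(30)],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The model makes the ordering requirement concrete: the ACCEPT rule has to be inserted above the counters (hence `-I INPUT`, not `-A`), because once a source has crossed the hit count its entry is refreshed by every further packet and it only recovers after a full window of silence.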
 

Davesworld

Member
Feb 1, 2019
Since I use TLS for most everything I can, I only allow the fixed IP of my home router to access port 5060; that cuts down on a tremendous amount of noise and call override attempts that come direct rather than through the CLECs via the SBCs that I use. You don't need a lot of CPU power, but it should be reasonable.
 

Zivk

Member
Apr 7, 2019
You can configure fail2ban to block IPs after fewer attempts and for a longer time.

You can permit in your firewall (iptables or so) only IP addresses from your country (if your business is not global). IP lists per country: https://www.ip2location.com/free/visitor-blocker. iptables, for example, has no performance issue with several thousand rules.

You can analyze FreeSWITCH / fail2ban logs and find addresses that consistently attack you, then block their CIDR /24 or so.

You can change the internal port from 5060 to something else, thus reducing attacks to a minimal level; the bad guys love 5060. Remember to configure fail2ban accordingly, not only FreeSWITCH.
 
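One way to do the log analysis suggested above (find the addresses that keep coming back and block their /24), as an added Python example rather than anything posted in the thread: it reads fail2ban's own "Ban <ip>" notices, groups the banned addresses into /24 networks, skips any network you have marked as your own or a known customer, and renders the iptables commands for subnets with several distinct offenders instead of applying them. The log lines are constructed samples in fail2ban's log format using documentation address ranges, and the threshold of three distinct hosts per /24 is an arbitrary choice to be tuned per site.

```python
import ipaddress
import re
from collections import Counter

# fail2ban logs "... NOTICE [<jail>] Ban <ip>" when it bans an address. The pattern is
# case-sensitive on purpose: "Unban <ip>" lines must not be counted as bans.
BAN_RE = re.compile(r"\bBan (\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample lines in fail2ban's log format; not taken from a real system.
SAMPLE_LOG = """\
2022-02-10 09:00:01,001 fail2ban.actions [812]: NOTICE [freeswitch] Ban 203.0.113.10
2022-02-10 09:07:14,120 fail2ban.actions [812]: NOTICE [freeswitch] Ban 203.0.113.25
2022-02-10 09:15:40,333 fail2ban.actions [812]: NOTICE [freeswitch] Ban 203.0.113.77
2022-02-10 09:22:03,045 fail2ban.actions [812]: NOTICE [freeswitch] Unban 203.0.113.10
2022-02-10 09:31:55,900 fail2ban.actions [812]: NOTICE [freeswitch] Ban 203.0.113.10
2022-02-10 09:40:12,010 fail2ban.actions [812]: NOTICE [freeswitch] Ban 198.51.100.4
2022-02-10 09:58:30,777 fail2ban.actions [812]: NOTICE [freeswitch] Ban 203.0.113.140
"""


def banned_ips(log_text):
    """Count Ban events per address; an address banned twice counts twice."""
    return Counter(m.group(1) for m in BAN_RE.finditer(log_text))


def offending_subnets(ip_counts, prefix=24, min_distinct=3, exempt=()):
    """Group banned addresses into /prefix networks.

    Returns {network: number_of_distinct_banned_hosts} for networks holding at least
    `min_distinct` different offenders that do not overlap any network in `exempt`
    (your own ranges or known customers, which must not be blocked wholesale because
    one host in them misbehaved).
    """
    exempt_nets = [ipaddress.ip_network(n) for n in exempt]
    hosts_per_net = {}
    for ip in ip_counts:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        hosts_per_net.setdefault(net, set()).add(ip)
    return {
        net: len(hosts)
        for net, hosts in hosts_per_net.items()
        if len(hosts) >= min_distinct and not any(net.overlaps(e) for e in exempt_nets)
    }


def iptables_commands(subnets, port=5060):
    """Render DROP rules for the chosen subnets as strings; nothing is applied here."""
    cmds = []
    for net in sorted(subnets, key=lambda n: int(n.network_address)):
        for proto in ("udp", "tcp"):
            cmds.append(f"iptables -I INPUT -s {net} -p {proto} --dport {port} -j DROP")
    return cmds


if __name__ == "__main__":
    counts = banned_ips(SAMPLE_LOG)
    chosen = offending_subnets(counts, exempt=("198.51.100.0/24",))
    for cmd in iptables_commands(chosen):
        print(cmd)
```

Distinct hosts per network, rather than raw ban counts, is the signal used because one noisy host banned repeatedly says nothing about its neighbours, while several different hosts in the same /24 hitting port 5060 within an hour is the pattern the post describes. Review the output before feeding it to iptables, and keep the exempt list in step with the registered-client allow list.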

pbz

New Member
Feb 10, 2022
If the phones are located at a place with a static IP address, would it help at all to go to Advanced->Domains and add a CIDR entry for the static IP address?
 