Hey all,

For the past couple of weeks, I've been trying to put together an "Asterisk Intrusion Detection/Prevention" program for Asterisk. So far I am able to mitigate subscribe attacks, bogus caller ID attacks, and am working on others. Would any other engineer be willing to dissect what I have (doing these in modules) and offer advice or modifications?

So far the parameters I am using for the registration spoofing are something like this. This is a spoofed message I created:

SIP/2.0 404 Not found
Via: SIP/2.0/UDP 192.168.1.128:5060;received=192.168.1.128
From: "1586" <sip:[EMAIL PROTECTED]>
To: "1586" <sip:[EMAIL PROTECTED]>;tag=as7fd2ecda
Call-ID: [EMAIL PROTECTED]
CSeq: 101 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Content-Length: 0

I can tell based on Call-ID alone this should be blocked... But for legitimate registrations, what I decided for this was: if someone is registering more than one number in _X_ amount of time, say, +10 per second, indeed this user needs to be blocked.

So I've been thinking about this, and it brings to mind: what if someone is doing some funky PAT/NAT, say a company? I wouldn't want to autoblock them, but I would want to know what is going on on the network... This is how I'm flow charting this portion... I've worked on, and am working on, the messages piecemeal... Registers, Subscribes, Options, Notifies, etc... Any input is greatly appreciated.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743

"How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey

_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --
asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-dev
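The registration rate rule and the PAT/NAT concern from the post above, worked through as an added example; this is not code from the poster's program. It parses SIP REGISTER requests (regex-based, constructed sample messages, not a full SIP parser), keeps a sliding window of registrations per source IP, and separates the two cases the post distinguishes: one source registering many distinct numbers at high rate is marked BLOCK, while a known NAT/PAT source (a hypothetical allowlist, assumed here) or a single number re-registering hard is marked ALERT so an operator can look at what is going on rather than being auto-blocked. Window length and threshold are parameters, with the "+10 per second" from the post as the default.

```python
import re
import time
from collections import defaultdict, deque

# Matches the request line of a SIP REGISTER; responses (e.g. "SIP/2.0 404") do not match.
REQUEST_LINE_RE = re.compile(r'^REGISTER\s+sip:\S+\s+SIP/2\.0', re.IGNORECASE)
# Extracts the user part of the From header, with or without a display name.
FROM_RE = re.compile(r'^From:\s*(?:"[^"]*"\s*)?<?sip:([^@>;\s]+)@', re.IGNORECASE | re.MULTILINE)


def parse_register(msg):
    """Return the From-user of a SIP REGISTER request, or None if msg is not a REGISTER."""
    first_line = msg.lstrip().split("\r\n", 1)[0]
    if not REQUEST_LINE_RE.match(first_line):
        return None
    m = FROM_RE.search(msg)
    return m.group(1) if m else None


class RegistrationMonitor:
    """Sliding-window registration counter keyed by source IP."""

    def __init__(self, window=1.0, max_per_window=10, nat_allowlist=()):
        self.window = window                  # seconds
        self.max_per_window = max_per_window  # registrations allowed inside the window
        self.nat_allowlist = set(nat_allowlist)  # assumed list of known PAT/NAT sources
        self.events = defaultdict(deque)      # src_ip -> deque of (timestamp, user)

    def observe(self, src_ip, msg, ts=None):
        """Record one message and return a verdict: IGNORE, OK, ALERT or BLOCK."""
        user = parse_register(msg)
        if user is None:
            return "IGNORE"  # not a REGISTER request; other modules handle those
        ts = time.time() if ts is None else ts
        q = self.events[src_ip]
        q.append((ts, user))
        # Drop events that have fallen out of the window.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        if len(q) <= self.max_per_window:
            return "OK"
        distinct_users = {u for _, u in q}
        if src_ip in self.nat_allowlist:
            return "ALERT"   # many phones behind one address: report, don't auto-block
        if len(distinct_users) > 1:
            return "BLOCK"   # one source, many numbers, too fast: the post's block rule
        return "ALERT"       # one number re-registering hard: likely a misbehaving device


def make_register(user, call_id):
    """Build a constructed REGISTER request for demonstration (not captured traffic)."""
    return (
        "REGISTER sip:pbx.example.invalid SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
        f'From: "{user}" <sip:{user}@pbx.example.invalid>;tag=abc\r\n'
        f"To: <sip:{user}@pbx.example.invalid>\r\n"
        f"Call-ID: {call_id}\r\n"
        "CSeq: 1 REGISTER\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def demo():
    """Run the three scenarios from the post and return the final verdict of each."""
    mon = RegistrationMonitor(window=1.0, max_per_window=10, nat_allowlist={"203.0.113.1"})
    # 11 distinct numbers from one unknown source within a second -> BLOCK
    v1 = [mon.observe("198.51.100.5", make_register(str(1000 + i), f"a{i}"), ts=0.1 * i) for i in range(11)][-1]
    # same number re-registering 11 times within a second -> ALERT
    v2 = [mon.observe("198.51.100.6", make_register("1586", f"b{i}"), ts=0.05 * i) for i in range(11)][-1]
    # 11 distinct numbers from an allowlisted NAT source -> ALERT, not BLOCK
    v3 = [mon.observe("203.0.113.1", make_register(str(2000 + i), f"c{i}"), ts=0.1 * i) for i in range(11)][-1]
    # a response, not a request -> IGNORE
    v4 = mon.observe("198.51.100.5", "SIP/2.0 404 Not found\r\nCSeq: 101 REGISTER\r\n\r\n")
    return [v1, v2, v3, v4]


if __name__ == "__main__":
    print(demo())
```

Verdicts are returned rather than acted on so the caller decides whether BLOCK feeds a firewall rule and ALERT only feeds a log; the per-IP deque is bounded by the window, so a noisy source cannot grow memory without limit.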
