Akom's Tech Ruminations

Various tech outbursts - code and solutions to practical problems

Asterisk and obfuscated SIP port redirection - calls drop after 20 seconds

Posted by Admin • Tuesday, October 5. 2010 • Category: Asterisk
One of my Asterisk setups got attacked recently by a brute-force script kiddie. The attack is simple:
  1. Try sequential SIP usernames from 1 to 10000, hoping that the admin chose a numeric username scheme.
  2. If Asterisk returns anything but a 401, then perhaps this is a real account, so add it to the list.
  3. If anything is on the list of "possibles", then brute-force their passwords.


Why this works:
  • Asterisk has no delay for failed logins, so a brute-force attack is viable: hundreds of attempts per second are possible. Not sure what can be done about this.
  • The admin didn't set alwaysauthreject = yes in sip.conf. It's off by default, why??? With this enabled, there is no way to tell from the reject response whether a username is valid.
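
Both phases of this attack leave a pattern in the Asterisk log: one address failing against many different nonexistent usernames, then many wrong passwords for a single username. The sketch below is an added example, not code from the original post; the log line layout is an assumption modelled on chan_sip registration-failure notices, and the sample lines, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict

# Layout modelled on chan_sip registration-failure notices (assumption:
# the exact text and the optional :port suffix vary by Asterisk version).
FAIL_RE = re.compile(
    r"Registration from '(?:\"[^\"]*\" ?)?<sip:([^@>]+)@[^>]*>' failed for "
    r"'([0-9.]+)(?::\d+)?' - (No matching peer found|Wrong password)")

def make_line(user, ip, reason):
    """Build one constructed log line for the sample below."""
    return ("[2010-10-05 03:12:01] NOTICE[2211] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@192.0.2.10>' failed for '{ip}' - {reason}")

# Constructed sample: one host walks usernames 1..30, then hammers user 17;
# another host mistypes a password twice.
SAMPLE = (
    [make_line(u, "203.0.113.7", "No matching peer found")
     for u in range(1, 31) if u != 17]
    + [make_line(17, "203.0.113.7", "Wrong password")] * 40
    + [make_line(204, "198.51.100.4", "Wrong password")] * 2
)

def analyze(lines, scan_threshold=10, guess_threshold=20):
    """Return {ip: {"enumeration": n_users, "bruteforce": [users]}}."""
    probed = defaultdict(set)    # ip -> distinct unknown usernames tried
    guesses = defaultdict(int)   # (ip, user) -> wrong-password count
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue             # unrelated log line
        user, ip, reason = m.groups()
        if reason == "Wrong password":
            guesses[(ip, user)] += 1
        else:
            probed[ip].add(user)
    report = defaultdict(lambda: {"enumeration": 0, "bruteforce": []})
    for ip, users in probed.items():
        if len(users) >= scan_threshold:
            report[ip]["enumeration"] = len(users)
    for (ip, user), count in guesses.items():
        if count >= guess_threshold:
            report[ip]["bruteforce"].append(user)
    return dict(report)

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE).items():
        print(ip, finding)
```

The two mistyped passwords from 198.51.100.4 stay below both thresholds, so only the scanning host is reported.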


To deal with this:
