Asterisk and obfuscated SIP port redirection - calls drop after 20 seconds
Posted by Admin • Tuesday, October 5. 2010 • Category: Asterisk
One of my Asterisk setups got attacked recently by a brute-force script kiddie. The attack is simple:
- Try sequential SIP usernames from 1 to 10000, hoping that the admin chose a numeric username scheme
- If Asterisk returns anything but a 401, then perhaps this is a real account, so add it to the list
- If anything is on the list of "possibles", then brute-force their passwords
Why this works:
- Asterisk has no delay for failed logins, so a brute-force attack is viable: hundreds of attempts per second are possible. Not sure what can be done about this.
- The admin didn't set alwaysauthreject = yes in sip.conf. It's off by default, why??? With this enabled, there is no way to tell if a username is valid from the reject response.
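The sweep-then-guess pattern described above can be spotted in the Asterisk log. The following is an added example, not code from the original post: it assumes chan_sip writes failed registrations as NOTICE lines in the layout matched by the regex, with the reasons "No matching peer found" and "Wrong password"; the thresholds, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed chan_sip NOTICE layout for a failed REGISTER; adjust to your log format.
FAILED = re.compile(
    r"Registration from '(?:\"[^\"]*\" ?)?<sip:(?P<user>[^@>]+)@[^>]+>' "
    r"failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)

def scan(lines, enum_threshold=5, guess_threshold=5):
    """Return {ip: findings} for sources showing the two attack phases."""
    unknown = defaultdict(set)                     # ip -> usernames with no peer
    wrong = defaultdict(lambda: defaultdict(int))  # ip -> user -> bad passwords
    for line in lines:
        m = FAILED.search(line.strip())
        if not m:
            continue
        ip, user, reason = m["ip"], m["user"], m["reason"]
        if reason == "No matching peer found":
            unknown[ip].add(user)
        elif reason == "Wrong password":
            wrong[ip][user] += 1
    report = {}
    for ip in set(unknown) | set(wrong):
        # Phase 1: many distinct numeric usernames from one source.
        numeric = [u for u in unknown[ip] if u.isdigit()]
        sweeping = len(numeric) >= enum_threshold
        # Phase 2: repeated password failures against a single account.
        guessed = sorted(u for u, n in wrong[ip].items() if n >= guess_threshold)
        if sweeping or guessed:
            report[ip] = {"username_sweep": sweeping,
                          "tried": len(unknown[ip]),
                          "password_guessing": guessed}
    return report

def sample_log():
    """Constructed log lines (documentation IP ranges), not from a real system."""
    fmt = ("[Oct  5 03:12:01] NOTICE[2101] chan_sip.c: Registration from "
           "'\"{u}\" <sip:{u}@203.0.113.10>' failed for '{ip}' - {why}")
    lines = [fmt.format(u=u, ip="198.51.100.7", why="No matching peer found")
             for u in range(1, 9)]
    lines += [fmt.format(u=1004, ip="198.51.100.7:5060", why="Wrong password")] * 6
    lines += [fmt.format(u="alice", ip="192.0.2.44", why="Wrong password")]  # one typo
    lines += ["[Oct  5 03:12:02] VERBOSE[2101] logger.c: unrelated line"]
    return lines

if __name__ == "__main__":
    for ip, finding in scan(sample_log()).items():
        print(ip, finding)
```

A source flagged by either phase is a candidate for a firewall block; the single mistyped password from the second address stays below both thresholds and is not reported.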
To deal with this: