Asterisk and obfuscated SIP port redirection - calls drop after 20 seconds
Posted by Admin • Tuesday, October 5. 2010 • Category: Asterisk
One of my Asterisk setups got attacked recently by a brute-force script kiddie. The attack is simple:
- Try sequential SIP usernames from 1 to 10000, hoping that the admin chose a numeric username scheme
- If Asterisk returns anything but a 401, then perhaps this is a real account; add it to the list
- If anything is on the list of "possibles", then brute-force their passwords
Why this works:
- Asterisk has no delay for failed logins, so a brute-force attack is viable: hundreds of attempts per second are possible. Not sure what can be done about this
- The admin didn't set alwaysauthreject = yes in sip.conf. It's off by default - why??? With this enabled, there is no way to tell from the reject response whether a username is valid
To deal with this:
- I changed the SIP port externally (at the NAT stage), so my new external port forwards internally to 5060
- Enabled the aforementioned setting (alwaysauthreject = yes)
- Locked down the source IPs permitted from outside
- Added Nagios alerts for specific log file entries (Asterisk full log)
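For the last point, here is an added example (not code from the original post): a small Nagios-style check that parses the failed-registration NOTICE lines chan_sip writes to the full log and goes CRITICAL when one source IP exceeds a threshold of failures inside a time window, which is exactly the pattern a sequential-username scan produces. The log line format, the thresholds and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Failed-registration NOTICE lines as chan_sip writes them to the full log (format assumed
# here). Note the server-side reason still distinguishes unknown users from wrong passwords
# even when alwaysauthreject=yes makes the SIP response returned to the client identical.
FAIL_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
                     r"'(?P<user>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$")

# Constructed sample: 203.0.113.9 walks numeric usernames, then hammers one that exists;
# 192.168.1.23 is a single internal typo that must not trip the alarm.
SAMPLE_LOG = """\
[Oct  5 10:00:01] NOTICE[2216] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.9' - No matching peer found
[Oct  5 10:00:01] NOTICE[2216] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.9' - No matching peer found
[Oct  5 10:00:02] NOTICE[2216] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.9' - Wrong password
[Oct  5 10:00:02] NOTICE[2216] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.9' - Wrong password
[Oct  5 10:00:03] NOTICE[2216] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.9' - Wrong password
[Oct  5 10:03:00] NOTICE[2216] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '192.168.1.23' - Wrong password
"""

def parse_failures(log_text):
    """Yield (timestamp, source_ip, user, reason) for each failed-registration line."""
    for m in filter(None, map(FAIL_RE.match, log_text.splitlines())):
        # the log carries no year; strptime's default year is fine for time deltas
        yield (datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], m["user"], m["reason"])

def offenders(log_text, threshold=5, window_seconds=60):
    """Source IPs with >= threshold failures inside any window, mapped to their total count."""
    per_ip = defaultdict(list)
    for ts, ip, _user, _reason in parse_failures(log_text):
        per_ip[ip].append(ts)
    hits = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over the sorted timestamps
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(stamps)
                break
    return hits

def nagios_check(log_text, threshold=5, window_seconds=60):
    """Nagios plugin contract: (exit code, status line); 2 = CRITICAL, 0 = OK."""
    hits = offenders(log_text, threshold, window_seconds)
    if not hits:
        return 0, "OK - no SIP registration floods"
    detail = ", ".join(f"{ip} ({n} failures)" for ip, n in sorted(hits.items()))
    return 2, f"CRITICAL - SIP registration brute force from {detail}"
```

Feed it the tail of the full log (for example via a wrapper that reads the last few minutes) and let Nagios act on the exit code; the per-reason breakdown from parse_failures is also what tells you whether the scanner has already found a valid username.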
These changes were relatively non-invasive; however, there is an issue: any external SIP clients that should still be able to make calls from outside the local LAN now see the following:
WARNING: chan_sip.c:1950 retrans_pkt: Maximum retries exceeded on transmission for seqno 2 (Critical Response)
WARNING: chan_sip.c:1972 retrans_pkt: Hanging up call - no reply to our critical packet.
and the audio drops after 20 seconds. In fact, Asterisk drops the call, but the SIP client doesn't notice and keeps going. This is not specific to any type of client - the same occurs with a Polycom 501, X-Lite, sflphone and twinkle. This does not occur when using IAX, as IAX is immune to NAT issues, despite the fact that I changed the IAX port as well in the same manner.
Searching forums and boards yielded nothing - I found nobody who ever mentioned changing the SIP port from 5060 at the router. Ultimately I had no choice but to change the internal port to match, and hence change the configs of all the internal SIP clients as well. And before you ask, Asterisk cannot listen on multiple ports.
Things work fine now.
Did you ever find a fix for this problem? I'm having the same issue with dropped calls, but I'm using the standard port. I've solved the script kiddie problem with fail2ban, which locks out an IP address after a few failed attempts.
Mark