So, how do we start?

First step: We will no longer use the words SIP, Brute, Force, and Attack. =)

What we’re talking about is a scheme to make expensive calls through your phone system. Of course, this isn’t true for all scenarios, but the vast majority simply want to make expensive calls on your dime.

How does it work?

The bad guys trick your phone system into thinking they are a valid user.

How can they do that?

When phones connect to your phone system, the system replies with different messages. Based on those messages, the bad guys can figure out phone names. Think of your phone system as the receptionist. An attempt might be similar to…

Bad Guy: “Hi, is Alice there?”
Receptionist: “No, there is no Alice here. You have the wrong number.”
Bad Guy: “Hi, is Bob there?”
Receptionist: “Yes, who may I say is calling?”

Basically, there’s a different response based on if that person exists in the company. Same thing with the phones. Once the Bad Guys find out phone names, they then use their computers to crack the phone password.

Once the password is detected, they connect their phone to your system and begin making calls.

What can I do to stop this?

If the person in charge of your phone system doesn’t understand what this attack is, you need to hire a consultant to help you and/or train your administrator. If you or your administrator understand this attack, then you need to make sure you are following the best practices for SIP security (here’s a good link for asterisk best practices).

If you’re running asterisk, you might wish to install a script that checks for attacks and blocks those connections.

Even better… consider Kamailio.

Kamailio (pronounced KAMA-ILLY-OH) is an open-source SIP proxy, registrar, application that is extremely robust and powerful. The software includes anti-flood features that really help protect your system and truly helps to minimize these annoying attacks.

Remember, the Internet is like a big city. Sure there’s great museums and entertainment, but there’s also bad, bad places filled with bad, bad people. If you’re going to leave your BMW unlocked in Hell’s Kitchen, don’t be surprised when it’s been taken around the block a few times.

Set up IP Tables

We will not be discussing the intricacies of iptables in this post. There are excellent tutorials on iptables, and with most things linux, help is only a google away. To help identify the traffic blocked as asterisk related, a new chain will be created appropriately called… asterisk.

Here’s how to add the new chain:

iptables -N asterisk
iptables -A INPUT -j asterisk
iptables -A FORWARD -j asterisk

This will help identify hosts blocked for failed registrations.

Asterisk’s Log for Failed Registrations

In most cases of a sip flood attack, the host attempts registration to Asterisk. These hosts are identified in the Asterisk log (/var/log/messages) as “No matching peer found.” The following perl script scans /var/log/messages for these patterns, strips the IP address, and puts the IP address into an array.

After the file has been read, the IP addresses are counted (each count is a failed attempt), compared against the existing blocked hosts, and new occurrences are blocked. With this script we are blocking any host after the 4th failed attempt.

Here’s the script (last updated 05 SEP 2010):

#!/usr/bin/perl -w
use strict;
use warnings;
my (@failhost);
my %currblocked;
my %addblocked;
my $action;

open (MYINPUTFILE, "/var/log/asterisk/messages") or die "\n", $!, "Does log file file exist\?\n\n";

while (<MYINPUTFILE>) {
	my ($line) = $_;
	chomp($line);
	if ($line =~ m/\' failed for \'(.*?)\' - No matching peer found/) {
		push(@failhost,$1);
	}
	if ($line =~ m/\' failed for \'(.*?)\' – Wrong password/) {
		push(@failhost,$1);
	}
}

my $blockedhosts = `/sbin/iptables -n -L asterisk`;

while ($blockedhosts =~ /(.*)/g) {
	my ($line2) = $1;
	chomp($line2);
	if ($line2 =~ m/(\d+\.\d+\.\d+\.\d+)(\s+)/) {
		$currblocked{ $1 } = 'blocked';
	}
}

while (my ($key, $value) = each(%currblocked)){
	print $key . "\n";
}

if (@failhost) {
	&count_unique(@failhost);
	while (my ($ip, $count) = each(%addblocked)) {
		if (exists $currblocked{ $ip }) {
			print "$ip already blocked\n";
		} else {
			$action = `/sbin/iptables -I asterisk -s $ip -j DROP`;
			print "$ip blocked. $count attempts.\n";
		}
	}
} else {
	print "no failed registrations.\n";
}

sub count_unique {
    my @array = @_;
    my %count;
    map { $count{$_}++ } @array;
    map {($addblocked{ $_ } = ${count{$_}})} sort keys(%count);
}

Schedule the script with cron

The final step is to schedule your script to run every X minutes in cron. We’ve chosen to run our script every 2 minutes, but you can change this to 1 minute or any other time period you choose. Just remember… you can receive thousands of attempts within 2 minutes.

If you have named your script check-failed-regs.pl and placed it in your /usr/local/bin directory, your cron statement would look like this:

*/2 * * * * perl /usr/local/bin/check-failed-regs.pl &> /dev/null

Questions? Comments? We love feedback. Or, contact us for more information.

#!/usr/bin/perl -w
use strict;
use warnings;
my (@failhost);

open (MYINPUTFILE, "/var/log/asterisk/$ARGV[0]") or die "\n", $!, "Does log file file exist\?\n\n";

while (<MYINPUTFILE>) {
	my ($line) = $_;
	chomp($line);
	if ($line =~ m/\' failed for \'(.*?)\' - No matching peer found/) {
		push(@failhost,$1);
	}
}

if (@failhost) {
	&count_unique(@failhost);
} else {
	print "no failed registrations.\n";
}

sub count_unique {
    my @array = @_;
    my %count;
    map { $count{$_}++ } @array;

	#print them out:

    map {print "$_ = ${count{$_}}\n"} sort keys(%count);

}

And while we duck from @Merlyn’s criticisms (although we love his criticism), the basic usage is:

perl [Whatever you named it].pl messages
or perl [Whatever you named it].pl messages.1

Results look like:

184.73.53.22 = 13586
64.76.45.100 = 9895
78.46.87.14 = 9960

Or “no failed registrations.” if you have no failed attempts.

Following is a list of SIP Response Codes:

Information SIP Responses – 1xx

Informational responses, indicate that the server contacted is performing some further action and does not yet have a definitive response. A server sends a 1xx response if it expects to take more than 200 ms to obtain a final response.

• 100 Trying
• 180 Ringing
• 181 Call Is Being Forwarded
• 182 Queued
• 183 Session Progress

Successful SIP Responses – 2xx

The action was successfully received, understood, and accepted.

• 200 OK
• 202 Accepted (request understood, but cannot be processed)

Redirection SIP Responses – 3xx

Further action needs to be taken in order to complete the request.

• 300 Multiple Choices
• 301 Moved Permanently
• 302 Moved Temporarily
• 305 Use Proxy
• 380 Alternative Service

Client Error SIP Responses – 4xx

The request contains bad syntax or cannot be fulfilled at the server.

• 400 Bad Request
• 401 Unauthorized (Used only by registrars or user agents. Proxies will/should use 407)
• 402 Payment Required
• 403 Forbidden
• 404 Not Found
• 405 Method Not Allowed
• 406 Not Acceptable
• 407 Proxy Authentication Required
• 408 Request Timeout
• 409 Conflict
• 410 Gone (The user is not available here but once was)
• 412 Conditional Request Failed
• 413 Request Entity Too Large
• 414 Request-URI Too Long
• 415 Unsupported Media Type
• 416 Unsupported URI Scheme
• 417 Unknown Resource-Priority
• 420 Bad Extension
• 421 Extension Required
• 422 Session Interval Too Small
• 423 Interval Too Brief
• 424 Bad Location Information
• 428 Use Identity Header
• 429 Provide Referrer Identity
• 433 Anonymity Disallowed
• 436 Bad Identity-Info
• 437 Unsupported Certificate
• 438 Invalid Identity Header
• 480 Temporarily Unavailable
• 481 Call Leg/Transaction Does Not Exist
• 482 Loop Detected
• 483 Too Many Hops
• 484 Address Incomplete
• 485 Ambiguous
• 486 Busy Here
• 487 Request Terminated
• 488 Not Acceptable Here
• 489 Bad Event
• 491 Request Pending
• 493 Undecipherable (Could not decrypt S/MIME body part)
• 494 Security Agreement Required

Server Error SIP Responses – 5xx

The server failed to fulfill an apparently valid request.

• 500 Server Internal Error
• 501 Not Implemented (SIP request method is not implemented at the server)
• 502 Bad Gateway
• 503 Service Unavailable
• 504 Server Time-out
• 505 Version Not Supported (The server does not support the version of the SIP protocol used)
• 513 Message Too Large
• 580 Precondition Failure

Global Failure SIP Responses – 6xx

The request cannot be fulfilled at any server.

• 600 Busy Everywhere
• 603 Decline
• 604 Does Not Exist Anywhere
• 606 Not Acceptable

Team Forrest offers Asterisk Consulting Services for a wide variety of VoIP, Call Center, and other Telephony Based needs. From small, family business to large Corporations, Team Forrest’s simple philosophy of “Help the Client” ensures we provide great service to meet your needs.

Asterisk Consulting

From carrier services to traditional PBX services, Team Forrest’s Asterisk Consulting Service provides you the solution you need. Services include:

• IVR Development
• Custom AGI Scripting / Programming
• OpenSER Integration
• Calling Card Systems
• Call Center / Sales Queue Development
• Call Recording (call spying, call barging, whisper, etc.)
• Database Integration (Microsoft SQL MSSQL, MySQL, Oracle, etc.)
• Custom Solutions

Emergency Asterisk Support

When a problem comes along, we provide 24/7 Emergency Support to bring your system back to life. Both new and existing clients benefit from our immediate support response.

For immediate support please contact us or call +1 (212) 937-7844.

Remote and Onsite Support

Team Forrest offers immediate remote assistance across the globe. Local, onsite service is also available, with quick response to Michigan, Florida, and New York locations.

Asterisk? Ask us.

With Team Forrest, you get professional consulting at a great price — increased productivity at a lower cost. To see how Team Forrest can help improve your communication needs, contact us. We enjoy talking with clients and look forward to seeing how we can help you.

Asterisk, developed and released by Digium, Inc., is the world’s leading open source telephony engine and tool kit. Asterisk empowers communication with it’s flexibility. Whether working as a simple office telephone system, a robust Call Center platform, or anything in-between, Asterisk provides advanced features at a very low deployment cost.  Asterisk is released as open source under the GNU General Public License (GPL), and it is available for download free of charge. Asterisk is the most popular open source software available, with the Asterisk Community being the top influencer in VoIP.

Description: When configured with pedantic=yes the SIP channel driver performs extra request URI checking on an INVITE received as a result of a SIP spiral. As part of this extra checking the headers from the outgoing SIP INVITE sent and the received SIP INVITE are compared. The code incorrectly assumes that the string for each header passed in will be non-NULL in all cases. This is incorrect because if no headers are present the value passed in will be NULL.

The values passed into the code are now checked to be non-NULL before being compared.

Resolution: Upgrade to revision 174082 of the 1.4 branch, 174085 of the 1.6.0 branch, 174086 of the 1.6.1 branch, or one of the releases noted below.

The pedantic option in the SIP channel driver can also be turned off to prevent this issue from occurring.

Affected Versions

1.4.x (Versions 1.4.22, 1.4.23, 1.4.23.1)
1.6.0.x (All versions prior to 1.6.0.6)
1.6.1.x (All versions prior to 1.6.1.0-rc2)
C.x.x (Only version C.2.3)

If you need assistance in updating or reviewing your Asterisk installation, please contact Team Forrest today.

UPDATE April 4, 2009 — Frank (user comment) let us know that AnyWho had changed their website. As a result the code has been updated. Thanks Frank!

UPDATE November 18, 2009 — Robert (user comment) let us know of another change. As a result the code has been updated. Thanks Robert!

#!/usr/bin/perl -w
use strict;
use LWP::UserAgent;
$|=1;

my ($cidnum,$cidname,$npa,$nxx,$station,$name);

#----------------------------------------------------------------
# get asterisk initial info
#----------------------------------------------------------------

while(<STDIN>) {
	chomp;
	last unless length($_);
}

#----------------------------------------------------------------
# check if we have a caller id
#----------------------------------------------------------------

if ($ARGV[0]) {
		$cidnum = $ARGV[0];
	} else {
		print qq(VERBOSE "ERROR: no callerid provided" 2\n);
		exit(0);
}

#----------------------------------------------------------------
# check caller id and split into npa, nxx, and station
#----------------------------------------------------------------

if(substr($cidnum,0,1) eq '1'){
	$cidnum=substr($cidnum,1);
}

if(substr($cidnum,0,2) eq '+1'){
	$cidnum=substr($cidnum,2);
}

if ($cidnum =~ /^(\d{3})(\d{3})(\d{4})$/) {
		$npa = $1;
		$nxx = $2;
		$station = $3;
	} elsif ($cidnum =~/\<(\d{3})(\d{3})(\d{4})\>/) {
		$npa = $1;
		$nxx = $2;
		$station = $3;
	} else {
		print qq(VERBOSE "ERROR: unable to parse caller id" 2\n);
		exit(0);
}

print qq(VERBOSE "STATUS: CID is $npa-$nxx-$station" 2\n);

#----------------------------------------------------------------
# check npa, nxx, and station for cid name
# 1 = check. 0 = skip.
#----------------------------------------------------------------

my $AnyWho = '1' ;
my $Google = '1' ;
my $www411 = '1' ;

if ($AnyWho > '0') {
		print qq(VERBOSE "STATUS: checking AnyWho for name lookup" 2\n);
		if ($name = &anywho_lookup ($npa, $nxx, $station)) {
				$cidname = $name;
				print qq(SET VARIABLE CALLERID\(name\) "$cidname"\n);
				print qq(VERBOSE "STATUS: AnyWho said name was $cidname " 2\n);
				exit(0);
			} else {
				print qq(VERBOSE "STATUS: unable to find name with AnyWho" 2\n);
		}
	} else {
		print qq(VERBOSE "STATUS: AnyWho lookup disabled" 2\n);
}

if ($Google > '0') {
		print qq(VERBOSE "STATUS: checking Google for name lookup" 2\n);
		if ($name = &google_lookup ($npa, $nxx, $station)) {
				$cidname = $name;
				print qq(SET VARIABLE CALLERID\(name\) "$cidname"\n);
				print qq(VERBOSE "STATUS: Google said name was $cidname " 2\n);
				exit(0);
			} else {
				print qq(VERBOSE "STATUS: unable to find name with Google" 2\n);
		}
	} else {
		print qq(VERBOSE "STATUS: Google lookup disabled" 2\n);
}

if ($www411 > '0') {
		print qq(VERBOSE "STATUS: checking www411 for name lookup" 2\n);
		if ($name = &www411_lookup ($npa, $nxx, $station)) {
				$cidname = $name;
				print qq(SET VARIABLE CALLERID\(name\) "$cidname"\n);
				print qq(VERBOSE "STATUS: www411 said name was $cidname " 2\n);
				exit(0);
			} else {
				print qq(VERBOSE "STATUS: unable to find name with www411" 2\n);
		}
	} else {
		print qq(VERBOSE "STATUS: www411 lookup disabled" 2\n);
}

#----------------------------------------------------------------
# return results and exit
#----------------------------------------------------------------

print qq(SET VARIABLE CALLERID\(name\) "$cidnum"\n);
print qq(VERBOSE "STATUS: Unknown name for $cidnum " 2\n);
exit(0);

#----------------------------------------------------------------
# parse anywho
# http://whitepages.anywho.com/results.php?qnpa=$npa&qnpanxx=$npa$nxx&qnxx=$nxx&qp=$nxx$station&qstation=$station
# Find More Information for First Last</a>
#----------------------------------------------------------------

sub anywho_lookup {
	my ($npa, $nxx, $station) = @_;
	my $ua = LWP::UserAgent->new( timeout => 45);
	my $URL = 'http://whitepages.anywho.com/results.php';
	$URL .= qq(?qnpa=$npa&qnpanxx=$npa$nxx&qnxx=$nxx&qp=$nxx$station&qstation=$station);
	$ua->agent('AsteriskAGIQuery/1');
	my $req = new HTTP::Request GET => $URL;
	my $res = $ua->request($req);
	if ($res->is_success()) {
		if ($res->content =~ /Find More Information for (.*)<\/a>/) {
			my $clidname = $1;
			return $clidname;
		}
	}
	return "";
}

#----------------------------------------------------------------
# parse google
# http://www.google.com/search?rls=en&q=phonebook:$npa$nxx$station
# <td>First Name<td>(<b>$npa
#----------------------------------------------------------------

sub google_lookup {
	my ($npa, $nxx, $station) = @_;
	my $ua = LWP::UserAgent->new( timeout => 45);
	my $URL = qq(http://www.google.com/search?rls=en&q=phonebook:$npa$nxx$station&ie=UTF-8&oe=UTF-8);
	$ua->agent('AsteriskAGIQuery/1');
	my $req = new HTTP::Request GET => $URL;
	my $res = $ua->request($req);
	if ($res->is_success()) {
		if ($res->content =~ /<td>(.+)<td>\(<b>$npa/) {
			my $clidname = $1;
			return $clidname;
		}
	}
	return "";
}

#----------------------------------------------------------------
# parse 411
# http://www.411.com/search/Reverse_Phone?phone=$npa$nxx$station
# View map, driving directions, and more">Name</a>
#----------------------------------------------------------------

sub www411_lookup {
	my ($npa, $nxx, $station) = @_;
	my $ua = LWP::UserAgent->new( timeout => 45);
	my $URL = qq(http://www.411.com/search/Reverse_Phone?phone=$npa$nxx$station);
	$ua->agent('AsteriskAGIQuery/1');
	my $req = new HTTP::Request GET => $URL;
	my $res = $ua->request($req);
	if ($res->is_success()) {
		if ($res->content =~ /View map, driving directions, and more\">(.*)<\/a>/) {
			my $clidname = $1;
			if ($clidname eq "Listing Detail") {
				if ($res->content =~ /Type: <strong>(.*)<\/strong>/) {
					$clidname = $1;
					if ($res->content =~ /Location: <strong>(.*)<\/strong>/) {
						$clidname = $clidname . " $1";
					}
				}
			}
			return $clidname;
		}
	}
	return "";
}

This perl script will work well as an AGI script — checking AnyWho, Google, and then 411 for a caller’s name or location. If all else fails, the callerid name is set as the callerid number.

The perl script was designed to only use the Internet with minimal installation; so it will work without a database, Perl Asterisk module, or locally hosted NPA / NXX (phone number to region) file.

Team Forrest recommends using a subroutine context to get the callerid when needed; calling the script with either a GoSub or GosubIf command, such as:

exten => s,n,Gosub(cidname-lookup,s,1)
exten => s,n,dial(${PHONE},30,t)
...

...
[cidname-lookup]
exten => s,1,NoOp(looking up callerid name)
exten => s,n,GotoIf($["foo${CALLERID(NAME)}" = "foo" ]?getname)
exten => s,n,GotoIf($["${CALLERID(NAME)}" = "${CALLERID(NUM)}" ]?getname)
exten => s,n,NoOp(caller id name exists as ${CALLERID(NAME)})
exten => s,n,Return
exten => s,n(getname),AGI(calleridname.pl,${CALLERID(NUM)})
exten => s,n,NoOp(Caller ID Name is now ${CALLERID(NAME)})
exten => s,n,Return

Enjoy the file (download here) and remember, Team Forrest is here to assist you will all of your Asterisk, VoIP, or technical needs.

The VoIP Users Conference gathers weekly on Fridays to discuss all things VoIP. Free, and open to the public, participants can listen live or download archived recordings.

There are three main ways to access the live conference:

1. via SIP directly
2. via HiDef SIP directly
3. via PSTN (see below for the number)
4. via the Talkshoe client

VoIP Users Conference via SIP

Recently, several participants experienced difficulties in connecting to the conference using SIP. The issue dealt with DTMF recognition and prevented the participant from entering the conference number and pin.

Thanks to the power of SIP, this problem can be circumvented using a SIP Header. Adding the SIP Header of Subject: <passcode>22622</passcode><pin>YOURPIN</pin> will bypass the DTMF needs and enter you into the conference automatically.

Using Asterisk, a SIP Header can easily be added to your dialplan. For example, if you wanted to dial *10 to reach the VoIP Users Conference, you would modify your extensions.conf to contain something like:

exten => *10,1,NoOp(VoIP Users Conference Fridays at 12pm EST. Replace YOURPIN with your talkshoe pin)
exten => *10,n,SIPAddHeader(Subject: <passcode>22622</passcode><pin>YOURPIN</pin>)
exten => *10,n,Dial(SIP/talkshoe@vuc.onsip.com)

VoIP Users Conference via Hi Def SIP

If you have an HD Voice / Wideband capable phone, you can connect directly to the conference using g722 at the following SIP URI:

• sip:200901@login.zipdx.com

So, in Asterisk’s extensions.conf, it may look something like this:

exten => *11,1,NoOp(VoIP Users Conference Fridays at 12pm EST. g722 connection)
exten => *11,n,Dial(SIP/200901@login.zipdx.com)

REMEMBER! To use the wideband (g722) bridge, you need a wideband capable phone.

PSTN, Talkshoe, and Web

The VoIP Users Conference meets every Friday at 12pm Eastern Standard Time. More information can be found by following these links:

• VoIP Users Conference
• Talkshoe
• PSTN –> Dial (724) 444-7444 and enter 22622# 1#

VoIP Insider is a blog from VoIP Supply.  VoIP Supply carries a variety of VoIP hardware, including Polycom SIP phones, Asterisk hardware, and pretty much any VoIP capable phone.