OZO (Premium Member, join:2003-01-17) to Davesnothere

Re: DDoS Attacks, Is Any VoIPP Less Susceptible?

One more thing to add here:

I think susceptibility to DDoS attacks depends on the software used and overall design structure deployed.

From small personal experience of running FreeSWITCH under DDoS I may assure you that FS is not prepared for reacting to DDoS at all. When I pointed that out to FS developers, I was met with arrogance - "it's your problem, not ours. Use system provided protection mechanisms if you need to do the job". But I think they're dead wrong. FS can easily recognize the beginning of the attack by a simple analysis of the incoming SIP traffic... Example? Common SIP clients don't try to send REGISTER requests with 50 different names changed alphabetically within 1 sec. There are obvious patterns of attack that a SIP server could recognize almost immediately and stop responding to, ... if it is designed with that problem in mind. In my case, FS tried to reply to all requests and eventually brought the whole server down after depleting its system memory during several hours of hard (and completely unnecessary) work.

Which SIP server is used by CallCentric? I hope it's not FreeSWITCH.
How are they prepared for that event and what do they particularly do to mitigate it?
tanzam75 (Member, join:2012-07-19)

said by OZO:

When I pointed that out to FS developers, I was faced back with arrogance - "it's your problem, not ours. Use system provided protection mechanisms if you need to do the job". But I think they're dead wrong. FS can easily recognize the beginning of the attack by a simple analysis of the SIP incoming traffic...

Your suggestion sounds like the approach that 3cx takes:
quote:
»www.3cx.com/blog/voip-ar ··· -attack/

3CX Premium Partner, Charles Ambrosecchia of Sigma Networks, reports that their Network Operations Center was the subject of an intense attack from an IP Address inside Germany for 17 continuous hours, with data rates peaking at over 5Mbps to a single 3CX Phone System installation.

Charles stated that 3CX Phone System performed admirably by rejecting the initial attempts at registration with incorrect forged credentials (essentially a brute force attack). Shortly thereafter, 3CX Phone System automatically classified the source of the attack as a potentially malignant entity and added it to its dynamic blacklist.

3cx is a commercial company. So they have a direct monetary incentive to solve their users' practical problems, rather than to be arrogant about it and treat it as an abstract problem.
OZO (Premium Member, join:2003-01-17)

Thanks for sharing that example. It just shows that some development teams want to improve their product, while others have obvious attitude problems that make them blind to any suggestions... The latter I saw a lot with FreeSWITCH development. They keep old bugs open indefinitely without any attempt to fix them... not to mention implementing new functions that would benefit everyone.

Security of the SIP switch (always open to public access) is a very serious issue to ignore...

So, I'd suggest, look at SIP messages sent by your VSP and particularly at its "User-Agent" line, and if it says "FreeSWITCH" don't be surprised if at some point in time it goes down and you have no service at all due to some DDoS attack... (which could happen at any time, BTW).

pquesinb (Member, Severn, MD, join:2009-04-20) to OZO

said by OZO:

One more thing to add here:

I think susceptibility to DDoS attacks depends on the software used and overall design structure deployed.

From small personal experience of running FreeSWITCH under DDoS I may assure you that FS is not prepared for reacting on DDoS at all. When I pointed that out to FS developers, I was faced back with arrogance - "it's your problem, not ours. Use system provided protection mechanisms if you need to do the job"...

Fail2Ban is a good way of mitigating such attacks w/FS but I have to agree with you overall. I'm really excited about the potential of FreeSWITCH but it's getting harder and harder to get help on their forum with even relatively simple issues or questions about things which are documented poorly, or not at all. I'm seeing more and more folks with seemingly worthwhile questions just being ignored, especially when it relates to functionality that would be relatively easy to implement and extremely helpful to many but that the developers just don't feel like adding in. Your experience seems to confirm that observation.

Of course one must also keep in mind that these are volunteers and we're not paying them to work on the free software they're providing. Still, decent documentation doesn't really seem like too much to ask if they're truly serious about the project... especially if they don't want to answer questions about it.

Getting back to the issue of DDoS attacks, when the scanners like SipVicious or botnets, etc. are making registration attempts, do most of the SIP servers like FS close the network connection on an unsuccessful attempt (send an RST, etc.), forcing the scanner to open a new connection with each attempt or are they able to just keep scanning without re-opening the connection each time?

If the servers dump the connection on each failed attempt, that would make it much easier to deal with the attack from the firewall side, by implementing rate limiting and blacklisting after so many failed attempts per second, minute, etc.

- Phil
OZO (Premium Member, join:2003-01-17)

said by pquesinb:

Fail2Ban is a good way of mitigating such attacks w/FS

Not if you use FS on the Windows platform (as I do, for example).

Of course one must also keep in mind that these are volunteers and we're not paying them to work on the free software they're providing. Still, decent documentation doesn't really seem like too much to ask if they're truly serious about the project... especially if they don't want to answer questions about it.

I've seen many, many free projects that don't exhibit that problem. This case is a big exception in my experience though... And I completely agree with you. Common sense dictates that if you don't want to answer simple questions coming again and again from different people (many could be new to this project) - put simple answers in help pages and don't be rude when you see someone try to ask nevertheless... We are all people, you know...

Getting back to the issue of DDoS attacks, when the scanners like SipVicious or botnets, etc. are making registration attempts, do most of the SIP servers like FS close the network connection on an unsuccessful attempt (send an RST, etc.), forcing the scanner to open a new connection with each attempt or are they able to just keep scanning without re-opening the connection each time?

Usually SIP communications are made using UDP (a connectionless protocol). But in any case, it's obvious that if the same host tries to register many different users during a limited time, it should signal an attack. Stop responding for a couple of minutes. If it then tries to do the same - just block it and log the offending host for further investigation... It's a very simple but nevertheless extremely effective approach.

If the servers dump the connection on each failed attempt, that would make it much easier to deal with the attack from the firewall side, by implementing rate limiting and blacklisting after so many failed attempts per second, minute, etc.

Agree with you. The only problem here is that developers should realize that it is a security problem and not point at users - "it's your problem, not ours..." and ignore it all.
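The two-stage reaction described here (many distinct usernames from one host in a short window, first go silent for a couple of minutes, then block on a repeat) and the alphabetical REGISTER scan mentioned earlier in the thread, as an added example that is not code from the thread or from FreeSWITCH. The thresholds, the log line format and the addresses are constructed assumptions.

```python
# Added example, not code from the thread or from FreeSWITCH: a per-source
# SIP REGISTER flood detector with a silent period followed by a block on
# repeat. Thresholds, log format and addresses are constructed assumptions.
from collections import defaultdict, deque

class RegisterFloodDetector:
    def __init__(self, window=1.0, max_distinct=10, pause=120.0, strikes_to_block=2):
        self.window, self.max_distinct = window, max_distinct
        self.pause, self.strikes_to_block = pause, strikes_to_block
        self.recent = defaultdict(deque)       # src -> deque of (ts, username)
        self.pause_until = defaultdict(float)  # src -> end of its silent period
        self.strikes = defaultdict(int)
        self.blocked = set()

    def decide(self, ts, src, user):
        """Return 'reply', 'drop' (stay silent) or 'block' for one REGISTER."""
        if src in self.blocked:
            return "block"
        q = self.recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > self.window:  # keep only the last `window` seconds
            q.popleft()
        if ts < self.pause_until[src]:
            return "drop"                        # still inside the silent period
        if len({u for _, u in q}) >= self.max_distinct:
            # many distinct usernames from one host within a second: a REGISTER scan
            self.strikes[src] += 1
            if self.strikes[src] >= self.strikes_to_block:
                self.blocked.add(src)            # repeat offender: block (and log it)
                return "block"
            self.pause_until[src] = ts + self.pause
            return "drop"
        return "reply"

def constructed_log():
    """Constructed sample: alice re-registers normally; 198.51.100.7 tries 12
    alphabetically ordered usernames within one second, then repeats later."""
    lines = [f"{1000 + 60 * i:.2f} 203.0.113.5 REGISTER user=alice" for i in range(5)]
    for start in (1001.0, 1150.0):  # second burst begins after the 120 s pause
        lines += [f"{start + 0.05 * i:.2f} 198.51.100.7 REGISTER user={chr(97 + i) * 2}"
                  for i in range(12)]
    return sorted(lines, key=lambda l: float(l.split()[0]))

def run(lines, detector=None):
    """Feed '<ts> <src_ip> REGISTER user=<name>' lines; return {src: decisions}."""
    det = detector or RegisterFloodDetector()
    out = defaultdict(list)
    for line in lines:
        ts, src, _, user = line.split()
        out[src].append(det.decide(float(ts), src, user.split("=", 1)[1]))
    return dict(out)
```

With the defaults, the first burst gets nine replies before the source goes silent for two minutes, and the repeat burst ends in a block; a normal re-registering client is never affected.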

Trimline (Premium Member, Windermere, FL, join:2004-10-24)

said by OZO:

said by pquesinb:

Fail2Ban is a good way of mitigating such attacks w/FS

Not if you use FS on Windows platform (like e.g. I do).

I use, and recommend, Bee Think IP blocker on Windows. You can create your white list and sleep soundly. This really works well. More info here: »www.beethink.com/

pquesinb (Member, Severn, MD, join:2009-04-20)

said by Trimline:

said by OZO:

said by pquesinb:

Fail2Ban is a good way of mitigating such attacks w/FS

Not if you use FS on Windows platform (like e.g. I do).

I use, and recommend, Bee Think IP blocker on Windows. You can create your white list and sleep soundly. This really works well. More info here: »www.beethink.com/

Hadn't heard of that one but it sounds good. Peerguardian 2 and PeerBlock are FOSS IP-blocking programs.

- Phil

VexorgTR (Member, Sheffield Lake, OH, join:2012-08-27)

I wonder if the name BeeThink has anything to do with the Honeypot concept for server security.