Do you have some examples of malicious messages?
D.
On 11/27/2013 12:00 AM, Joli Martinez wrote:
> I have placed the code below right underneath the route portion in the
> kamailio.cfg file, restarted kamailio, and I am still being attacked.
>
> ####### Routing Logic ########
>
>
> # main request routing logic
>
> route{
>
> if ($ua=="friendly-scanner") {
> sl_send_reply("200","OK");
> exit;
> }
>
> On Nov 26, 2013, at 5:29 PM, Daniel Grotti <dgrotti@sipwise.com> wrote:
>
>> Hi,
>> you can check the User-Agent reference $ua; if it is equal to
>> "friendly-scanner", just send back a reply with sl_send_reply("200", "OK").
>>
>> Daniel
>>
>>
>>
>> On 11/26/2013 10:53 PM, Joli Martinez wrote:
>>> How can I do this? Is there an article I can reference or something?
>>> I am new to kamailio and not sure how to do this.
>>>
>>> Thanks,
>>>
>>> On Nov 26, 2013, at 4:41 PM, Ovidiu Sas <osas@voipembedded.com> wrote:
>>>
>>>> Google around for "friendly-scanner" to learn more about it.
>>>> In the meantime, allow the packets to be handled by kamailio and send
>>>> a 200 OK back - maybe this will stop the attack.
>>>> After the attack is stopped, simply drop all "friendly-scanner" SIP
>>>> requests :)
>>>>
>>>> Regards,
>>>> Ovidiu Sas
>>>>
>>>> On Tue, Nov 26, 2013 at 4:32 PM, Joli Martinez <mrjoli021@gmail.com> wrote:
>>>>> It is coming from "friendly-scanner". The other issue I have is
>>>>> that "/var/log/secure" is not getting the SIP requests, so the only
>>>>> way I realize it is happening is from tcpdump. If the secure file
>>>>> is not picking it up then iptables won't know about it. How can I
>>>>> tell iptables to listen for SIP requests? I have already added the
>>>>> IP to the blocked IPs but he still keeps on coming.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> On Nov 26, 2013, at 4:28 PM, Ovidiu Sas <osas@voipembedded.com> wrote:
>>>>>
>>>>>> Most likely it's a bogus script.
>>>>>> Sometimes just sending a dummy reply will stop the script sending
>>>>>> SIP requests.
>>>>>> Check the User-Agent header and From username to see if you can
>>>>>> identify the script and google around for it.
>>>>>>
>>>>>> Regards,
>>>>>> Ovidiu Sas
>>>>>>
>>>>>> On Tue, Nov 26, 2013 at 4:17 PM, Joli Martinez <mrjoli021@gmail.com> wrote:
>>>>>>> I am running Kamailio in CentOS. I ran tcpdump and noticed that
>>>>>>> we are getting attacked from IP 188.138.32.72. I have already
>>>>>>> blocked it on iptables, but he keeps on attacking the server. If
>>>>>>> I look at "/var/log/secure" there are no SIP messages. My
>>>>>>> question is where is the log file for Kamailio and how can I
>>>>>>> prevent this type of attack in the future.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> _______________________________________________
>>>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
>>>>>>> mailing list
>>>>>>> sr-users@lists.sip-router.org <mailto:sr-users@lists.sip-router.org>
>>>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> VoIP Embedded, Inc.
>>>>>> http://www.voipembedded.com
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> VoIP Embedded, Inc.
>>>> http://www.voipembedded.com
>>>>
>>>
>>>
>>>
>>
>
>
>
>
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
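
An added example, not part of the original messages and not Kamailio code: it shows the fields the thread tells the admin to inspect (User-Agent and From username) being pulled out of a raw SIP request, and a one-line record carrying the source IP being produced for a log-based blocker. The sample probe, the log format and all function names are assumptions constructed for illustration.

```python
import re

BLOCKED_UA = ("friendly-scanner",)  # the User-Agent named in the thread

# Constructed probe shaped like a tcpdump capture; addresses are documentation ranges.
SAMPLE_PROBE = (
    "OPTIONS sip:100@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-0001;rport\r\n"
    "From: \"100\" <sip:100@198.51.100.7>;tag=0001\r\n"
    "To: \"100\" <sip:100@192.0.2.10>\r\n"
    "Call-ID: constructed-0001\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "user-agent:  Friendly-Scanner\r\n"
    "Content-Length: 0\r\n\r\n"
)

COMPACT = {"f": "from", "t": "to", "v": "via", "i": "call-id"}  # RFC 3261 short names

def parse_headers(raw):
    """Return {lowercased header name: value}, unfolding continuation lines."""
    head = raw.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)      # header folding
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            continue                             # malformed line: ignore it
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), value.strip())
    return headers

def from_user(headers):
    """User part of the From URI, or None if there is none."""
    m = re.search(r"sips?:([^@>;\s]+)@", headers.get("from", ""))
    return m.group(1) if m else None

def scanner_log_line(raw, src_ip):
    """Return a one-line record for a blocked User-Agent, else None."""
    h = parse_headers(raw)
    ua = h.get("user-agent", "").lower()         # header names and values vary in case
    hit = next((bad for bad in BLOCKED_UA if bad in ua), None)
    if hit is None:
        return None
    m = re.match(r"[A-Z]+", raw)
    method = m.group(0) if m else "?"
    # Log the matched token, not the raw header, so the peer cannot inject log text.
    return f"sip-scanner src={src_ip} method={method} ua={hit} from_user={from_user(h)}"
```

The comparison here is case-insensitive and substring-based, so a probe that sends `Friendly-Scanner` or appends a version string is still caught.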