Tuesday, June 22, 2010

How to crash SIPVicious - introducing svcrash.py

A new tool has been added to SIPVicious - svcrash.py. As the name implies, it crashes something - svwar.py and svcrack.py. This tool is meant to be used by system administrators and organizations that are receiving unauthorized scans on their exposed IP PBX.

Quick links: Download the latest version :: Watch a short demo of svcrash.py

Since this is a little different from the usual, I'll provide a bit of background first.


If you had been following the Asterisk or VoIP provider blogs and forums, you might have noticed people complaining about bandwidth saturation due to SIP scans. Some people had been using Amazon EC2 based servers to look for SIP servers such as Asterisk, which have weak passwords. As a result of these scans, organizations were getting a considerable amount of bandwidth used - leading to denial of service (DoS). Why did this happen?
  • The attackers were using huge lists of extensions / passwords in their scans, (apparently) sometimes using the --force option in svwar.py
  • Even if blacklisted, old versions of svwar.py and svcrack.py keep sending messages because they are stateless
  • Originally, Amazon's abuse team did not respond to these attacks in a timely fashion
  • The victim providers had less bandwidth than Amazon's cloud
This meant that just like other denial of service attacks, dropping the packets at the victim host (eg. using iptables) is not enough.

So what's new?

1 - Updated SIPVicious to care more...

A few weeks ago I released a new version of SIPVicious (v0.2.5) which has a timeout for svwar.py and svcrack.py. If either of these tools receives no response then it stops scanning. The reason why they receive no response could be that an intrusion prevention system blocked the scanning IP, thus making it useless to keep on scanning anyway.

I urge everyone to update to the latest version (v0.2.6).

2. Create a small basic tool that breaks the attack:
A more aggressive approach is to make use of svcrash.py. What this tool does is abuse an unhandled exception when decoding the information from the "To" tag. This causes both svwar and svcrack to crash, thus stopping an attack. This tool is included in v0.2.6, which also includes a fix for this bug.

How to run svcrash.py

Mode 1: python svcrash.py -d attackerip -p attackerport
This would send one message which causes the attack to stop. You would need to find out the IP address and the attacker port from your PBX log files or by taking a look at Wireshark or tcpdump during the attack.

Mode 2: sudo python svcrash.py --auto
This would make use of scapy (i.e. you need to have scapy v2 installed) to monitor the traffic and respond automatically every 2 seconds. This automates the whole thing so that one can leave it running to block the next attack.

Mode 3: sudo python svcrash.py --astlog=/var/log/asterisk/full
Makes use of the Asterisk log file as a source of information. This option is still experimental as it does quite a bit of guessing. Needs more testing. For production use, the --auto mode is probably safer.

If you have any questions about svcrash, check out the FAQ, and do not forget the SIPVicious FAQ too. Feel free to contact me [email protected].


Anonymous said...

Love the update, I'm going try and convince one of our programmers to add in Freeswitch log checking.

Assuming it isn't already in there.

sandro said...

Freeswitch log - that would be great. Make sure that you get the source port and ideally, the user-agent or some other indication. Right now I think the best solution is the scapy / sniffing solution

Klaus said...

Don't you think that attackers can edit python code to remove the timeout and handle the exception?

sandro said...

@Klaus: yes, and I answered that question here:

From the faq:
The logic: flooding VoIP providers doesn't do anyone good (granted that the attackers want free phone calls). Therefore the timeout added in SIPVicious version 0.2.5 is actually beneficial for both the victims and the attackers.

New version has the bug fixed.

Oh, and as I explain the FAQ, I don't expect this to be a solution. It helps mitigate but not solve the problem of bandwidth saturation.

Contact me if you think the FAQ doesn't cover all these issues ;-)

Adrian Bridgett said...

A big thanks for svcrash - worked a treat today after the useless cretins at softlayer have done nothing (three emails, a tweet, a phonecall and three days later).