Quick links: Download the latest version :: Watch a short demo of svcrash.py
Since this is a little different from the usual, I'll provide a bit of background first.
If you had been following the Asterisk or VoIP provider blogs and forums, you might have noticed people complaining about bandwidth saturation due to SIP scans. Some people had been using Amazon EC2 based servers to look for SIP servers such as Asterisk, which have weak passwords. As a result of these scans, organizations were getting a considerable amount of bandwidth used - leading to denial of service (DoS). Why did this happen?
- The attackers were using huge lists of extensions / passwords in their scans, (apparently) sometimes using the --force option in svwar.py
- Even if blacklisted, old versions of svwar.py and svcrack.py keep sending messages because they are stateless
- Originally, Amazon's abuse team did not respond to these attacks in a timely fashion
- The victim providers had less bandwidth than Amazon's cloud
So what's new?
1 - Updated SIPVicious to care more...
A few weeks ago I released a new version of SIPVicious (v0.2.5) which has a timeout for svwar.py and svcrack.py. If either of these tools receives no response then it stops scanning. The reason why they receive no response could be that an intrusion prevention system blocked the scanning IP, thus making it useless to keep on scanning anyway.
I urge everyone to update to the latest version (v0.2.6).
2. Create a small basic tool that breaks the attack:
A more aggressive approach is to make use of svcrash.py. What this tool does is abuse an unhandled exception when decoding the information from the "To" tag. This causes both svwar and svcrack to crash, thus stopping an attack. This tool is included in v0.2.6, which also includes a fix for this bug.
How to run svcrash.py
Mode 1: python svcrash.py -d attackerip -p attackerport
This would send one message which causes the attack to stop. You would need to find out the IP address and the attacker port from your PBX log files or by taking a look at Wireshark or tcpdump during the attack.
Mode 2: sudo python svcrash.py --auto
This would make use of scapy (i.e. you need to have scapy v2 installed) to monitor the traffic and respond automatically every 2 seconds. This automates the whole thing so that one can leave it running to block the next attack.
Mode 3: sudo python svcrash.py --astlog=/var/log/asterisk/full
Makes use of the Asterisk log file as a source of information. This option is still experimental as it does quite a bit of guessing. Needs more testing. For production use, the --auto mode is probably safer.
If you have any questions about svcrash, check out the FAQ, and do not forget the SIPVicious FAQ too. Feel free to contact me firstname.lastname@example.org.