Constant Invite Attacks - how to defend?

Hello there,
I got Asterisk 16.8.0 with fail2ban in place, which works great for the usual authenticate attack-scheme.
When I go to asterisk -rvc console I see a lot of Invite attacks like this:

<— Transmitting SIP response (496 bytes) to UDP: —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP;rport=26032;received=;branch=z9hG4bK-524287-1—q0un46kg91c5lvrx
Call-ID: BvOMbrUDGdExxmeIGQD6kf…
From: sip:580@XX.22.XXX.622;tag=4kham4yc
To: sip:390237920793@XX.22.XXX.622;tag=z9hG4bK-524287-1—q0un46kg91c5lvrx
WWW-Authenticate: Digest realm=“asterisk”,nonce=“1586034566/c87a37e229e2dacf5706a31857ec93c0”,opaque=“6c3777fa2ac4575c”,algorithm=md5,qop=“auth”
Server: XXX
Content-Length: 0

It does not show in the normal logs, how can I repell these attacks?

There is no single method to repel unneeded invites, but here is the one I use: An invite will produce a ‘ChallengeSent’ line in security log, like this:
[Apr 4 22:07:12] SECURITY[3935] res_security_log.c: SecurityEvent=“ChallengeSent”,EventTV=“2020-04-04T22:07:12.775-0400”,Severity=“Informational”,Service=“SIP”,EventVersion=“1”,AccountID=“101”**,SessionID=“0x7fe460022080”,LocalAddress=“IPV4/UDP/”,RemoteAddress=“IPV4/UDP/”,Challenge=“4a765ad0”

So, someone wants to register as extension 101 - he is actually checking if that extension exists with ‘ChallengeSent’. You can not block ‘ChallengeSent’ transactions, as your telephones will fail to register. What I did is to have all my accounts follow a format - they look like ‘AF1234567890’ - and now I block with fail2ban anyone sending ‘ChallengeSent’, but have following in the filter:

ignoreregex =AccountID=“AF\d\d\d\d\d\d\d\d\d\d”

So, all Invites for an account not following that format get a ban, and the asterisk is quite happy.

1 Like

Genious, thanks a lot.

Reference for seekers after me:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.