SIP Attacks: How to secure your NGCP with Sip:provider

Voice over IP system can be vulnerable to SIP attacks that have a negative impact on the uptime.

Sipwise Sip:provider mr3.5.1 allows you to protect your Voice over IP (VoIP) system against SIP attacks, in particular, Denial of Service and Brute-Force attacks.

Let’s go through each of these attacks and let´s see how to configure your system in order to face such situations and react against them.

We are going see, as well, how increase your security and how it´s easy to integrate fail2ban with your NGCP system, in order to ban attackers IPs.

Denial of Service

As soon as you have packets arriving on your NGCP server, it will require a bit of time of your CPU. Denial of Service is one of the SIP attacks that is aimed to break down your system by sending floods of SIP messages in a very short period of time and keep your system busy to handle such huge amount of requests.

NGCP allow you to block such kind of attack quite easily, by configuring the following section in your /etc/ngcp-config/config.yml:

security:
   dos_ban_enable: 'yes'
   dos_ban_time: 3600
   dos_reqs_density_per_unit: 50
   dos_sampling_time_unit: 2

Basically, as soon as NGCP receives more than 50 messages from the same IP in a time window of 2 seconds, that IP will be blocked for 3600 sec, and you will see in the kamailio-lb.log a line saying:

Nov 9 00:11:53 sp1 lb[41958]: WARNING: <script>: IP '1.2.3.4' is blocked and banned - R=<null> ID=304153-3624477113-19168@tedadg.testlab.local

The banned IP will be stored in Kamailio memory, you can check the list via the web interface or via the following command:

# ngcp-kamctl lb fifo sht_dump ipban

Bruteforcing SIP credentials

This is a very common attack you can easily detect checking your /var/log/ngcp/kamailio-proxy.log. You will see INVITE/REGISTER messages coming in with a strange username. Attackers are trying to spoof/guess subscriber´s credentials, which allow them to call out. The very first protection against these SIP attacks is : use STRONG passwords. Always.

Nevertheless, NGCP allows you to detect and block such attacks quite easily, by configuring the following /etc/ngcp-config/config.yml section :

  failed_auth_attempts: 3
  failed_auth_ban_enable: 'yes'
  failed_auth_ban_time: 3600

You may increase the number of failed attempt if you want (in same cases it´s better to be safe, some users can be banned accidentally because they are not writing the right password) and adjust the ban time. If a user try to authenticate an INVITE (or REGISTER) for example and it fails more than three times, the “user@domain” (not the IP as for Denial of Service attack) will be blocked for 3600 seconds.
In this case, you will see in your kamailio-lb.log the following lines:

Nov 9 13:31:56 sp1 lb[41952]: WARNING: <script>: Consecutive Authentication Failure for 'dgrotti@mydomain.com' UA='Linphone' IP='192.168.0.3' - R=<null> ID=313793-3624525116-589163@testlab.local

Both the banned IPs and banned users are shown in the Admin web interface, you can check them by accessing the “Security Bans” section in the main menu.

You can check the banned user as well by retrieving the same info directly from Kamailio memory, using the following commands:

# ngcp-kamctl lb fifo sht_dump auth

Additionally, you can check the UA value from the log line, and decide to add that User Agent to your User Agent blacklist (see “Blocking User Agent” paragraph).

Increasing your security

Let’s see now how to increase your NGCP security by adding an additional security check and how to integrate that with Fail2ban.

The malicious attacker usually uses well-known tools (e.g. sipvicious) and well-known User Agents. An additional level of security would be blocking IPs based on the SIP User Agent, let’s see the step to implement that into you NGCP and how to integrate this with fail2ban.

Blocking User Agent

In order to mitigate these SIP attacks and malicious users based on SIP UA you need to patch your Kamailio configuration. If you want to block his IP you have to install and configure fail2ban.

Let’s start to create our customtt file:

cp /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.tt2 /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.customtt.tt2

open you /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.customtt.tt2 file and add the following lines:

route
{
...

if(!sanity_check(“1511”, “7”))
{
xlog(“L_WARN”, “Malformed SIP message detected – [% logreq_init -%]n”);
exit;
}

## filtering by UA : blacklist
if( is_method(“REGISTER|INVITE”) && ($ua =~ “friendly-scanner” || $ua =~ “sipvicious” || $ua =~ “^sipcli.+”) )
{
            xlog(“L_WARN”, “Request rejected, malicious UA=’$ua’ from IP=$si – [% logreq_init -%]n”);
            exit;
}

after that run “ngcpcfg apply”.

Now NGCP will discard all the requests coming from those malicious UAs.

But you want more! You want to block their IPs using NGCP firewall. To do that let’s see how to install and configure fail2ban to work with your NGCP.

Integrating fail2ban with NGCP

Just install the debian package, configuration directory will be in /etc/fail2ban:

# apt-get update
# apt-get install fail2ban

We need to modify the following file /etc/fail2ban/jail.conf. We can add IP that the system should ignore, like 127.0.0.1 and other IPs (if you have peerings for example):

##General section
ignoreip = 127.0.0.1 SOME OTHER NGCP IPS

Also, we need to add to the bottom of the file the [kamailio-iptable] section:

[kamailio-iptables]
enabled = true
filter = kamailio
action = iptables-allports[name=KAMAILIO, protocol=all]
logpath = /var/log/ngcp/kamailio-lb.log
maxretry = 1
bantime = 3600

Then we need to create the filter, just creating the file /etc/fail2ban/filter.d/kamailio.conf :

[Definition] 
# filter for kamailio messages
failregex = Request rejected, malicious UA='.*' from IP='<HOST>'

In this way as soon as fail2ban will fetch that line in kamailio-lb.log, it will put the IP in iptables and block it for 1 hour.

You may decide to ban IP instead of user in case of failed authentication. This is quite easy, just change your kamailio.conf filter into:

[Definition]
# filter for kamailio messages
failregex = Request rejected, malicious UA='.*' from IP='<HOST>
            Consecutive Authentication Failure for '.*' UA='.*' IP='<HOST>'

Also, you should adjust your config.yml configuration, in order to ban the user just a few seconds:

failed_auth_attempts: 3
failed_auth_ban_enable: 'yes'
failed_auth_ban_time: 1

then run:

# ngcpcfp-apply
# /etc/init.d/fail2ban restart

In this way, after 3 attempts, the IP and not the user will be banned for 3600 seconds by fail2ban.
To apply the changes to fail2ban just restart the daemon:

# /etc/init.d/fail2ban restart

You can check what’s going on in /var/log/fail2ban.log (in this example ban time was 10sec):

2014-11-06 10:01:45,203 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2014-11-06 10:01:45,206 fail2ban.jail : INFO Creating new jail 'ssh'
2014-11-06 10:01:45,206 fail2ban.jail : INFO Jail 'ssh' uses poller
2014-11-06 10:01:45,238 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2014-11-06 10:01:45,240 fail2ban.filter : INFO Set maxRetry = 6
2014-11-06 10:01:45,242 fail2ban.filter : INFO Set findtime = 600
2014-11-06 10:01:45,244 fail2ban.actions: INFO Set banTime = 600
2014-11-06 10:01:45,333 fail2ban.jail : INFO Creating new jail 'kamailio-iptables'
2014-11-06 10:01:45,333 fail2ban.jail : INFO Jail 'kamailio-iptables' uses poller
2014-11-06 10:01:45,338 fail2ban.filter : INFO Added logfile = /var/log/ngcp/kamailio-lb.log
2014-11-06 10:01:45,340 fail2ban.filter : INFO Set maxRetry = 1
2014-11-06 10:01:45,342 fail2ban.filter : INFO Set findtime = 600
2014-11-06 10:01:45,343 fail2ban.actions: INFO Set banTime = 10
2014-11-06 10:01:45,370 fail2ban.jail : INFO Jail 'ssh' started
2014-11-06 10:01:45,406 fail2ban.jail : INFO Jail 'kamailio-iptables' started
2014-11-06 10:01:46,489 fail2ban.actions: WARNING [kamailio-iptables] Ban 1.1.2.12
2014-11-06 10:01:56,562 fail2ban.actions: WARNING [kamailio-iptables] Unban 1.1.2.12

We are working to include fail2ban in the next upcoming NGCP version.