[VOIPSEC] Attacks in the wild: brute force password hacking
dwing at cisco.com
Wed May 24 08:56:59 BST 2006
John, thanks for your detailed description of the attack you have been
> A more complete solution has been discussed which would involve a
> dampening system that would slow replies (or ignore requests) for
> any authentication methods for individual presentities based on
> frequency of requests for that presentity or frequency of requests
> from that originating host. Are there comments on the usefulness or
> validity of such a dampening system? Has anyone deployed such a
> system already, and could you speak to the results of such a method?
DenyHosts <http://denyhosts.sourceforge.net> can monitor failed ssh
authorization attempts and deny access from IP addresses that exceed
certain thresholds. It is pretty effective at its job.
A *similar* technique would undoubtedly be valuable to handle the
attacks you're seeing.
A complexity with SIP, however, is that an attacker might be behind a
SIP proxy that also has legitimate users. So if you block simply by
IP address -- like DenyHosts -- you would block all traffic from that
SIP proxy, including the legitimate users. If none of the legitimate
users registering with you on port 5060 is expected to share a proxy
with an attacker, this isn't a problem for you and blocking based on
IP address is enough.
More information about the Voipsec