[VOIPSEC] Attacks in the wild: brute force password hacking
Hendrik Scholz
hscholz at raisdorf.net
Mon May 29 09:27:43 CDT 2006
Hi Dan!
Dan Wing wrote:
> DenyHosts <http://denyhosts.sourceforge.net> can monitor failed ssh
> authorization attempts and deny access from IP addresses that exceed
> certain thresholds. It is pretty effective at its job.
>
> A *similar* technique would undoubtedly be valuable to handle the
> attacks you're seeing.
Both OpenSER and Iptel SER have a module named PIKE [0] which allows
blocking of incoming requests based on thresholds.
Obviously it's fault-prone in dialup-environments and may lead to
blocking off legitimate users as you wrote.
We've added Retry-After support to UACs and UASs to keep the
traffic down. Repeated incoming requests are thus most likely to
come either from attackers (or devices that don't support Retry-After).
Simply graphing the ratio between REGISTER and various responses
aids in graphically identifying attacks.
Cheers,
Hendrik
0: http://openser.org/docs/modules/1.0.x/pike.html
--
Hendrik Scholz - <hscholz at raisdorf.net> - http://www.wormulon.net/
drag me, drop me - treat me like an object
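
The REGISTER-to-response ratio mentioned in the message above, computed per minute, as an added example that is not part of the original post or of SER/OpenSER. The two-column log format ("HH:MM:SS" followed by REGISTER or the status code of a REGISTER response), the sample data and the threshold of 4.0 are assumptions made for illustration.

```python
from collections import Counter, defaultdict

def per_minute_counts(lines):
    """Count REGISTER requests and REGISTER response codes per minute."""
    buckets = defaultdict(Counter)
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        timestamp, event = parts
        buckets[timestamp[:5]][event] += 1  # "HH:MM" bucket
    return dict(buckets)

def register_ratios(lines):
    """REGISTERs per 200 OK for each minute (the series one would graph)."""
    ratios = {}
    for minute, c in sorted(per_minute_counts(lines).items()):
        # A digest-authenticated registration costs two REGISTERs per 200
        # (401 challenge, then the retry), so the quiet baseline is about 2.
        ratios[minute] = c["REGISTER"] / max(c["200"], 1)
    return ratios

def suspicious_minutes(lines, max_ratio=4.0):
    """Minutes whose ratio exceeds max_ratio (assumed threshold, tune locally)."""
    return [m for m, r in register_ratios(lines).items() if r > max_ratio]

def constructed_sample():
    """Constructed log: two quiet minutes, then one with many failed REGISTERs."""
    ok = ["REGISTER", "401", "REGISTER", "200"]  # one normal registration
    lines = []
    for minute, clients, failures in (("10:00", 3, 0), ("10:01", 2, 0), ("10:02", 1, 40)):
        for i in range(clients):
            lines += [f"{minute}:{i:02d} {e}" for e in ok]
        for i in range(failures):
            lines += [f"{minute}:{i % 60:02d} REGISTER", f"{minute}:{i % 60:02d} 401"]
    return lines

if __name__ == "__main__":
    # Crude text graph: one '#' per unit of ratio
    for minute, ratio in register_ratios(constructed_sample()).items():
        print(minute, f"{ratio:.1f}", "#" * int(ratio))
```

Because the first REGISTER of a normal digest registration is always answered with 401, counting 401s alone overstates failures; dividing by successful 200 responses keeps the quiet baseline flat.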