Over the weekend I’ve seen a large increase in attempted SIP attacks. These are not targeted specifically at SysAdminMan servers, but large blocks of IP addresses are being scanned.
In this case the scans have been looking for FreePBX/Elastix/Trixbox (and similar) servers that have “Allow Anonymous Inbound SIP Calls?” set to “Yes”. This setting is on the “General Settings” tab of FreePBX.
This is sometimes switched on to allow inbound calls to your server directly to a SIP URI, maybe from a DDI/DID provider. It means that a trunk does not need to be set up to accept these calls.
However, it means that Asterisk will answer a call when a SIP INVITE is received from anywhere. Once the call has been answered the attacker can send more SIP messages, attempting to compromise the server.
I saw several machines that had the audio of the answered call ‘re-invited’ to a ‘victim’ machine, basically causing a DDoS attack on that machine.
Asterisk only answers the call for a few seconds, to tell the caller that the number they tried to reach is not valid; however, the attacker was making hundreds of attempts a minute, causing a high load on the server.
The important bit – what should you do?
If you need to have “Allow Anonymous Inbound SIP Calls?” set to “Yes” then you should create an Inbound Route with the “DID Number” and “CallerID Number” left blank and set the destination to “Terminate Call/HangUp”.
This will create an “any/any” inbound route that will drop all calls immediately that you have not set up a specific Inbound Route for.
Alternatively you can set “Allow Anonymous Inbound SIP Calls?” to “No” in the General Settings page, but you should ensure that your inbound DDI/DID numbers still work correctly after doing this.
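Whichever option you choose, it helps to know which sources are hammering the server. The script below is an added example (not from the original post and not part of FreePBX or Asterisk); it assumes Asterisk chan_sip NOTICE lines of the constructed form embedded in it, where an empty caller identity marks an anonymous call, and the thresholds are set low to suit the tiny sample rather than the hundreds per minute seen in practice.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real traffic): 192.0.2.10 floods the server with
# anonymous calls; 198.51.100.7 is a single call, as a DID provider might send.
SAMPLE_LOG = """\
[Mar 12 09:00:01] NOTICE[2048] chan_sip.c: Call from '' (192.0.2.10:5060) to extension '0011441234567' rejected because extension not found in context 'from-sip-external'.
[Mar 12 09:00:02] NOTICE[2048] chan_sip.c: Call from '' (192.0.2.10:5060) to extension '0011441234568' rejected because extension not found in context 'from-sip-external'.
[Mar 12 09:00:02] NOTICE[2048] chan_sip.c: Call from '' (192.0.2.10:5060) to extension '0011441234569' rejected because extension not found in context 'from-sip-external'.
[Mar 12 09:00:03] NOTICE[2048] chan_sip.c: Call from '' (192.0.2.10:5060) to extension '0011441234570' rejected because extension not found in context 'from-sip-external'.
[Mar 12 09:00:15] NOTICE[2048] chan_sip.c: Call from '' (198.51.100.7:5060) to extension '441632960123' rejected because extension not found in context 'from-sip-external'.
[Mar 12 09:01:30] NOTICE[2048] chan_sip.c: Call from '' (192.0.2.10:5060) to extension '0011441234571' rejected because extension not found in context 'from-sip-external'.
"""

# Assumed log layout: timestamp, NOTICE, chan_sip.c, caller identity, source IP, extension.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Call from '(?P<caller>[^']*)' \((?P<ip>[\d.]+):\d+\) to extension '(?P<exten>[^']*)'"
)

def parse_anonymous_calls(log_text):
    """Return {source_ip: [timestamps]} for calls whose caller identity is empty."""
    calls = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("caller") == "":
            calls[m.group("ip")].append(datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"))
    return calls

def flag_scanners(log_text, max_calls=3, window_seconds=60):
    """Return {ip: peak_count} for IPs that send more than max_calls anonymous
    calls inside any sliding window of window_seconds."""
    flagged = {}
    for ip, times in parse_anonymous_calls(log_text).items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_calls:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, count in flag_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {count} anonymous calls within 60s, threshold exceeded")
```

Run it against /var/log/asterisk/full (or wherever your distribution writes Asterisk's log) and feed the flagged addresses to your firewall or fail2ban rules.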