SIP scanning attacks – FreePBX – Allow Anonymous

Over the weekend I’ve seen a large increase in attempted SIP attacks. These are not targeted specifically at SysAdminMan servers, but large blocks of IP addresses are being scanned.

What the scans are looking for in this case, on FreePBX/Elastix/Trixbox and similar Asterisk-based systems, is servers that have “Allow Anonymous Inbound SIP Calls?” set to “Yes”. This setting is on the “General Settings” tab of FreePBX.

(Screenshot: the “Allow Anonymous Inbound SIP Calls?” option on the FreePBX General Settings tab – image allow_anonymous_SIP_inbound)

This is sometimes switched on to allow inbound calls to be delivered directly to a SIP URI on your server, for example from a DDI/DID provider, without a trunk having to be set up to accept them.

However, it also means that Asterisk will accept a call from any source, with no authentication, whenever a SIP INVITE arrives. Once the call has been accepted into the dialplan the attacker can send further SIP messages on that call, attempting to compromise the server.

I saw several machines that had the audio of the answered call ‘re-invited’ to a ‘victim’ machine, basically causing a DDoS attack on that machine.

Asterisk answers the call only for a few seconds, to tell the caller that the number they tried to reach is not valid. However, the attacker was making hundreds of attempts a minute, and answering every one of them caused a high load on the server.
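The pattern above (one source address firing anonymous INVITEs at many different numbers, many times a minute) is easy to spot in the Asterisk “full” log. The script below is an added example written for this post, not code from the original post or from FreePBX. It assumes the log line that FreePBX’s from-sip-external context emits for an anonymous call (“Received incoming SIP connection from unknown peer to …”), a channel name of the form SIP/&lt;source IP&gt;-&lt;id&gt;, and a logger dateformat of %F %T; the sample log lines and the IP addresses in it are constructed, and the threshold is an arbitrary assumption to tune for your own traffic.

```python
"""Flag SIP scanners hitting a FreePBX box with anonymous INVITEs.

Added example; not from the original post or from FreePBX. The log line
format below is an assumption based on FreePBX's from-sip-external
dialplan NoOp and Asterisk's SIP/<ip>-<id> naming for guest channels.
Adjust EVENT_RE if your logger.conf dateformat or dialplan differ.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in Asterisk 'full' style (dateformat=%F %T).
# 203.0.113.7 stands in for a DID provider delivering two real calls;
# 198.51.100.23 is a scanner walking extensions within a single minute.
LINE = ('[{ts}] VERBOSE[1234] pbx.c:     -- Executing [{exten}@from-sip-external:1] '
        'NoOp("SIP/{ip}-{uid:08x}", "Received incoming SIP connection from unknown peer to {exten}") in new stack')

SAMPLE_LINES = [
    LINE.format(ts="2011-04-10 09:00:01", exten="441234567890", ip="203.0.113.7", uid=0x1a),
    LINE.format(ts="2011-04-10 09:03:40", exten="441234567891", ip="203.0.113.7", uid=0x1b),
] + [
    # 30 anonymous INVITEs to 30 different numbers inside 09:01 (constructed)
    LINE.format(ts="2011-04-10 09:01:{:02d}".format(s), exten=str(1000 + s),
                ip="198.51.100.23", uid=0x100 + s)
    for s in range(0, 60, 2)
] + [
    # Unrelated noise: a failed registration, which this detector must ignore
    "[2011-04-10 09:02:00] NOTICE[1234] chan_sip.c: Registration from '<sip:100@pbx>' "
    "failed for '198.51.100.23' - No matching peer found",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# Matches only the from-sip-external NoOp for an anonymous (guest) call and
# pulls out the timestamp, the dialled number and the source IP.
EVENT_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] VERBOSE\[\d+\] pbx\.c: +-- Executing '
    r'\[(?P<exten>[^@\]]+)@from-sip-external:\d+\] '
    r'NoOp\("SIP/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-[0-9a-f]+", '
    r'"Received incoming SIP connection from unknown peer to ')


def parse_anonymous_invites(log_text):
    """Return a list of (timestamp, source_ip, dialled_number) for each
    anonymous INVITE the dialplan accepted. Non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("exten")))
    return events


def flag_scanners(events, per_minute=10):
    """Bucket anonymous INVITEs per source IP per clock minute and report
    every IP whose busiest minute exceeds `per_minute` (an assumed
    threshold). The report also gives how many distinct numbers the IP
    tried, which separates an enumerating scanner from a busy provider."""
    per_bucket = defaultdict(int)      # (ip, minute) -> INVITE count
    numbers = defaultdict(set)         # ip -> distinct dialled numbers
    totals = defaultdict(int)          # ip -> all INVITEs seen
    for ts, ip, exten in events:
        per_bucket[(ip, ts.replace(second=0, microsecond=0))] += 1
        numbers[ip].add(exten)
        totals[ip] += 1

    peak = defaultdict(int)
    for (ip, _minute), count in per_bucket.items():
        peak[ip] = max(peak[ip], count)

    return {
        ip: {"peak_per_minute": peak[ip],
             "distinct_numbers": len(numbers[ip]),
             "total": totals[ip]}
        for ip in peak if peak[ip] > per_minute
    }


if __name__ == "__main__":
    for ip, stats in sorted(flag_scanners(parse_anonymous_invites(SAMPLE_LOG)).items()):
        print(ip, stats)
```

Run it against a real log with `parse_anonymous_invites(open("/var/log/asterisk/full").read())`. Counting only the from-sip-external NoOp, rather than every chan_sip NOTICE, is deliberate: it measures exactly the calls the “Allow Anonymous” setting let in, which is the load the post describes, and a provider sending a handful of calls a minute stays below the threshold while a scanner walking extension numbers does not.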

The important bit – what should you do?

If you need to have “Allow Anonymous Inbound SIP Calls?” set to “Yes” then you should create an Inbound Route with both the “DID Number” and “CallerID Number” fields left blank, and set its destination to “Terminate Call” / “Hangup”.

This creates an “any/any” inbound route that immediately drops every call for which you have not set up a specific Inbound Route, so unmatched calls are hung up rather than answered.

Alternatively you can set “Allow Anonymous Inbound SIP Calls?” to “No” on the General Settings page, but make sure your inbound DDI/DID numbers still work correctly after doing this, since calls that previously arrived anonymously will now need a matching trunk.

3 thoughts on “SIP scanning attacks – FreePBX – Allow Anonymous”

  1. matt (Post author)

    Thanks for the tip Geert. Probably a little complex for most to set up, but could be useful to some people. Cheers, Matt.

  2. Colinh

    Thanks Matt – All done. I did this a while ago, but it’s a good idea to keep us on our toes – Thanks – Colin.
