
On Mon, Sep 20, 2010 at 2:19 PM, Jay Hennigan <jay at west.net> wrote: [snip]
In most cases SIP transactions are UDP, hence trivially spoofed. An attacker can generate failed registration/authentication attempts spoofed from your customer or peer IPs. Fail2ban will then lock out your legitimate traffic. [snip]
It is probably trivial to recognize a brute force attack from a single IP, as these are most prevalent, and we at least have not heard of other possible attacks such as spoofed SIP to trigger firewalls. That may become more of an issue later, if fail2ban installations become popular, or become a default included by some vendor. It might be useful to think about possible deprecation of the use of UDP for registration, or at least the requiring of a firm bidirectional acknowledgement with nonce (as in an authenticated request/acknowledgement), before a registration "attempt" can be regarded to fail or succeed.

An attacker may spoof the source IP of single packet UDP registration requests for an entirely different reason -- a blast/scatter attack. In this scenario, an attacker may blast from 1000 source addresses, 900 of those could be spoofed third party innocent IPs. It wouldn't be trivial to determine which IP address belongs to the attacker. It is still a brute force attack, but you don't know which IP is the real attacker. All fake source IPs may appear to send a similar number of requests as the real sources, in a similar pattern. The distribution pattern can conceal which nodes are the "true source" addresses, while the vast majority of the addresses are fake (truly originating from a few malicious nodes).

How do you reliably build a blacklist, if the source of communication can be arbitrarily forged by an adversary, and you cannot detect that? Someone might spoof one of your source IPs for the sole purpose of attempting to get you blacklisted. It may be a bit paranoid to expect this will happen often, but it should be anticipated. There needs to be a way to determine if the IP is spoofed or not, within the protocol itself, before you can have a truly reliable blacklist, without possibly a lot of noise and false listings.

--
-J
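The "bidirectional acknowledgement with nonce" idea from the message, as an added Python sketch that is not part of the thread: a registrar that answers every first REGISTER with a challenge bound to the claimed source address and counts an authentication failure toward a ban only once the sender echoes that nonce back, so single-packet spoofed REGISTERs never move the counter. The IP addresses, the password check and the HMAC nonce construction are constructed for the demo.

```python
import hmac
import hashlib
import secrets
from collections import Counter

SERVER_SECRET = secrets.token_bytes(32)  # hypothetical per-process secret
BAN_THRESHOLD = 3                        # confirmed failures before a ban


def make_nonce(src_ip: str) -> str:
    """Stateless challenge bound to the claimed source address (no per-client state)."""
    return hmac.new(SERVER_SECRET, src_ip.encode(), hashlib.sha256).hexdigest()[:32]


def nonce_valid(src_ip: str, nonce: str) -> bool:
    return hmac.compare_digest(make_nonce(src_ip), nonce)


class Registrar:
    def __init__(self, password_ok):
        self.password_ok = password_ok  # callable(user, response) -> bool, constructed
        self.failures = Counter()       # failures per source that proved reachability
        self.banned = set()

    def handle_register(self, src_ip, user, nonce=None, response=None):
        """Returns a SIP-like status line for one REGISTER from src_ip."""
        if src_ip in self.banned:
            return "403 Forbidden"
        if nonce is None:
            # First, credential-less REGISTER: challenge only, count nothing.
            return f"401 Unauthorized nonce={make_nonce(src_ip)}"
        if not nonce_valid(src_ip, nonce):
            # Nonce was never issued to this address: the sender never received
            # our challenge, so this packet says nothing about who sent it.
            return "401 Unauthorized (stale nonce)"
        if self.password_ok(user, response):
            return "200 OK"
        # Only here do we know something at src_ip actually received our reply.
        self.failures[src_ip] += 1
        if self.failures[src_ip] >= BAN_THRESHOLD:
            self.banned.add(src_ip)
        return "401 Unauthorized"


def simulate() -> Registrar:
    reg = Registrar(lambda user, resp: resp == "good")
    for _ in range(1000):  # constructed: spoofed single-packet blast "from" a customer IP
        reg.handle_register("198.51.100.7", "alice")
    for _ in range(5):     # constructed: a real guesser that completes the exchange
        chal = reg.handle_register("203.0.113.9", "alice")
        if "nonce=" not in chal:
            break          # already banned after BAN_THRESHOLD confirmed failures
        reg.handle_register("203.0.113.9", "alice", nonce=chal.split("nonce=")[1], response="bad")
    return reg
```

The spoofed customer address ends with zero counted failures, while the source that actually completed the round trip is the one that gets banned.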