the myIT blog

Mitigating a DOS or DDOS attack on SIP – Part 2, Automation

After reviewing several good targeted blocking methods for "bad behavior"; meth0ds including fail2ban,  denyhosts,  block countries,  and others. I have determined the best approach for our customer sites is "Snort", especially if you are already running pfSense!

For users of pfSense, this is a simple install (System>Packages>snort, ADD).

It is probably pretty clear to say SNORT is a very full featured package. I have my own "oinkcode" which allows the basic rules (they also have a paid ruleset) to download to the system, and you can shoose what type of emerging threat(s) to protect yourself against.

"It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients."

I add the Snort Dashboard widget from within pfsense to get alerts when I login to pfSense's portal.  If you decide to try this, I'd suggest getting an "oinkcode", which will allow you to download basic rules and signatures for free. If Snort is new to you, it might be a good idea to read the documentation on Snort's website, and peruse the pfSense forum.

If I get enough feedback I will consider a quick tutorial on a snort how-to for sipx behind pfsense, but it is straightforward enough in the snort interface/servers area to adjust the ssl ports to include 8443 for the sipx web user interface if you have that opened and to make sure that the categories pfsense-voip.rules and snort-voip.rules have been activated at a minimum to protect yourself against SIP attacks.

While I have another project that is ongoing that allows blocking by certain user-agents (i.e., sipvicious), it has become clear in the past few weeks that these type of attacks are transforming and now say "AsteriskPBX", which means a better IDS system is needed. Fail2ban uses iptables, but pfSense can do all of this with Snort (and more). I find the logging simpler and easier to read from the dashboard widget too. Unfortunately the newer attacks become stateless and harder to stop. The first of  article (part 1) is the best first step, because it really minimizes your exposure quite quickly.

I also plan to implement the BLOCK IP package in pfSense using with a cron job to automatically refresh the block list data. Right now I convert the IP list to the danguardian2 format and fetch it from my servers at