nanog mailing list archives

Re: SentryPeer: A distributed peer to peer list of bad IP addresses and phone numbers collected via a SIP Honeypot


From: Gavin Henry <ghenry () suretec co uk>
Date: Fri, 26 Nov 2021 20:25:44 +0000

On Fri, 26 Nov 2021, 18:59 Max Tulyev, <maxtul () netassist ua> wrote:

> Hi Gavin,

Hi Max,

> I thought to do something similar ;)

What stopped you creating something? Or did you? Interested :)

> As I can see in the code, you count somebody as a bad actor just because
> one UDP packet is received. It is a bad idea, because it is easy to
> spoof that packet and make a DoS against some good actor.

The next stage is to tag these probes as passive, then reply in SIP, like
you say, and allow registrations, calls etc., then mark them as aggressive.

I'm not actually replying to the packets, so no reflection attacks.

> Right way: you have to simulate a SIP dialog with this actor, i.e. reply
> to them with something and wait for the reaction. If the reaction is like
> normal SIP call processing - congratulations, you found a hacker!
> If not, like you sent them a packet they do not expect - it is a DoS and
> a spoofed packet.

Agreed!

Thank you for reading and your reply.
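The "simulate a SIP dialog before you classify" approach Max describes and Gavin agrees with, worked through as an added example. This is not SentryPeer code and not code from either poster; the realm, the header set, the documentation addresses (198.51.100.7, 203.0.113.5) and the sample REGISTER traffic are all constructed for illustration. The honeypot records the first datagram from an address only as a passive probe, answers with a 401 carrying a random nonce, and reclassifies the address as aggressive only when a follow-up in the same dialog echoes that nonce, which a spoofed source can never learn because the reply went to the victim. A per-IP cap on challenges keeps the honeypot from being turned into a reflector against the spoofed victim.

```python
"""Challenge-before-classify logic for a SIP honeypot (added example).

A single inbound UDP datagram says nothing reliable about its source
address, because that address can be spoofed. The first packet from an
address is recorded only as a "passive" probe and answered with a 401
challenge carrying a random nonce. Only a host that really received that
reply can echo the nonce back; when it does, the address is "aggressive".
"""
from __future__ import annotations

import re
import secrets
from collections import Counter
from dataclasses import dataclass
from typing import Optional

PASSIVE = "passive"
AGGRESSIVE = "aggressive"
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
# Headers a SIP response must echo; lowercase key -> canonical spelling.
ECHOED_HEADERS = {"via": "Via", "from": "From", "to": "To",
                  "call-id": "Call-ID", "cseq": "CSeq"}


@dataclass
class SipRequest:
    method: str
    uri: str
    headers: dict  # lowercase header name -> value


def parse_request(raw: bytes) -> Optional[SipRequest]:
    """Parse request line and headers; None for responses, junk or truncation."""
    try:
        head = raw.decode("utf-8").partition("\r\n\r\n")[0]
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    if any(h not in headers for h in ECHOED_HEADERS):
        return None
    return SipRequest(m.group(1), m.group(2), headers)


def extract_nonce(reply: Optional[bytes]) -> Optional[str]:
    """Pull the nonce out of a 401 reply, as a real SIP client would."""
    m = re.search(rb'nonce="([0-9a-f]+)"', reply or b"")
    return m.group(1).decode() if m else None


class SipHoneypot:
    """One verdict per source IP, one outstanding nonce per (IP, Call-ID)."""

    def __init__(self, realm: str = "honeypot.example", max_challenges: int = 5):
        self.realm = realm                              # assumed realm name
        self.max_challenges = max_challenges            # reply cap per IP
        self.pending: dict[tuple[str, str], str] = {}   # (ip, Call-ID) -> nonce
        self.challenges: Counter = Counter()            # ip -> challenges sent
        self.verdict: dict[str, str] = {}               # ip -> PASSIVE/AGGRESSIVE

    def handle(self, src_ip: str, raw: bytes) -> Optional[bytes]:
        """Process one datagram and return the reply to send back, if any."""
        req = parse_request(raw)
        if req is None:
            return None
        key = (src_ip, req.headers["call-id"])
        expected = self.pending.get(key)
        if expected and f'nonce="{expected}"' in req.headers.get("authorization", ""):
            # Sender knows a nonce we only ever sent to this address and is
            # continuing the dialog: the address is real and actively attacking.
            self.verdict[src_ip] = AGGRESSIVE
            del self.pending[key]
            return self._reply(req, "403 Forbidden")
        # First contact, or a follow-up without our nonce: passive probe only.
        self.verdict.setdefault(src_ip, PASSIVE)
        if self.challenges[src_ip] >= self.max_challenges:
            return None  # stop answering; the address may be a spoofed victim
        self.challenges[src_ip] += 1
        nonce = secrets.token_hex(8)
        self.pending[key] = nonce
        return self._reply(req, "401 Unauthorized",
                           f'WWW-Authenticate: Digest realm="{self.realm}", nonce="{nonce}"')

    def _reply(self, req: SipRequest, status: str, extra: Optional[str] = None) -> bytes:
        lines = [f"SIP/2.0 {status}"]
        lines += [f"{canon}: {req.headers[h]}" for h, canon in ECHOED_HEADERS.items()]
        if extra:
            lines.append(extra)
        lines.append("Content-Length: 0")
        return ("\r\n".join(lines) + "\r\n\r\n").encode()


# Constructed sample traffic (not captured data), using documentation addresses.
PROBE = (b"REGISTER sip:honeypot.example SIP/2.0\r\n"
         b"Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1\r\n"
         b"From: <sip:100@honeypot.example>;tag=a1\r\n"
         b"To: <sip:100@honeypot.example>\r\n"
         b"Call-ID: c1@198.51.100.7\r\n"
         b"CSeq: 1 REGISTER\r\n"
         b"Content-Length: 0\r\n\r\n")


def with_auth(probe: bytes, nonce: str) -> bytes:
    """The follow-up a real client sends after a 401: same Call-ID, CSeq+1,
    plus an Authorization header quoting the nonce it was given."""
    auth = (f'Authorization: Digest username="100", realm="honeypot.example", '
            f'nonce="{nonce}", response="00"\r\n').encode()
    return probe.replace(b"CSeq: 1 ", b"CSeq: 2 ")[:-2] + auth + b"\r\n"


def demo() -> dict[str, str]:
    hp = SipHoneypot()
    # A real scanner receives the 401, learns the nonce and keeps going.
    nonce = extract_nonce(hp.handle("198.51.100.7", PROBE))
    hp.handle("198.51.100.7", with_auth(PROBE, nonce))
    # A spoofed probe: our 401 goes to the victim, which never continues the
    # dialog, and anyone re-spoofing that address can only guess the nonce.
    victim = PROBE.replace(b"198.51.100.7", b"203.0.113.5")
    hp.handle("203.0.113.5", victim)
    hp.handle("203.0.113.5", with_auth(victim, "0000000000000000"))
    return dict(hp.verdict)


if __name__ == "__main__":
    print(demo())  # {'198.51.100.7': 'aggressive', '203.0.113.5': 'passive'}
```

Replies are built only from headers echoed back from the probe plus a short status line, and the `max_challenges` cap stops answering an address that keeps probing without ever completing the dialog, so a flood of spoofed packets cannot amplify much traffic toward the victim. Real deployments would also expire `pending` entries after a few seconds and treat the Digest `response` value as an additional signal; that part is left out here.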