My Voice-over-IP to analog gate is fully visible on the net, because I like it if people with working SIP phones can directly call me without going through any commercial provider at all.
That's all fine and well, except when folks start hammering my systems with sipvicious/friendly-scanner: the damn thing doesn't wait and listen for responses but rather blasts out gazillions of (doomed) REGISTER or OPTIONS messages.
Here's my fix for this annoyance: if an inbound SIP message looks like REGISTER or OPTIONS, drop it. I don't run any VOIP server, so nobody is supposed to register with me, ever.
That's actually pretty straightforward to achieve with iptables:
iptables -A INPUT -p udp --dport 5060 ! -f -m u32 \
    --u32 "0>>22&0x3C@8=0x52454749,0x4f505449" -j DROP
The u32 match module is low-level but really efficient and precise, and this cryptic instance will simply look for REGI or OPTI at the beginning of the UDP packet payload: "0>>22&0x3C" reads the IP header length (IHL times 4) out of the first 32-bit word, "@8" moves the base to the end of that header and skips the 8-byte UDP header, and the four bytes found there are compared against 0x52454749 ("REGI") and 0x4f505449 ("OPTI"). The "! -f" keeps non-first fragments out of the match, since they carry no UDP header to offset from. The iptables string match isn't as flexible, and could quite easily wrongly match the words in the body of the request (and SIP responses are pretty verbose and full of echoes...).
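To take the mystery out of the expression, here is an added Python model (not code from the original post) that evaluates the same u32 logic over a constructed IPv4/UDP datagram, and sets it beside a plain substring match to show where the latter would misfire. The SIP URIs and headers in the sample packets are constructed for the demonstration.

```python
import struct

REGI = 0x52454749  # big-endian bytes of "REGI"
OPTI = 0x4F505449  # big-endian bytes of "OPTI"


def build_ipv4_udp(payload: bytes, ihl_words: int = 5) -> bytes:
    """Build a minimal IPv4+UDP datagram (constructed test data, not captured traffic).

    ihl_words > 5 simulates IP options, which is exactly the case a fixed-offset
    rule would get wrong and the IHL-derived offset gets right.
    """
    ip_hdr_len = ihl_words * 4
    udp_len = 8 + len(payload)
    ip = bytearray(ip_hdr_len)                  # options area (if any) left as zero padding
    ip[0] = (4 << 4) | ihl_words                # version 4, header length in 32-bit words
    struct.pack_into("!H", ip, 2, ip_hdr_len + udp_len)
    ip[9] = 17                                  # protocol UDP
    udp = struct.pack("!HHHH", 5060, 5060, udp_len, 0)  # src port, dst port, length, checksum
    return bytes(ip) + udp + payload


def u32_sip_request_match(packet: bytes) -> bool:
    """Evaluate the rule's u32 expression: 0>>22&0x3C@8=0x52454749,0x4f505449."""
    if len(packet) < 4:
        return False
    word0 = struct.unpack_from("!I", packet, 0)[0]
    ip_hdr_len = (word0 >> 22) & 0x3C           # IHL nibble shifted into place and times 4
    off = ip_hdr_len + 8                        # '@' rebases to the IP payload; +8 skips UDP header
    if off + 4 > len(packet):
        return False                            # u32 reports no match when the read runs off the end
    first_word = struct.unpack_from("!I", packet, off)[0]
    return first_word in (REGI, OPTI)


def naive_string_match(packet: bytes) -> bool:
    """What a whole-packet substring rule would do: match the words anywhere."""
    return b"REGISTER" in packet or b"OPTIONS" in packet
```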