SIP Brute-Force Detector

Module for detecting brute-force attacks and username scans against the Session Initiation Protocol (SIP). It analyses SIP response traffic and is able to detect distributed brute-force attacks as well as username scans.

The module inspects the status codes returned by SIP servers and looks for "401 Unauthorized" responses to REGISTER requests. Once the number of such responses for a particular user name exceeds a threshold, an alert is generated.

The module has two output interfaces. An alert is generated only once the attack is considered to have ceased, that is, after a configurable period of time has passed since the last attack message was received; this period is set with the -f parameter. When a breach is detected, the IP address of the breached server is sent via the second output interface, where it can be consumed by TimeMachine. This is useful for collecting traffic that may serve as evidence of the attack.

The alert itself is in UniRec format. It contains vital information about the attack:

  • SBFD_EVENT_ID (uint64): unique number for this alert
  • SBFD_EVENT_TYPE (uint8): type of alert (0 - simple brute-force, 1 - distributed brute-force, 2 - user scan)
  • SBFD_TARGET (ipaddr): IP address of the targeted server
  • SBFD_SOURCE (ipaddr): IP address of the attacker
  • SBFD_USER (string): name of targeted user (can be empty in case of user scan alert)
  • SBFD_LINK_BIT_FIELD (uint64): indicator of the particular monitoring probe
  • SBFD_PROTOCOL (uint8): protocol used to perform the attack (TCP or UDP)
  • SBFD_EVENT_TIME (time): time of first attack message received
  • SBFD_CEASE_TIME (time): time of last attack message received
  • SBFD_BREACH_TIME (time): time of breach occurrence (can be 0 if the breach did not occur)
  • SBFD_ATTEMPTS (uint32): total count of attack messages received
  • SBFD_AVG_ATTEMPTS (uint32): average count of attack messages received; in case of scan, shows how many attack messages were sent to each username; in case of distributed brute-force, shows how many messages were sent by each attacker

This module is implemented on the TRAP platform, so it receives data on a TRAP input interface in UniRec format.

UniRec fields required:

  • DST_IP (ipaddr): destination IP address of the flow
  • SRC_IP (ipaddr): source IP address of the flow
  • LINK_BIT_FIELD (uint64): indicator of the particular monitoring probe
  • PROTOCOL (uint8): protocol used (TCP, UDP...)
  • TIME_FIRST (time): time of the message capture
  • SIP_MSG_TYPE (uint16): SIP message type (see flow_meter documentation)
  • SIP_STATUS_CODE (uint16): SIP status code (see flow_meter documentation)
  • SIP_CSEQ (string): 'Cseq' part of a SIP header
  • SIP_CALLING_PARTY (string): 'From' part of a SIP header

All of the UniRec fields listed above can be obtained from the flow_meter module when it is launched with the SIP plugin (-p sip).

Since this module uses TRAP, input and output interfaces need to be specified.

Usage:

./sip_bf_detector -i <trap_interfaces> <Additional parameters>

Additional parameters:

-a <num>    Number of unsuccessful authentication attempts needed to
            consider the behaviour an attack (50 by default).

-c <num>    Number of seconds between checks for ceased attacks
            (300 by default).

-d <num>    Number of clients attempting to connect to a specific user (on one
            particular server) above which the activity is considered a
            distributed brute-force attack (25 by default).

-f <num>    Number of seconds after the last attack message to consider an
            attack ceased (1800 by default).

-o <num>    Number of OK responses observed after crossing the alert threshold
            to consider the alert false and drop the communication
            (5 by default).

-s <num>    Number of extensions a specific client attempted to register as
            (on one particular server) above which the activity is considered
            a scan (5 by default).

Example:

./sip_bf_detector -i "u:voip_data_source,t:12009,t:12321" -a 50 -c 300 -f 1800

The example above receives UniRec data on a TRAP unix socket interface (voip_data_source) and uses two TRAP TCP interfaces as outputs: alerts are sent on port 12009, while TimeMachine is notified on port 12321.

Additional parameters ensure that:

  • 50 unsuccessful authentication attempts are considered as an attack (-a 50)

  • every 300 seconds (5 minutes) all ongoing attacks are checked whether they ceased or not (-c 300)

  • during every check, an attack is considered ceased if its last attack message was received more than 1800 seconds (30 minutes) before the currently processed message (-f 1800)
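The detection logic described above, as an added example written for this page and not the module's own C code: a Python replay of constructed SIP response flows that applies the -a, -d, -s, -o and -f thresholds (lowered so the small sample trips them) and emits alerts using the SBFD field names. It assumes that responses to REGISTER are recognised from the CSeq string, that the server is the response flow's SRC_IP, and that a distributed alert leaves SBFD_SOURCE empty (the page does not say what the module reports there).

```python
from collections import defaultdict
# Constructed SIP response flows (server -> client): SRC_IP is the server, DST_IP the client.
SERVER = "10.0.0.5"
FLOWS = (
    # one client, six 401s for extension 1001: simple brute-force
    [dict(SRC_IP=SERVER, DST_IP="198.51.100.9", SIP_STATUS_CODE=401, SIP_CSEQ=f"{i} REGISTER",
          SIP_CALLING_PARTY="sip:1001@10.0.0.5", TIME_FIRST=1000 + i) for i in range(6)]
    # four clients, two 401s each, all for extension 2002: distributed brute-force
    + [dict(SRC_IP=SERVER, DST_IP=f"203.0.113.{i}", SIP_STATUS_CODE=401, SIP_CSEQ=f"{j} REGISTER",
            SIP_CALLING_PARTY="sip:2002@10.0.0.5", TIME_FIRST=1100 + 2 * i + j)
       for i in range(4) for j in range(2)]
    # one client, one 401 for each of five extensions: user scan
    + [dict(SRC_IP=SERVER, DST_IP="192.0.2.7", SIP_STATUS_CODE=401, SIP_CSEQ="1 REGISTER",
            SIP_CALLING_PARTY=f"sip:{3000 + i}@10.0.0.5", TIME_FIRST=1200 + i) for i in range(5)]
)

def detect(flows, now, a=5, d=3, s=5, o=5, f=1800):
    """Replay flows; return alerts (SBFD field names) for attacks that ceased before `now`."""
    users = defaultdict(lambda: dict(attempts=0, ok=0, sources=set(), first=float("inf"), last=0))
    clients = defaultdict(lambda: dict(exts=set(), msgs=0, last=0))  # (server, client) -> scan state
    for fl in flows:
        if "REGISTER" not in fl["SIP_CSEQ"]:
            continue                                   # only responses to REGISTER matter
        srv, cli, user, t = fl["SRC_IP"], fl["DST_IP"], fl["SIP_CALLING_PARTY"], fl["TIME_FIRST"]
        st = users[(srv, user)]
        if fl["SIP_STATUS_CODE"] == 401:
            st["attempts"] += 1
            st["sources"].add(cli)
            st["first"], st["last"] = min(st["first"], t), max(st["last"], t)
            cl = clients[(srv, cli)]
            cl["exts"].add(user)
            cl["msgs"], cl["last"] = cl["msgs"] + 1, max(cl["last"], t)
        elif fl["SIP_STATUS_CODE"] == 200 and st["attempts"] >= a:
            st["ok"] += 1                              # OK after the threshold counts toward -o
    alerts = []
    for (srv, cli), cl in clients.items():            # scan: one client, many extensions
        if len(cl["exts"]) >= s and now - cl["last"] > f:
            alerts.append(dict(SBFD_EVENT_TYPE=2, SBFD_TARGET=srv, SBFD_SOURCE=cli, SBFD_USER="",
                               SBFD_CEASE_TIME=cl["last"], SBFD_ATTEMPTS=cl["msgs"],
                               SBFD_AVG_ATTEMPTS=cl["msgs"] // len(cl["exts"])))
    for (srv, user), st in users.items():             # brute-force: many 401s for one extension
        if st["attempts"] < a or st["ok"] >= o or now - st["last"] <= f:
            continue                                   # below threshold, dropped as false, or ongoing
        dist = len(st["sources"]) >= d
        alerts.append(dict(SBFD_EVENT_TYPE=1 if dist else 0, SBFD_TARGET=srv, SBFD_USER=user,
                           SBFD_SOURCE="" if dist else next(iter(st["sources"])),  # no single attacker
                           SBFD_EVENT_TIME=st["first"], SBFD_CEASE_TIME=st["last"],
                           SBFD_ATTEMPTS=st["attempts"],
                           SBFD_AVG_ATTEMPTS=st["attempts"] // len(st["sources"])))
    return alerts
```

Calling detect(FLOWS, now=5000) yields one alert of each type; with now=1300 nothing has ceased yet and no alert is produced.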

No special compilation parameters are needed. For linking, add -ltrap -lunirec -lnemea-common (the module must be compiled as part of the NEMEA repository or against the installed libtrap-devel and unirec packages).

Doxygen documentation can be generated with the make doc command.