#606 Buffer Overflow Attack? DoS Attack?

core (110)

OpenSIPs 1.8.1 on CentOS 5.8 64bit

Everything worked fine until an attack started. No one was able to register or communicate and in the log I can only see the following

Feb 2 15:29:28 sip03 /usr/sbin/opensips[20497]: ERROR:core:parse_cseq: expecting CSeq EoL
Feb 2 15:29:28 sip03 /usr/sbin/opensips[20497]: ERROR:core:parse_cseq: bad cseq
Feb 2 15:29:28 sip03 /usr/sbin/opensips[20497]: ERROR:core:get_hdr_field: bad cseq
Feb 2 15:29:28 sip03 /usr/sbin/opensips[20497]: ERROR:maxfwd:is_maxfwd_present: parsing MAX_FORWARD header failed!
Feb 2 15:29:31 sip03 /usr/sbin/opensips[20497]: ERROR:uri:check_username: Call {www,proxy}_authorize before calling check_* functions!
Feb 2 15:29:40 sip03 /usr/sbin/opensips[20486]: ERROR:uri:check_username: No authorized credentials found (error in scripts)
Feb 2 15:29:40 sip03 /usr/sbin/opensips[20492]: ERROR:uri:check_username: No authorized credentials found (error in scripts)
Feb 2 15:31:26 sip03 /usr/sbin/opensips[20499]: ERROR:core:parse_uri: bad char '@' in state 5 parsed: <sip:tine@dm> (11) / <sip:tine@dm@x.x.x.x> (25)F

And then a registration request

Feb 2 15:31:29 sip03 /usr/sbin/opensips[20502]: ERROR:core:parse_msg: message=<REGISTER sip:tilman hausherr@x.x.x.x SIP/2.0^M Via: SIP/2.0/UDP;branch=z9hG4bK-3045379966;rport^M Content-Length: 0^M From: "tilman hausherr"<sip:tilman hausherr@>; tag=74696c6d616e2068617573686572720133393033393337393433^M Accept: application/sdp^M User-Agent: friendly-scanner^M To: "tilman hausherr"<sip:tilman hausherr@x.x.x.x>^M Contact: sip:tilman hausherr@x.x.x.x^M CSeq: 1 REGISTER^M Call-ID: 660108110^M Max-Forwards: 70^M ^M >

A lot of errors and again another Registration Request

Feb 2 15:33:08 sip03 /usr/sbin/opensips[20495]: ERROR:core:parse_msg: message=<REGISTER sip:u don't know@x.x.x.x SIP/2.0^M Via: SIP/2.0/UDP;branch=z9hG4bK-2954121837;rport^M Content-Length: 0^M From: "u don't know"<sip:u don't know@x.x.x.x>; tag=7520646f6e2774206b6e6f7701383037303536343636^M Accept: application/sdp^M User-Agent: friendly-scanner^M To: "u don't know"<sip:u don't know@x.x.x.x>^M Contact: sip:u don't know@x.x.x.x^M CSeq: 1 REGISTER^M Call-ID: 3997264461^M Max-Forwards: 70^M ^M >

Is that a problem/bug in core? Is that a mistake in my script? In any case the result was Denial of Service.


  • What is the frequency of these malformed SIP requests? Can you give some estimate of CPS?

    To me it does not look like a bug but rather a VoIP security issue. If you would post it to the opensips user or develop mailing list then you would probably get a quicker answer. Don't open a bug unless you are sure it's a bug. It saves everybody's time.

    Thank you.

  • apsaras

    This is the first time we had malformed SIP requests. Probably the attacker had something wrong in the script. I have no measurement on CPS but from the traffic shaper I see a 1Mbit traffic increase for 5 minutes.

    Probably you are right, that this is not a bug. My first impression looking at the logs was that the attacker managed to successfully register by overflowing some buffer, which is not true.

    I am sorry for wrong posting.

  • So Antonis, have you found out how your OpenSIPS got overloaded?


  • apsaras

    • status: open --> closed
  • apsaras

    No. The only thing I found was that the attacker tried to make outbound calls without registration, sending malformed SIP messages. I am not sure what he was trying to do exactly: overload the system, try a buffer overflow or just had a faulty script. The result was to have opensips overloaded just doing parsing and throwing errors in the log.

    To protect the system I am filtering now the Agent header and I am using the sanity check. Hope that's enough.