Fortigate router, and security attacks

shimi linux-il at shimi.net
Tue Oct 23 19:52:50 IST 2012


On Tue, Oct 23, 2012 at 7:40 PM, ik <idokan at gmail.com> wrote:

> > If so - are you sure they're _attacking_ you? Absolutely positive that
> > what you're seeing is NOT returning packets for packets that have
> > originated from YOUR network? (could be internal computers with malware...)
>
> I see the automated scanners in the log, trying to do stuff, but they
> are very narrow scans for specific tasks of specific servers.
> For example attempting to connect to SIP extensions on Asterisk and trying
> to dial.
>
I can only answer the scenarios you're giving. So I'll have to start
with SIP.

SIP as a protocol has a feature that allows you to re-route the RTP stream
on the fly between different endpoints.

Common case I can think of:

* Your Asterisk box is connecting to an external SIP termination service;
* Your Asterisk has canreinvite=1 for endpoints.
* You start a call to a number that belongs to the SIP termination service
trunk
* The call is answered
* If the endpoint can reach the Internet, there's really no point in
sending all the RTP traffic through Asterisk (unless it's doing MeetMe
conferencing, IVR et al...)
* SIP renegotiates the streams to go directly from your endpoint to the
media gateway on the other side
* Your firewall is SIP aware, reads the traffic, allows RTP to 'punch a
hole through the firewall' - even though you have no specific rule. (search
for SIP ALG (=Application Level Gateway) in your FW settings)
* The RTP stream could look like an attack attempt of "UDP traffic at a
random high port number"...

Does that make sense?

-- Shimi
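The check a firewall admin would want after reading the above is to tell re-INVITEd RTP apart from real scanning: pull the media address and port out of the SDP body of the re-INVITE, then match the "UDP at a random high port" log entries against it. The script below is an added example and is not code from the post or the thread; the SIP re-INVITE, the key=value log lines, the documentation-range IP addresses and the assumption that RTCP uses port+1 are all constructed for the example (the real FortiGate log format is not shown on the page).

```python
import re
from typing import Dict, List, Tuple

# Constructed SIP re-INVITE with an SDP body, modelled on the direct-media
# renegotiation described in the post. The remote media gateway
# (203.0.113.45, a documentation address, assumed) announces where it wants RTP.
SIP_REINVITE = (
    "INVITE sip:1001@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-example\r\n"
    "From: <sip:+15551234567@198.51.100.7>;tag=a1\r\n"
    "To: <sip:1001@192.0.2.10>;tag=b2\r\n"
    "Call-ID: example-call-1\r\n"
    "CSeq: 2 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=gw 1 2 IN IP4 203.0.113.45\r\n"
    "s=-\r\n"
    "c=IN IP4 203.0.113.45\r\n"
    "t=0 0\r\n"
    "m=audio 31000 RTP/AVP 0 8\r\n"
)

# Constructed firewall log lines in a generic key=value syslog style
# (assumed layout; not the real FortiGate format). Two lines are the RTP/RTCP
# from the gateway above, two are SIP signalling, one is an unrelated probe.
FW_LOG = [
    "2012-10-23T19:40:01 proto=UDP src=203.0.113.45 sport=31000 dst=192.0.2.10 dport=18000 action=accept",
    "2012-10-23T19:40:01 proto=UDP src=203.0.113.45 sport=31001 dst=192.0.2.10 dport=18001 action=accept",
    "2012-10-23T19:41:17 proto=UDP src=198.51.100.7 sport=5060 dst=192.0.2.10 dport=5060 action=accept",
    "2012-10-23T19:42:03 proto=UDP src=203.0.113.99 sport=5060 dst=192.0.2.10 dport=5060 action=deny",
    "2012-10-23T19:42:40 proto=UDP src=203.0.113.99 sport=40000 dst=192.0.2.10 dport=22222 action=deny",
]

LOG_RE = re.compile(r"proto=(\w+) src=(\S+) sport=(\d+) dst=(\S+) dport=(\d+)")


def sdp_media_endpoints(sip_msg: str) -> List[Tuple[str, int]]:
    """Return (ip, rtp_port) for each media stream in a SIP message's SDP body.

    A session-level c= line applies to every m= line that follows unless a
    media-level c= overrides it. An m= line with port 0 is a rejected stream.
    """
    _head, sep, body = sip_msg.partition("\r\n\r\n")
    if not sep:
        return []
    session_ip = None
    streams: List[Tuple[str, int]] = []
    current = None  # index of the m= line a media-level c= would apply to
    for line in body.splitlines():
        if line.startswith("c="):
            ip = line.split()[2]
            if current is None:
                session_ip = ip
            else:
                streams[current] = (ip, streams[current][1])
        elif line.startswith("m="):
            streams.append((session_ip, int(line.split()[1])))
            current = len(streams) - 1
    return [(ip, port) for ip, port in streams if ip and port]


def expected_media_sources(endpoints: List[Tuple[str, int]]) -> set:
    """RTP comes from the advertised port and RTCP from port+1 (assumed: the
    default pairing when the SDP carries no a=rtcp attribute)."""
    sources = set()
    for ip, port in endpoints:
        sources.add((ip, port))
        sources.add((ip, port + 1))
    return sources


def classify_udp_log(lines: List[str], endpoints: List[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Bucket UDP log entries: media negotiated by re-INVITE, SIP signalling, or the rest."""
    media = expected_media_sources(endpoints)
    result: Dict[str, List[str]] = {"rtp_from_reinvite": [], "sip_signalling": [], "unexplained": []}
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group(1).upper() != "UDP":
            continue
        src, sport, dport = m.group(2), int(m.group(3)), int(m.group(5))
        key = f"{src}:{sport}"
        if (src, sport) in media:
            result["rtp_from_reinvite"].append(key)
        elif dport == 5060:
            result["sip_signalling"].append(key)
        else:
            result["unexplained"].append(key)
    return result


if __name__ == "__main__":
    eps = sdp_media_endpoints(SIP_REINVITE)
    for bucket, entries in classify_udp_log(FW_LOG, eps).items():
        print(f"{bucket}: {entries}")
```

Run against a capture of the re-INVITE (tcpdump on port 5060 will show it in clear) and the firewall's UDP log for the same minute; whatever lands in "unexplained" is what is left to treat as scanning once the ALG-opened media is accounted for.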