Some tools overwhelm VoIP systems by sending fake authorization attempts to them without ever responding to the challenge request that is used in SIP. One popular tool is often referred to as friendly scanner or SIPvicious. These types of tools keep a system busy handling bogus requests, overloading the system, making it difficult to handle real requests, and so on. Another suspicious behavior can be detected from someone trying to make long distance or international calls repeatedly within a short time period.

FreeSWITCH provides the ability to log a warning when an attempt is made to utilize credentials in the system (recognized or not). Programs such as Fail2Ban may then be used to monitor the frequency in which this logline is produced. If the frequency hits a threshold where the traffic is suspicious, the IP address causing the traffic can be blocked for a period of time (or permanently). It is generally considered suspicious if a large number of authorization attempts occurs from the same IP address within a relatively short period of time.

To ensure that a warning is generated when FreeSWITCH receives an invalid authentication attempt, you can modify your SIP profiles and include the following setting:

<param name="log-auth-failures" value="true"/> 

A log line will be generated for authentication attempts that looks as follows:

[WARNING] SIP auth challenge (REGISTER) on sofia profile 'customer_access' for [[email protected]] from ip 184.106.157.100

These warnings will be counted automatically by Fail2Ban and when they hit a configured threshold the IP address 184.106.157.100 will be blocked.