Ishfaq Malik wrote:
> On Thu, 2010-10-28 at 09:41 +0200, Per Jessen wrote:
>> Over the last two weeks, we have had at least two "incidents" where
>> our asterisk server got flooded (a hundred or more per second) by SIP
>> packets. Once from 114.31.50.10, second time from 173.212.200.146.
>> We became aware of the problem when bandwidth started suffering
>> because asterisk got very busy sending back replies or rejects (dunno
>> which, I didn't investigate it any further).
>> The immediate issues were dealt with by having the firewall drop
>> those packets, but I was wondering:
>>
>> 1) if anyone has seen the same problem, and
>> 2) if you've got some iptables rules for limiting inbound SIP by
>> rate? (or some such).
>>
>>
>> thanks
>> Per Jessen, Zürich
>
> Was it legitimate requests or a brute force attack? If it was a brute
> force attack have you considered using fail2ban?

It appears to be brute force, but I haven't bothered to investigate any
further. fail2ban is at best a kludge IMHO, and I don't like anything
(automatically or otherwise) modifying my firewall. Like Nortbert
suggested, I'll check the archives to see what others have done.

/Per Jessen, Zürich

--
http://www.spamchek.com/ - your spam is our business.
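
An added example, not part of the original thread: one static way to do the per-source rate limiting asked about in the original question, using the iptables `hashlimit` match. The chain name `SIP_LIMIT`, the 20/second rate and the burst of 40 are assumptions; the script only prints the rules so they can be reviewed and applied by hand.

```shell
#!/bin/sh
# Added example: static per-source rate limit for inbound SIP (UDP 5060).
# Nothing here touches the firewall; the rules are printed for review.

SIP_PORT=5060
CHAIN=SIP_LIMIT   # hypothetical chain name (assumption)

# Print the iptables commands for a per-source packet rate and burst.
# Usage: sip_ratelimit_rules <packets-per-second> <burst>
sip_ratelimit_rules() {
    rate=$1
    burst=$2
    # Reject empty or non-numeric thresholds rather than emit a broken rule.
    for v in "$rate" "$burst"; do
        case $v in
            ''|*[!0-9]*)
                echo "rate and burst must be positive integers" >&2
                return 1
                ;;
        esac
    done
    # Rule order matters:
    #  1. create the chain
    #  2. send all inbound SIP through it, ahead of existing INPUT rules
    #  3. sources within their own limit RETURN to the normal ruleset
    #  4. log a sample of the excess (itself rate limited)
    #  5. drop the rest silently, so asterisk never has to reply
    # Older iptables releases spell --hashlimit-upto as --hashlimit.
    cat <<EOF
iptables -N $CHAIN
iptables -I INPUT -p udp --dport $SIP_PORT -j $CHAIN
iptables -A $CHAIN -m hashlimit --hashlimit-name sip --hashlimit-mode srcip --hashlimit-upto $rate/second --hashlimit-burst $burst --hashlimit-htable-expire 60000 -j RETURN
iptables -A $CHAIN -m limit --limit 6/minute -j LOG --log-prefix "SIP flood: "
iptables -A $CHAIN -j DROP
EOF
}

# Defaults are assumptions; a flood of "a hundred or more per second"
# from one address exceeds them, ordinary signalling should not.
sip_ratelimit_rules "${1:-20}" "${2:-40}"
```

Because the limit is tracked per source address, one flooding host is dropped without affecting other peers, and packets under the limit still pass through whatever INPUT rules already exist.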
