On Thu, 28 Oct 2010, Norbert Zawodsky wrote:
Am 28.10.2010 12:14, schrieb Per Jessen:
Ishfaq Malik wrote:
On Thu, 2010-10-28 at 09:41 +0200, Per Jessen wrote:
Over the last two weeks, we have had at least two "incidents" where
our asterisk server got flooded (a hundred or more per second) by SIP
packets. Once from 114.31.50.10, second time from 173.212.200.146.
We became aware of the problem when bandwidth started suffering
because asterisk got very busy sending back replies or rejects (dunno
which, I didn't investigate it any further).
The immediate issues were dealt with by having the firewall drop
those packets, but I was wondering:
1) if anyone has seen the same problem, and
This is not new - just Read The Fine Archives. Been going on for years.
You're not the first, not the last.
Google for sipvicious.
2) if you've got some iptables rules for limiting inbound SIP by
rate? (or some such).
thanks
Per Jessen, Zürich
Was it legitimate requests or a brute force attack? If it was a brute
force attack have you considered using fail2ban?
It appears to be brute force, but I haven't bothered to investigate any
further. fail2ban is at best a kludge IMHO, and I don't like anything
(automatically or otherwise) modifying my firewall. Like Norbert
suggested, I'll check the archives to see what others have done.
/Per Jessen, Zürich
Per,
(didn't want to be unfriendly to you !!!!!)
As you say, "you don't like anything to modify your firewall". My words !
Someone (don't remember who & when) on this list showed me a very clever
trick (=iptables rule) to drop the packets if too many of them arrive
within a given period of time. Works really great !!!!!
Possibly me - I did post something - you might want to look at
http://unicorn.drogon.net/firewall2
An issue I've found with this is that while it works to protect
your asterisk box, it does take up a considerable amount of CPU/kernel
time to process - so running on embedded hardware isn't a good idea.
There are other things you need to do too - but do get the sipvicious
source code - it has a crash program in it - however I'm finding that this
works less and less now because the criminals who're trying to steal your
VoIP minutes have upgraded - however the upgrade is a little nicer when
you firewall it out.
And do make sure you have
alwaysauthreject=yes
in the [general] section of sip.conf. Most of the time that will protect
you as the criminals will do a single pass to try to identify accounts
that are valid, then find none, then move on.
Sometimes they don't though and use the 'force' option in sipvicious. Then
you're SOL....
Gordon
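Added example for this thread (not Gordon's drogon.net firewall2 script and not
anything posted on the list): a small POSIX sh script that covers both Per's
question 2) and Gordon's sip.conf advice. It emits iptables rules that rate-limit
inbound SIP per source address with the `hashlimit` match, so a host sending a
hundred packets a second is dropped in the kernel before asterisk answers it, and
it checks that `alwaysauthreject=yes` really sits in the `[general]` section of
sip.conf. Assumptions: SIP on UDP/5060, an iptables with the `hashlimit` and
`limit` matches, and a chain name (`SIP_LIMIT`) and thresholds chosen here for
illustration.

```shell
#!/bin/sh
# Added example, not from the thread: per-source rate limiting of inbound SIP
# with iptables hashlimit, plus a check of alwaysauthreject in sip.conf.
# Assumptions: SIP on UDP/5060, iptables with the hashlimit and limit matches,
# chain name and thresholds are our own choice.

SIP_PORT="${SIP_PORT:-5060}"
SIP_RATE="${SIP_RATE:-10/sec}"   # sustained packets/sec allowed per source address
SIP_BURST="${SIP_BURST:-20}"     # packets a source may send before the limit bites
IPT="${IPT:-iptables}"

# Emit the iptables commands for a SIP_LIMIT chain. A phone or trunk stays under
# its per-source bucket; a scanner hammering the port is dropped in the kernel,
# so asterisk never spends bandwidth on replies or rejects.
sip_rate_limit_rules() {
    cat <<EOF
$IPT -N SIP_LIMIT
$IPT -A SIP_LIMIT -m hashlimit --hashlimit-name sip-src --hashlimit-mode srcip --hashlimit-upto $SIP_RATE --hashlimit-burst $SIP_BURST -j RETURN
$IPT -A SIP_LIMIT -m limit --limit 1/min -j LOG --log-prefix "SIP flood: "
$IPT -A SIP_LIMIT -j DROP
$IPT -I INPUT -p udp --dport $SIP_PORT -j SIP_LIMIT
EOF
}

# Exit 0 if the [general] section of the given sip.conf sets alwaysauthreject=yes,
# 1 otherwise. Handles "key = value", "key => value" and trailing ; comments, and
# ignores the same key inside a peer section, where it would not have the
# intended global effect.
check_alwaysauthreject() {
    awk '
        /^[[:space:]]*;/ { next }                      # comment line
        /^[[:space:]]*\[/ {                            # section header
            sect = $0
            sub(/^[[:space:]]*\[/, "", sect); sub(/\].*/, "", sect)
            next
        }
        sect == "general" {
            line = $0; sub(/;.*/, "", line)            # strip trailing comment
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
            sub(/^>/, "", val)                         # "key => value" form
            if (key == "alwaysauthreject" && tolower(val) == "yes") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

case "${1:-print}" in
    print) sip_rate_limit_rules ;;                 # dry run: show the rules
    apply) sip_rate_limit_rules | sh -e ;;         # install them (needs root)
    check) check_alwaysauthreject "${2:-/etc/asterisk/sip.conf}" \
               && echo "alwaysauthreject=yes is set in [general]" \
               || { echo "alwaysauthreject is NOT yes in [general]"; exit 1; } ;;
esac
```

Run it with no argument to print the rules, `apply` to install them, or
`check /etc/asterisk/sip.conf` to verify the setting. The jump is inserted at the
top of INPUT so it sits before any rule that already accepts port 5060. The
hashlimit match keeps a per-source table in the kernel, which is the same kind of
CPU cost Gordon mentions, so the rate and burst are deliberately set high enough
that a normal registration storm after a reboot passes while a flood does not.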
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users