[asterisk-dev] auto blacklisting "script kiddies"

Andrew Kohlsmith akohlsmith-asterisk at benshaw.com
Thu Apr 26 07:25:28 MST 2007


On Thursday 26 April 2007 10:08 am, Steve Kennedy wrote:
> Would it not be a good idea if Asterisk would auto-blacklist single IP
> addresses that attempted multiple SIP or other registrations?
>
> The attacks I've seen seem to be scripted and aren't particularly
> clever, so an auto back-off system or just lock from that IP address
> after a particular number of registration attempts. This could be
> specified as a config variable (as in number of attempts before lock).
>
> Locked IPs could then be manually unlocked, or unlocked after a time
> period (or in combination, locked wait some time, unlock and if more
> attempts continue, lock for a longer time period etc).
>
> This isn't going to defeat any kind of serious attack, but would deter
> the script kiddies out there. It also potentially won't work for ITSPs
> etc, but for smaller installs it could be just the solution?

Not a bad idea, but if you're running on Linux you can already do this through 
your iptables firewall, and probably through a proxy such as SER.  Personally 
I think this is by and large an item for the firewall, not the application.  

Having said that, however, I do think that Asterisk should have some kind of 
DoS protection mechanism in place which would stop responding to IPs which 
hammer it or who have failed 'x' registration/call attempts in the last 'y' 
seconds.

-A.
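
Added example, not part of either message and not Asterisk code: a sketch of the mechanism discussed in this thread, locking an IP after 'x' failed registrations within 'y' seconds, unlocking after a timeout, doubling the lock on repeat offences, and allowing a manual unlock. The class, method and parameter names are hypothetical, and timestamps are passed in explicitly (an assumption) so the behaviour is deterministic.

```python
from collections import defaultdict, deque


class RegistrationGuard:
    """Per-IP lockout after max_failures failed attempts within window seconds."""

    def __init__(self, max_failures=5, window=60, base_lock=300, max_lock=86400):
        self.max_failures = max_failures    # 'x' failed attempts
        self.window = window                # 'y' seconds
        self.base_lock = base_lock          # duration of the first lock, seconds
        self.max_lock = max_lock            # cap on the escalated lock duration
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.strikes = defaultdict(int)     # ip -> number of locks issued so far
        self.locked_until = {}              # ip -> time at which the lock expires

    def is_blocked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]  # timed unlock; strikes are remembered
            return False
        return True

    def record_failure(self, ip, now):
        """Record a failed registration; return True if the IP is locked."""
        if self.is_blocked(ip, now):
            return True
        recent = self.failures[ip]
        recent.append(now)
        # Drop failures that have aged out of the sliding window.
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) < self.max_failures:
            return False
        # Threshold reached: lock, doubling the duration for each earlier lock.
        duration = min(self.base_lock * 2 ** self.strikes[ip], self.max_lock)
        self.strikes[ip] += 1
        self.locked_until[ip] = now + duration
        recent.clear()
        return True

    def unlock(self, ip):
        """Manual unlock by an administrator; also forgets earlier strikes."""
        self.locked_until.pop(ip, None)
        self.strikes.pop(ip, None)
        self.failures.pop(ip, None)
```

Because the state is keyed on source IP, many users behind one NAT address share a single counter, which matches the caveat above about larger installs.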

