[asterisk-users] Flood of REGISTERs - attack?

Chris Hastie lists at oak-wood.co.uk
Mon Apr 12 15:50:32 CDT 2010


I'm currently receiving over 200 SIP REGISTER requests per second from a
machine apparently in Italy, host97-239-149-62.serverdedicati.aruba.it.
This has continued for several days, and abuse at staff.aruba.it are
unresponsive. I've had a couple of similar incidents recently, the
others originating from uk2.net.

I have an ADSL connection and responding to these REGISTERs was
consuming all my outbound bandwidth. I am now dropping the packets but
still some 600kbps of inbound bandwidth is consumed by this. The packets
look something like this:

REGISTER sip:62.3.200.113 SIP/2.0
Via: SIP/2.0/UDP 62.149.239.97:5086;branch=z9hG4bK-2570753370;rport
Content-Length: 0
From: "test" <sip:test@62.3.200.113>
Accept: application/sdp
User-Agent: friendly-scanner
To: "test" <sip:test@62.3.200.113>
Contact: sip:123@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 3778139552
Max-Forwards: 70

I'm guessing the 'friendly-scanner' bit is sarcastic, as there is little
that is friendly about this behaviour.

Has anyone else experienced this? Is this intended as a DoS attack, or
is it a dictionary attack? Or something else? What is the best strategy
for dealing with it?

For now I have started rate limiting SIP connections to Asterisk, but
what is a reasonable rate for each host to be allowed? This is a small
SOHO installation.

Thanks

Chris
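
The following is an added example, not part of Chris's post and not Asterisk code. It shows how the two questions raised above (is this a scanner, and what per-host rate is abnormal) can be answered from the SIP messages themselves: a small parser for REGISTER requests, two scanner heuristics (the "friendly-scanner" User-Agent that SIPVicious sends, and a Contact host that does not match the Via source), and a per-source sliding-window rate check. The traffic is constructed inline: a 50-packet burst modelled on the packet quoted in the post, plus a phone at the example address 192.0.2.10 re-registering every 60 seconds. The scanner list, the window of one second, the limit of ten REGISTERs per window and the phone's User-Agent are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque

# User-Agent fragments that identify SIP scanners rather than phones.
# "friendly-scanner" is what SIPVicious sends; the rest are assumptions
# added for the example.
SCANNER_USER_AGENTS = {"friendly-scanner", "sipvicious", "sipcli", "sip-scan"}

VIA_RE = re.compile(r"SIP/2\.0/(\w+)\s+([^;\s]+)")
CONTACT_HOST_RE = re.compile(r"sip:[^@>]*@([^;:>\s]+)")


def parse_sip_request(raw):
    """Split a SIP request into method, request-URI and a header dict.

    Header names are lowercased; a repeated header is joined with ', ' as
    RFC 3261 permits. Returns None if the start line is not a request."""
    lines = raw.strip().splitlines()
    m = re.match(r"^([A-Z]+)\s+(\S+)\s+SIP/2\.0$", lines[0].strip())
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break            # blank line ends the headers; body follows
        if ":" not in line:
            continue         # tolerate junk lines rather than abort
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return {"method": m.group(1), "uri": m.group(2), "headers": headers}


def via_source(headers):
    """Return 'host:port' from the topmost Via header, or None.

    The Via is supplied by the sender, so a firewall should key on the
    IP-layer source address instead; it is used here because the example
    works from message text alone."""
    m = VIA_RE.search(headers.get("via", ""))
    return m.group(2) if m else None


def scanner_indicators(msg):
    """Heuristics suggesting a REGISTER comes from a scanner, not a phone."""
    h = msg["headers"]
    found = []
    ua = h.get("user-agent", "").lower()
    if any(tag in ua for tag in SCANNER_USER_AGENTS):
        found.append("scanner user-agent")
    cm = CONTACT_HOST_RE.search(h.get("contact", ""))
    via_host = (via_source(h) or "").split(":")[0]
    if cm and via_host and cm.group(1) != via_host:
        found.append("contact host does not match via")
    return found


class RateTracker:
    """Sliding-window request counter per source."""

    def __init__(self, window=1.0, limit=10):
        self.window, self.limit = window, limit
        self.hits = defaultdict(deque)

    def record(self, source, t):
        """Record one request at time t; True if source exceeds the limit."""
        q = self.hits[source]
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


def analyze(events, window=1.0, limit=10):
    """events: iterable of (arrival time in seconds, raw SIP request).

    Returns {source: {"requests": n, "over_limit": bool, "indicators": set}}."""
    tracker = RateTracker(window, limit)
    report = defaultdict(lambda: {"requests": 0, "over_limit": False, "indicators": set()})
    for t, raw in events:
        msg = parse_sip_request(raw)
        if msg is None or msg["method"] != "REGISTER":
            continue
        src = via_source(msg["headers"]) or "unknown"
        entry = report[src]
        entry["requests"] += 1
        if tracker.record(src, t):
            entry["over_limit"] = True
        entry["indicators"].update(scanner_indicators(msg))
    return dict(report)


# Constructed traffic: the scanner packet is modelled on the one in the post,
# the phone at 192.0.2.10 (documentation address) is invented for the example.
SCANNER_TEMPLATE = (
    "REGISTER sip:62.3.200.113 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 62.149.239.97:5086;branch=z9hG4bK-{n};rport\r\n"
    "Content-Length: 0\r\n"
    "From: \"test\" <sip:test@62.3.200.113>\r\n"
    "Accept: application/sdp\r\n"
    "User-Agent: friendly-scanner\r\n"
    "To: \"test\" <sip:test@62.3.200.113>\r\n"
    "Contact: sip:123@1.1.1.1\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Call-ID: {n}\r\n"
    "Max-Forwards: 70\r\n\r\n"
)
PHONE_TEMPLATE = (
    "REGISTER sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-phone{n};rport\r\n"
    "From: <sip:1001@pbx.example.net>;tag=abc{n}\r\n"
    "To: <sip:1001@pbx.example.net>\r\n"
    "Contact: <sip:1001@192.0.2.10:5060>\r\n"
    "User-Agent: ExamplePhone/1.0\r\n"
    "CSeq: {n} REGISTER\r\n"
    "Call-ID: phone-{n}\r\n"
    "Max-Forwards: 70\r\n"
    "Content-Length: 0\r\n\r\n"
)


def constructed_events():
    """50 scanner REGISTERs in 0.25 s (200/s) plus a phone every 60 s."""
    events = [(n * 0.005, SCANNER_TEMPLATE.format(n=n)) for n in range(50)]
    events += [(n * 60.0, PHONE_TEMPLATE.format(n=n + 1)) for n in range(3)]
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for src, info in analyze(constructed_events()).items():
        print(src, info)
```

The rate check is the part to carry over to the firewall: a phone registers a few times a minute, so a limit of ten REGISTERs per second per source leaves a large margin for real clients while catching a burst like the one in the post within its first second. Note that, as the post already observes, dropping packets at the SOHO end removes the reply traffic but not the inbound 600 kbps; only the sender's upstream can stop that.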
