[asterisk-users] Flood of REGISTERs - attack?

Tom Stordy-Allison tom at stordy-allison.com
Mon Apr 12 18:27:54 CDT 2010


-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Fred Posner
Sent: 12 April 2010 21:57
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Flood of REGISTERs - attack?

On Apr 12, 2010, at 4:50 PM, Chris Hastie wrote:

> I'm currently receiving over 200 SIP REGISTER requests per second from 
> a machine apparently in Italy, host97-239-149-62.serverdedicati.aruba.it.
> This has continued for several days, and abuse at staff.aruba.it are 
> unresponsive. I've had a couple of similar incidents recently, the 
> others originating from uk2.net.
> 
> ...snip...
> Has anyone else experienced this? Is this intended as a DOS attack, or 
> is it a dictionary attack? Or something else? What is the best 
> strategy for dealing with it?
> 
> For now I have started rate limiting SIP connections to Asterisk, but 
> what is a reasonable rate for each host to be allowed? This is a small 
> SOHO installation.
> 
> Thanks
> 
> Chris

This is a pretty decent day for this. There's been discussion on the EC2 attack in progress (http://bit.ly/ec2sipattack) as well as decent suggestions around town. Some people like a fail2ban approach. Others are using iptables manually or contacting their upstream to block the traffic. And an interesting redirect solution was posted by Joshua Stein: http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/

---fred
http://qxork.com

-----------------

Yep - this is the same codebase - the attack that I had from an EC2 yesterday and the day before, all had the "User-Agent: friendly-scanner" too.

Looks like they are branching out....

Go with Joshua Stein's blog post - it worked perfectly for me and got it off my back.

Cheers,

Tom
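
Added example, not part of the original thread: a small Python triage script that summarizes captured SIP REGISTER traffic per source, reporting the peak rate, the number of distinct extensions tried, and whether the "friendly-scanner" User-Agent mentioned above appears. The thresholds, the addresses, the hostname and the `ExamplePhone/1.0` agent are assumptions constructed for illustration; tune the limits to your own traffic.

```python
import re
from collections import defaultdict

# Assumed limits for a small site; not values taken from the thread.
MAX_REGISTERS_PER_SEC = 5
MAX_DISTINCT_USERS = 10

REQ_LINE = re.compile(r"^REGISTER\s+sip:\S+\s+SIP/2\.0", re.I)
TO_USER = re.compile(r"^(?:To|t)\s*:.*?<?sips?:([^@>;\s]+)@", re.I | re.M)
USER_AGENT = re.compile(r"^User-Agent\s*:\s*(.+?)\s*$", re.I | re.M)

def summarize(packets):
    """packets: iterable of (epoch_seconds, src_ip, raw_sip_text)."""
    per_sec = defaultdict(lambda: defaultdict(int))
    users, agents = defaultdict(set), defaultdict(set)
    for ts, src, raw in packets:
        if not REQ_LINE.match(raw):
            continue  # only REGISTER requests are counted
        per_sec[src][int(ts)] += 1
        for rx, bucket in ((TO_USER, users), (USER_AGENT, agents)):
            m = rx.search(raw)
            if m:
                bucket[src].add(m.group(1))
    report = {}
    for src, secs in per_sec.items():
        peak, flags = max(secs.values()), []
        if peak > MAX_REGISTERS_PER_SEC:
            flags.append("rate")
        if len(users[src]) > MAX_DISTINCT_USERS:
            flags.append("many-extensions")  # one source walking many accounts
        if any("friendly-scanner" in a.lower() for a in agents[src]):
            flags.append("friendly-scanner")
        report[src] = {"peak_per_sec": peak,
                       "distinct_users": len(users[src]), "flags": flags}
    return report

# Constructed sample traffic (documentation address ranges, made-up host).
def _msg(method, user, agent):
    return (f"{method} sip:pbx.example.test SIP/2.0\r\n"
            f"To: <sip:{user}@pbx.example.test>\r\n"
            f"User-Agent: {agent}\r\n\r\n")

SAMPLE = [(1000 + i / 200, "192.0.2.10", _msg("REGISTER", 100 + i, "friendly-scanner"))
          for i in range(200)]
SAMPLE += [(1000.2, "198.51.100.7", _msg("REGISTER", 201, "ExamplePhone/1.0")),
           (1030.0, "198.51.100.7", _msg("OPTIONS", 201, "ExamplePhone/1.0")),
           (1060.2, "198.51.100.7", _msg("REGISTER", 201, "ExamplePhone/1.0"))]

if __name__ == "__main__":
    for src, row in summarize(SAMPLE).items():
        print(src, row)
```

A high peak rate against a single extension and a high count of distinct extensions are different patterns, so the report keeps the two flags separate.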