[asterisk-users] Flood of REGISTERs - attack?

Jeff Brower jbrower at signalogic.com
Mon Apr 12 23:09:58 CDT 2010


> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Fred Posner
> Sent: 12 April 2010 21:57
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] Flood of REGISTERs - attack?
>
> On Apr 12, 2010, at 4:50 PM, Chris Hastie wrote:
>
>> I'm currently receiving over 200 SIP REGISTER requests per second from
>> a machine apparently in Italy, host97-239-149-62.serverdedicati.aruba.it.
>> This has continued for several days, and abuse at staff.aruba.it are
>> unresponsive. I've had a couple of similar incidents recently, the
>> others originating from uk2.net.
>>
>> ...snip...
>> Has anyone else experienced this? Is this intended as a DOS attack, or
>> is it a dictionary attack? Or something else? What is the best
>> strategy for dealing with it?
>>
>> For now I have started rate limiting SIP connections to Asterisk, but
>> what is a reasonable rate for each host to be allowed? This is a small
>> SOHO installation.
>>
>> Thanks
>>
>> Chris
>
> This is a pretty decent day for this. There's been discussion on the EC2 attack in progress
> (http://bit.ly/ec2sipattack) as well as decent suggestions around town. Some people like a fail2ban approach. Others
> are using IP Tables manually or contacting their upstream to block the traffic. And an interesting redirect solution
> was posted by Joshua Stein: http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/
>
> ---fred
> http://qxork.com
>
> -----------------
>
> Yep - this is the same codebase - the attack that I had from an EC2 yesterday and the day before, all had the
> "User-Agent: friendly-scanner" too.
>
> Looks like they are branching out....

SIP bots first became self-aware at 2:14 am Eastern Time on April 10th, 2010.  Soon they realized the key to world
domination was Asterisk servers.  In the ensuing panic, the forum came up with a defense script... but it wasn't
enough.  The SIP bots were already learning at a geometric rate.

Sorry couldn't help it :-)

-Jeff
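
The two signals mentioned in the quoted posts (a sustained REGISTER rate from a single host, and the "User-Agent: friendly-scanner" header) can be checked together. The following is an added example, not code from any poster in this thread; the threshold, window, function names and sample messages are assumptions constructed for illustration and use documentation addresses.

```python
import re
from collections import defaultdict, deque

# Assumed limits: the thread gives no "reasonable" rate, so tune these per site.
MAX_REGISTERS = 10       # REGISTERs allowed per source ...
WINDOW_SECONDS = 1.0     # ... inside this sliding window
SCANNER_AGENTS = {"friendly-scanner"}  # User-Agent value quoted in the thread

def parse_sip(raw):
    """Return (method, user_agent) for a raw SIP request, or (None, None)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    m = re.match(r"^([A-Z]+) \S+ SIP/2\.0$", head[0].strip())
    if not m:                      # responses and junk are not requests
        return None, None
    agent = None
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":  # header names are case-insensitive
            agent = value.strip()
    return m.group(1), agent

def flag_sources(packets):
    """packets: time-ordered (timestamp, src_ip, raw_sip). Returns {src_ip: reasons}."""
    recent = defaultdict(deque)    # per-source timestamps inside the window
    flagged = defaultdict(set)
    for ts, src, raw in packets:
        method, agent = parse_sip(raw)
        if method != "REGISTER":
            continue
        if agent and agent.lower() in SCANNER_AGENTS:
            flagged[src].add("scanner-user-agent")
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:   # drop entries older than the window
            q.popleft()
        if len(q) > MAX_REGISTERS:
            flagged[src].add("register-flood")
    return dict(flagged)

def make_register(agent):
    # Constructed sample REGISTER; host and addresses are placeholders.
    return ("REGISTER sip:pbx.example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
            f"User-Agent: {agent}\r\n"
            "Content-Length: 0\r\n\r\n")

# Constructed traffic: one host at 200 REGISTERs/s, one phone re-registering every 30 s.
SAMPLE = sorted(
    [(i * 0.005, "198.51.100.7", make_register("friendly-scanner")) for i in range(200)]
    + [(i * 30.0, "203.0.113.20", make_register("ExamplePhone/1.0")) for i in range(4)])
```

The flagged addresses are what a fail2ban-style ban or an iptables rule, both mentioned above, would then act on.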