[asterisk-users] Flood of REGISTERs - attack?

Chris Hastie lists at oak-wood.co.uk
Tue Apr 13 03:09:51 CDT 2010


On 13/04/10 00:27, Tom Stordy-Allison wrote:

> Yep - this is the same codebase - the attack that I had from an EC2 yesterday and the day before, all had the "User-Agent: friendly-scanner" too.
> 
> Looks like they are branching out....
> 
> Go with Joshua Stein's blog post - it worked perfectly for me and got it off my back.
> 

Unfortunately, it hasn't worked here.

Took me ages to figure out why

iptables -t nat -A PREROUTING -i ppp0 -s 62.149.239.97 -p udp --dport 5060 \
  -j REDIRECT --to-port 5071

didn't redirect the traffic. Turns out (I think) that only new
connections are sent to the nat table, and this one's been established
for several days now. If anyone can shed light on how to reset the
connection tracking I'd be interested, but only academically now.

Instead I just stopped asterisk and ran Joshua Stein's script on 5060.
But it didn't do the trick. The bot showed no sign whatsoever of letting up.

My other line of defence is the following rate limiting in iptables. Is
this likely to interfere with actual day to day operations of Asterisk,
given a small and not very busy installation? Basically it will drop
packets if it has seen more than 20 in the last 30 seconds, or more than
10 in the last 2 seconds from the same host.

# rate limit external SIP connections to Asterisk
# log (throttled to 1/sec, burst 3) hosts seen 20+ times in the last 30 s
iptables -A INPUT -i ppp0 -p udp --dport 5060 -m recent --name SIP \
  --rcheck --seconds 30 --hitcount 20 -m limit --limit 1/sec --limit-burst 3 \
  -j LOG --log-prefix "Dropped (sip rate lim 1): "
# drop them; --update also refreshes the timestamp, so the block lasts while they keep sending
iptables -A INPUT -i ppp0 -p udp --dport 5060 -m recent --name SIP \
  --update --seconds 30 --hitcount 20 -j DROP
# same for hosts seen 10+ times in the last 2 s
iptables -A INPUT -i ppp0 -p udp --dport 5060 -m recent --name SIP \
  --rcheck --seconds 2 --hitcount 10 -m limit --limit 1/sec --limit-burst 3 \
  -j LOG --log-prefix "Dropped (sip rate lim 2): "
iptables -A INPUT -i ppp0 -p udp --dport 5060 -m recent --name SIP \
  --update --seconds 2 --hitcount 10 -j DROP
# record every packet that got this far in the SIP list
iptables -A INPUT -i ppp0 -p udp --dport 5060 -m recent --name SIP --set
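To put a number on the "will this interfere with day to day operations" question, the following is an added example (not from this post, Asterisk or netfilter) that replays the rule order above over constructed traffic. It models the `recent` match under these assumed semantics: `--set` records a timestamp for the source; `--rcheck` matches when the source is listed with at least `--hitcount` timestamps inside the last `--seconds`, not counting the current packet; `--update` is the same but a match also records the current packet's timestamp. The sources, addresses and traffic patterns (a phone re-registering every 60 s with one call, a device sending one keepalive per second, a scanner at 50 REGISTERs per second) are all made up for the illustration.

```python
"""Model of the post's 'recent' rate-limit rules, run over constructed SIP traffic."""
from collections import defaultdict
from typing import Dict, List, Tuple

# A packet is (arrival time in seconds, source address). All traffic below is constructed.
Packet = Tuple[float, str]


class RecentList:
    """Simplified model of one xt_recent list (the post's --name SIP).

    Assumed semantics (check the iptables-extensions manual for the real module):
      set():   record a timestamp for the source (--set)
      check(): match if the source is already listed with at least `hitcount`
               timestamps inside the last `seconds`; the current packet is not
               counted.  With update=True a match also records this packet's
               timestamp (--update); with update=False it does not (--rcheck).
    The per-address cap on stored timestamps (ip_pkt_list_tot) is ignored; it
    does not change the verdicts for the hitcounts used here.
    """

    def __init__(self) -> None:
        self.stamps: Dict[str, List[float]] = defaultdict(list)

    def set(self, src: str, now: float) -> None:
        self.stamps[src].append(now)

    def check(self, src: str, now: float, seconds: float, hitcount: int, update: bool) -> bool:
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        matched = hits >= hitcount
        if matched and update:
            # A dropped packet still refreshes the list, so a host that keeps
            # sending stays blocked until it has been quiet for `seconds`.
            self.stamps[src].append(now)
        return matched


def sip_chain(packets: List[Packet]) -> Dict[str, Dict[str, int]]:
    """Apply the post's rule order to each packet and tally verdicts per source.

    The two LOG rules are omitted: they use --rcheck, so they never change a verdict.
    """
    recent = RecentList()
    tally: Dict[str, Dict[str, int]] = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for now, src in sorted(packets):
        if recent.check(src, now, seconds=30, hitcount=20, update=True):
            tally[src]["dropped"] += 1    # --update --seconds 30 --hitcount 20 -j DROP
        elif recent.check(src, now, seconds=2, hitcount=10, update=True):
            tally[src]["dropped"] += 1    # --update --seconds 2 --hitcount 10 -j DROP
        else:
            recent.set(src, now)          # --set; the packet goes on to Asterisk
            tally[src]["accepted"] += 1
    return dict(tally)


def phone_traffic(src: str, duration: float, register_every: float = 60.0) -> List[Packet]:
    """Constructed sample: a phone re-registering (REGISTER, then REGISTER with
    credentials after the 401) every `register_every` seconds, plus one short
    call (INVITE, ACK, BYE) starting at t=100."""
    pkts: List[Packet] = []
    t = 0.0
    while t < duration:
        pkts += [(t, src), (t + 0.1, src)]
        t += register_every
    pkts += [(100.0, src), (100.3, src), (130.0, src)]
    return pkts


def steady_traffic(src: str, start: float, rate: float, duration: float) -> List[Packet]:
    """Constructed sample: `rate` packets per second for `duration` seconds."""
    return [(start + i / rate, src) for i in range(int(rate * duration))]


def run_scenario() -> Dict[str, Dict[str, int]]:
    """Three constructed sources sharing the chain for five minutes."""
    phone = "192.0.2.10"        # normal phone (documentation address)
    chatty = "192.0.2.20"       # device sending a NAT keepalive every second
    scanner = "203.0.113.5"     # REGISTER flood at 50 packets/s for 5 s
    packets = (
        phone_traffic(phone, 300)
        + steady_traffic(chatty, 0, rate=1, duration=60)
        + steady_traffic(scanner, 10, rate=50, duration=5)
        + [(40.0, scanner), (75.0, scanner)]   # two single probes after the flood
    )
    return sip_chain(packets)


if __name__ == "__main__":
    for src, verdicts in run_scenario().items():
        print(f"{src:14} accepted={verdicts['accepted']:4} dropped={verdicts['dropped']:4}")
```

Under this model the phone is never touched (13 packets in five minutes, nothing dropped), and the scanner gets 10 packets through before the 2 s rule bites, after which every packet is dropped, including the probe at t=40, because each dropped packet refreshes the timestamps; only the probe sent 35 s after its last packet is accepted again. The caveat is the keepalive device: one packet per second trips the 20-in-30-s rule after 20 s and then stays blocked for as long as it keeps sending, so any endpoint that sends to port 5060 that often (aggressive NAT keepalives, OPTIONS pings) would be cut off by these rules even on a quiet installation.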