[asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny

J. Oquendo asterisk at tormenting.net
Mon Aug 30 15:53:00 CDT 2010


Gordon Henderson wrote:
> On Mon, 30 Aug 2010, J. Oquendo wrote:
>
> I also posted a very effective iptables script some weeks ago if you care 
> to search the archives. It works and is extremely effective in blocking 
> these types of attacks - however, it will not stop a broken sipvicious 
> from continuing to send data to your server, and that's the issue I have 
> at present.

Alright, so I'm slightly confused; maybe I'm reading this wrong...

Someone using an older version of sipvicious was blocked and the
"blocking" of the traffic still carried a load?

If so, then you should have logged into your router and simply sinkholed
him. There is nothing you can do against a flood, whether or not it's
sipvicious or any other program. It's the "golf ball through the water
hose" effect.

Did you try:

1) sinkholing from your router
2) Contacting your upstream to inform them of the DoS to see if they'd
sinkhole it
3) Contact the UPSTREAM of the attacking host?

+------------------------------------------+------------+------------+------------+-----------+-----------------+----------+
| hostid                                   | start_date | start_time | stop_date  | stop_time | attacker        | attempts |
+------------------------------------------+------------+------------+------------+-----------+-----------------+----------+
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-25 | 07:54:02   | 2010-08-25 | 07:55:54  | 38.99.168.133   | 16022    |
+------------------------------------------+------------+------------+------------+-----------+-----------------+----------+

8K attempts in a minute. There were times last month I'd see upwards of
40-60k per minute WHILE I played around with some of these guys in a
separate Asterisk based honeypot I created. So my confusion: "it will
not stop a broken sipvicious from continuing to send data to your
server" Even CURRENT versions of sipvicious won't stop sending data just
because you firewalled them out.

There is a pattern that many don't see unless you're constantly monitoring
and watching what's going on with your logs/devices. What I see
firsthand is, there are "bruteforcers" and there are the "toll
fraudsters." Since this is a public list, I care not to discuss findings
for obvious reasons; however, for those interested in that information,
feel free to send me a "non-free-mail" (meaning no Gmail, no Hotmail,
etc.) message. If I get around to seeing I should share this information,
I'd gladly do so... Otherwise I won't disclose anything about honeypots,
analysis, traffic patterns, etc. It's already surprising I posted
attacker information on the forum. ;) I see all sorts of attackers,
attack vectors, numbers dialed, etc., from many of these attackers.
You'd be surprised how STUPID some are and how SMART others are.

As for your comment though, it's confusing to me because if you blocked
them and they're still overwhelming you, it sounds like a) you need more
bandwidth because you're on a slow connection (I'm on a DS3) or b) the
server is misconfigured. On Linux, tc can be your friend.


-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
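The per-attacker "attempts" count in the table above is the kind of thing you want to compute from the Asterisk log itself, so that a source exceeding some failures-per-minute rate gets sinkholed rather than merely firewalled. The following is an added example, not code from the original post or from the Asterisk project: it parses chan_sip "Registration from ... failed for ..." NOTICE lines of the 1.4-era format, finds the peak number of failures any one source produced inside a sliding one-minute window, and prints the Linux null-route commands an operator would run. The log lines are constructed (TEST-NET addresses), the threshold of 3 is an assumption chosen for the sample, and the `ip route add blackhole` form is one way to sinkhole on a Linux router; a null route only stops the host replying, so inbound traffic still reaches your link, which is why the post's second and third options (upstream sinkholing) matter for a flood.

```python
"""Flag SIP brute-force sources from Asterisk 1.4-style log lines.

Added example (not from the original post or the Asterisk project).
Counts failed SIP registrations per source address in a sliding window
and emits the Linux null-route (sinkhole) command an operator would run.
Log lines below are constructed to match the chan_sip NOTICE format;
the threshold value is an assumption for the sample.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data (addresses are RFC 5737 TEST-NET).
SAMPLE_LOG = """\
[Aug 25 07:54:02] NOTICE[1234] chan_sip.c: Registration from '"100"<sip:100@pbx.example.net>' failed for '203.0.113.10' - Wrong password
[Aug 25 07:54:02] NOTICE[1234] chan_sip.c: Registration from '"101"<sip:101@pbx.example.net>' failed for '203.0.113.10' - No matching peer found
[Aug 25 07:54:03] NOTICE[1234] chan_sip.c: Registration from '"102"<sip:102@pbx.example.net>' failed for '203.0.113.10' - Wrong password
[Aug 25 07:54:03] NOTICE[1234] chan_sip.c: Registration from '"103"<sip:103@pbx.example.net>' failed for '203.0.113.10' - Wrong password
[Aug 25 07:54:30] NOTICE[1234] chan_sip.c: Registration from '"200"<sip:200@pbx.example.net>' failed for '198.51.100.7' - Wrong password
[Aug 25 07:55:50] NOTICE[1234] chan_sip.c: Registration from '"104"<sip:104@pbx.example.net>' failed for '203.0.113.10' - Wrong password
"""

# Syslog-style timestamp, then the chan_sip registration-failure NOTICE.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[\d.]+)' - (?P<why>.*)$"
)


def parse_line(line, year=2010):
    """Return (timestamp, source_ip, reason) or None for non-matching lines.

    The Asterisk timestamp carries no year, so one is supplied by the caller.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["why"]


def flood_sources(log_text, window=timedelta(minutes=1), threshold=3):
    """Map source IP -> peak failures seen inside any `window`, for sources
    whose peak reaches `threshold` (assumed value; tune for real traffic)."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, _reason = parsed
            per_ip[ip].append(ts)

    peaks = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans < window.
            while ts - stamps[start] >= window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            peaks[ip] = best
    return peaks


def sinkhole_commands(peaks):
    """One Linux null route per flooding source (local sinkhole).

    This stops the box from answering; it does not shed inbound packets
    from the link, which only an upstream sinkhole can do.
    """
    return [f"ip route add blackhole {ip}/32" for ip in sorted(peaks)]


if __name__ == "__main__":
    found = flood_sources(SAMPLE_LOG)
    for ip, n in found.items():
        print(f"{ip}: {n} failed registrations within one minute")
    print("\n".join(sinkhole_commands(found)))
```

Run against a real `/var/log/asterisk/messages` by reading the file into `flood_sources`; raise the threshold well above the legitimate re-registration rate of your phones before feeding its output to the router, and treat the commands as candidates for review rather than something to execute unattended.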



