[asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny
gordon+asterisk at drogon.net
Tue Aug 31 01:30:33 CDT 2010
On Mon, 30 Aug 2010, J. Oquendo wrote:
> Gordon Henderson wrote:
>> On Mon, 30 Aug 2010, J. Oquendo wrote:
>> I also posted a very effective iptables script some weeks ago if you care
>> to search the archives. It works and is extremely effective in blocking
>> these types of attacks - however, it will not stop a broken sipvicious
>> from continuing to send data to your server, and that's the issue I have
>> at present.
> Alright, so I'm slightly confused maybe I'm reading this wrong...
> Someone using an older version of sipvicious was blocked and the
> "blocking" of the traffic still carried a load?
Yes. It's UDP, they just keep on sending.
> If so then you should have logged into your router and simply sinkholed
> him. There is nothing you can do against a flood whether or not its
> sipvicious or any other program. It's the "golf ball through the water
> hose" effect.
> Did you try:
> 1) sinkholing from your router
Yes. works fine until they can send faster than the router/incoming line
can handle the load. With a good VPS host you can trivially max-out a
typical UK ADSL line.
> 2) Contacting your upstream to inform them of the DoS to see if they'd
> sinkhole it
My (ADSL) upstream will not block inbound floods like this. They have a
financial incentive not to - they get paid for the data the allow into
their network and through to you.
I only know of one UK broadband ISP that will actively block inbound
traffic for you and they're technically superb, but that comes with a
price which is more than your average small business is wiling to pay.
None of the others I know and have used will block an inbound flood of
anything for you.
My main hosting upstream will only block such attacks when it has a
detrimental effect on their network (and then they're very good at it) -
last time my hosted servers got hit, they soaked up just over 30GB from a
single VPS site in France in a 12-hour period.
> 3) Contact the UPSTREAM of the attacking host?
Yes. No reply. And in the few times I've tried, I've only ever had a reply
from Amazon - some 18 hours after the flood started and then it took
another 12 hours for them to stop it (well documented here in the archives
by myself and others)
The reality is that most bulk VPS providers just don't care, or you've got
to go through layes of their own (semi-automated) protocol to get anywhere
Basically if you have to pay for inbound traffic in any shape or form
(monthly cap, daily limit, etc.) then you're fucked when this happens.
That's why the author of Sipvicious added svcrash.py to his set of
More information about the asterisk-users