[asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny
Gordon Henderson
gordon+asterisk at drogon.net
Tue Aug 31 01:30:33 CDT 2010
On Mon, 30 Aug 2010, J. Oquendo wrote:
> Gordon Henderson wrote:
>> On Mon, 30 Aug 2010, J. Oquendo wrote:
>>
>> I also posted a very effective iptables script some weeks ago if you care
>> to search the archives. It works and is extremely effective in blocking
>> these types of attacks - however, it will not stop a broken sipvicious
>> from continuing to send data to your server, and that's the issue I have
>> at present.
>
> Alright, so I'm slightly confused maybe I'm reading this wrong...
>
> Someone using an older version of sipvicious was blocked and the
> "blocking" of the traffic still carried a load?
Yes. It's UDP, they just keep on sending.
> If so then you should have logged into your router and simply sinkholed
> him. There is nothing you can do against a flood whether or not its
> sipvicious or any other program. It's the "golf ball through the water
> hose" effect.
>
> Did you try:
>
> 1) sinkholing from your router
Yes. works fine until they can send faster than the router/incoming line
can handle the load. With a good VPS host you can trivially max-out a
typical UK ADSL line.
> 2) Contacting your upstream to inform them of the DoS to see if they'd
> sinkhole it
Yes.
My (ADSL) upstream will not block inbound floods like this. They have a
financial incentive not to - they get paid for the data they allow into
their network and through to you.
I only know of one UK broadband ISP that will actively block inbound
traffic for you and they're technically superb, but that comes with a
price which is more than your average small business is willing to pay.
None of the others I know and have used will block an inbound flood of
anything for you.
My main hosting upstream will only block such attacks when it has a
detrimental effect on their network (and then they're very good at it) -
last time my hosted servers got hit, they soaked up just over 30GB from a
single VPS site in France in a 12-hour period.
> 3) Contact the UPSTREAM of the attacking host?
Yes. No reply. And in the few times I've tried, I've only ever had a reply
from Amazon - some 18 hours after the flood started and then it took
another 12 hours for them to stop it (well documented here in the archives
by myself and others)
The reality is that most bulk VPS providers just don't care, or you've got
to go through layers of their own (semi-automated) protocol to get anywhere
(cf. Amazon)
Basically if you have to pay for inbound traffic in any shape or form
(monthly cap, daily limit, etc.) then you're fucked when this happens.
That's why the author of Sipvicious added svcrash.py to his set of
scripts.
Gordon