[asterisk-users] Asterisk runs at 100% CPU

Warren Selby wcselby at selbytech.com
Wed Nov 17 01:16:32 CST 2010


Sounds like your box has been compromised. Check the running processes and lock down remote SSH access to your server.

Thanks,
--Warren Selby, dCAP

On Nov 17, 2010, at 12:53 AM, Patrick <asterisk-users at ict-synergy.be> wrote:

> I also forgot to add that my bandwidth has been heavily used (mostly
> outbound traffic) since I detected the "attack".
> 
> 
> 
> On Wed, Nov 17, 2010 at 06:46, Patrick <asterisk-users at ict-synergy.be> wrote:
>> Dear asterisk users,
>> 
>> A few weeks ago I was attacked by a DoS on REGISTER, which I
>> solved with a fail2ban script.
>> Now, for the past few hours, my Asterisk 1.4.21.2 has been running at 100% CPU again.
>> 
>> I've checked the log and it shows nothing related to failed registers
>> or anything similar. It just tells me that some of my peers are lagged,
>> even with a verbosity of 10000.
>> 
>> I ran "SIP SHOW CHANNELS" and saw a very strange thing: I have
>> between 4000 and 5000 active channels from peer 127.0.0.1. I have no
>> SIP phone on localhost. Here is an excerpt of the command output:
>> 
>> Peer             User/ANR    Call ID      Seq (Tx/Rx)  Format         Hold     Last Message
>> 127.0.0.1        (None)      385677377    00101/00001  0x0 (nothing)  No       Rx: REGISTER
>> 127.0.0.1        (None)      1623666249   00101/00001  0x0 (nothing)  No       Rx: REGISTER
>> 127.0.0.1        (None)      1478349241   00101/00001  0x0 (nothing)  No       Rx: REGISTER
>> 127.0.0.1        (None)      1830524844   00101/00001  0x0 (nothing)  No       Rx: REGISTER
>> 127.0.0.1        (None)      1688182896   00101/00001  0x0 (nothing)  No       Rx: REGISTER
>> 127.0.0.1        (None)      1391124899   00101/00001  0x0 (nothing)  No       Rx: REGISTER
>> 127.0.0.1        (None)      2692644729   00101/00001  0x0 (nothing)  No       Rx: REGISTER
>> 127.0.0.1        (None)      2043438815   00101/00001  0x0 (nothing)  No       Rx: REGISTER
>> 127.0.0.1        (None)      3226298375   00101/00001  0x0 (nothing)  No       Rx: REGISTER
>> 127.0.0.1        (None)      170429466    00101/00001  0x0 (nothing)  No       Rx: REGISTER
>> 
>> It is not a configuration issue causing loops, because my config has
>> not changed in months.
>> 
>> Any help is appreciated.
>> 
>> Best regards,
>> Patrick
>> 
> 
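
A triage sketch for the symptom described in this thread, added here as an example and not code from either poster or from Asterisk: it parses pasted `sip show channels` output, including rows wrapped or quoted by a mail client, and tallies SIP dialogs per peer. The function names, the threshold, and the assumption that loopback is not an expected SIP source (the poster has no SIP phone on localhost) are choices made for this example; the sample rows are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: first rows wrapped as in the post, last two on one line.
SAMPLE = """\
Peer             User/ANR    Call ID      Seq (Tx/Rx)  Format
 Hold     Last Message
127.0.0.1        (None)      1000000001   00101/00001  0x0 (nothing)
 No       Rx: REGISTER
127.0.0.1        (None)      1000000002   00101/00001  0x0 (nothing)
 No       Rx: REGISTER
127.0.0.1        (None)      1000000003   00101/00001  0x0 (nothing)  No       Rx: REGISTER
192.0.2.10       alice       7d1f2a9c     00102/00000  0x4 (ulaw)     No       Tx: ACK
"""

ROW = re.compile(r"^(?P<peer>\S+)\s+(?P<user>\S+)\s+(?P<callid>\S+)\s+"
                 r"(?P<tx>\d+)/(?P<rx>\d+)\s+(?P<fmt>.*?)\s+"
                 r"(?P<hold>Yes|No)\s+(?P<last>(?:Rx|Tx|Init): \S+)\s*$")

def parse_channels(text):
    """Parse pasted 'sip show channels' rows into dicts, rejoining wrapped rows."""
    logical = []
    for raw in text.splitlines():
        line = re.sub(r"^>+ ?", "", raw)        # drop mail quote markers
        if not line.strip():
            continue
        if line[0].isspace() and logical:        # wrapped tail of the previous row
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.rstrip())
    return [m.groupdict() for m in map(ROW.match, logical) if m]  # header never matches

def suspicious_peers(rows, threshold=50):
    """Flag peers by dialog count and loopback origin (assumed unexpected here)."""
    findings = {}
    for peer, count in Counter(r["peer"] for r in rows).items():
        reasons = []
        try:
            if ipaddress.ip_address(peer).is_loopback:
                reasons.append("loopback source")
        except ValueError:
            pass                                 # peer column may hold a hostname
        if count >= threshold:
            reasons.append(f"{count} dialogs >= {threshold}")
        if reasons:
            last = Counter(r["last"] for r in rows if r["peer"] == peer)
            findings[peer] = {"dialogs": count, "reasons": reasons, "last": dict(last)}
    return findings
```

Calling `suspicious_peers(parse_channels(SAMPLE), threshold=3)` reports only the loopback peer, with its dialog count and a breakdown of the last SIP message seen per dialog.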


