[asterisk-users] SIP flood attack
Paul Hayes
paul at provu.co.uk
Tue Oct 5 11:26:57 CDT 2010
On 03/10/10 21:19, Greg Saunders wrote:
> Hello all. I was recently the victim of a SIP flood attack. I'm
> wondering what is the best method to prevent such things in the future.
> Many thanks
> Greg
>

Do one of the following:

- use deny & permit lines in sip.conf &/or iax.conf to restrict any
remote Registrations from known IP address ranges only. Or use iptables
rules to do something similar.
- use a log scanning tool such as fail2ban or ossec which can react on
multiple registration fails and block IP addresses in iptables.
- enforce strict password policy on all users on the system.

I think simply relying on alwaysauthreject is very dangerous as it's
only a matter of time before the attackers catch on to this and carry on
attacking regardless. Sure there's less chance of them getting a
correct username/secret combination but in the meantime, the register
attempts are practically a DoS attack. Plus that setting further breaks
the SIP RFC.

I also think that assuming that the attackers will eventually get in one
way or another is wise. So put in place appropriate measures to limit
the damage they can do (daily spend limits with SIP providers, blocking
international and/or premium rate numbers etc...).

cheers,
Paul.
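
Added example (not part of the original message, and not fail2ban or ossec code): a sketch of the log-scanning approach described above, counting failed registrations per source IP in a sliding window and listing iptables rules for the offenders. The log line shape, the sample lines, the thresholds and the trusted range 192.0.2.0/24 are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Assumed shape of a rejected-REGISTER notice; adjust to your Asterisk version and dateformat.
FAILED = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '.*' "
    r"failed for '(?P<ip>[\d.]+)(?::\d+)?' - .+$"
)
# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = """\
[2010-10-05 11:20:01] NOTICE[2211] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2010-10-05 11:20:02] NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2010-10-05 11:20:03] NOTICE[2211] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2010-10-05 11:20:04] NOTICE[2211] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2010-10-05 11:20:05] VERBOSE[2211] logger.c: -- Registered SIP '200' at 192.0.2.20 port 5060
[2010-10-05 11:21:00] NOTICE[2211] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '198.51.100.23' - Wrong password
[2010-10-05 11:30:00] NOTICE[2211] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '198.51.100.23' - Wrong password
""".splitlines()

def offenders(lines, max_fails=3, window=timedelta(seconds=60), trusted=("192.0.2.0/24",)):
    """Map each source IP with >= max_fails failures inside `window` to the time it tripped."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:               # malformed address in the log line
            continue
        if any(ip in n for n in nets):   # never block ranges you permit in sip.conf
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[str(ip)]
        q.append(ts)
        while ts - q[0] > window:        # forget failures older than the window
            q.popleft()
        if len(q) >= max_fails:
            flagged.setdefault(str(ip), ts)
    return flagged

def drop_rules(flagged):
    """iptables commands for an operator to review before applying."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP" for ip in sorted(flagged)]

if __name__ == "__main__":
    print("\n".join(drop_rules(offenders(SAMPLE))))
```

The two failures from 198.51.100.23 are nine minutes apart and stay under the threshold, so an occasional mistyped password does not lock a user out.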