[asterisk-users] being bombarded with SIP packets

Ishfaq Malik ish at pack-net.co.uk
Thu Oct 28 04:03:48 CDT 2010


On Thu, 2010-10-28 at 09:41 +0200, Per Jessen wrote:
> Over the last two weeks, we have had at least two "incidents" where our
> asterisk server got flooded (a hundred or more per second) by SIP
> packets.  Once from 114.31.50.10, second time from 173.212.200.146.  We
> became aware of the problem when bandwidth started suffering because
> asterisk got very busy sending back replies or rejects (dunno which, I
> didn't investigate it any further). 
> The immediate issues were dealt with by having the firewall drop those
> packets, but I was wondering:
> 
> 1) if anyone has seen the same problem, and
> 2) if you've got some iptables rules for limiting inbound SIP by rate?
> (or some such).
> 
> 
> thanks
> Per Jessen, Zürich

Was it legitimate requests or a brute force attack? If it was a brute
force attack have you considered using fail2ban?

Ish

-- 
Ishfaq Malik
Software Developer
PackNet Ltd

Office:   0161 660 3062




More information about the asterisk-users mailing list