[asterisk-users] being bombarded with SIP packets

Per Jessen per at computer.org
Thu Oct 28 05:14:22 CDT 2010


Ishfaq Malik wrote:

> On Thu, 2010-10-28 at 09:41 +0200, Per Jessen wrote:
>> Over the last two weeks, we have had at least two "incidents" where
>> our asterisk server got flooded (a hundred or more per second) by SIP
>> packets.  Once from 114.31.50.10, second time from 173.212.200.146. 
>> We became aware of the problem when bandwidth started suffering
>> because asterisk got very busy sending back replies or rejects (dunno
>> which, I didn't investigate it any further).
>> The immediate issues were dealt with by having the firewall drop
>> those packets, but I was wondering:
>> 
>> 1) if anyone has seen the same problem, and
>> 2) if you've got some iptables rules for limiting inbound SIP by
>> rate? (or some such).
>> 
>> 
>> thanks
>> Per Jessen, Zürich
> 
> Was it legitimate requests or a brute force attack? If it was a brute
> force attack have you considered using fail2ban?

It appears to be brute force, but I haven't bothered to investigate any
further.  fail2ban is at best a kludge IMHO, and I don't like anything
(automatically or otherwise) modifying my firewall.  Like Norbert
suggested, I'll check the archives to see what others have done. 


/Per Jessen, Zürich

-- 
http://www.spamchek.com/ - your spam is our business.
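
The thread asks about limiting inbound SIP by rate per source. The following is an added example, not code from the thread or from Asterisk: a small model of a per-source token bucket, showing how a static rate limit treats a 100 packets/second flood next to a normal phone. The rate of 10 packets/second, the burst of 20, and the sample addresses and traffic are constructed assumptions.

```python
# Per-source token-bucket rate limiter, modelled in integer arithmetic
# (milliseconds and milli-tokens) so the results are exact.

def rate_limit(packets, rate=10, burst=20):
    """packets: (timestamp_ms, src_ip) tuples in time order.
    rate: sustained packets/second allowed per source (assumed value).
    burst: packets a source may send back-to-back (assumed value).
    Returns {src_ip: (accepted, dropped)}."""
    cap = burst * 1000              # bucket size in milli-tokens
    state = {}                      # src -> (milli_tokens, last_seen_ms)
    stats = {}                      # src -> (accepted, dropped)
    for ts_ms, src in packets:
        tokens, last = state.get(src, (cap, ts_ms))
        # Refill: rate tokens/second == rate milli-tokens per millisecond.
        tokens = min(cap, tokens + (ts_ms - last) * rate)
        accepted, dropped = stats.get(src, (0, 0))
        if tokens >= 1000:          # one whole token pays for one packet
            tokens -= 1000
            accepted += 1
        else:
            dropped += 1
        state[src] = (tokens, ts_ms)
        stats[src] = (accepted, dropped)
    return stats

# Constructed sample traffic (documentation address ranges, 5 seconds):
# one source sending 100 packets/second, one phone sending 2 packets/second.
FLOOD = [(i * 10, "203.0.113.7") for i in range(500)]
PHONE = [(i * 500, "192.0.2.20") for i in range(10)]
SAMPLE = sorted(FLOOD + PHONE)

if __name__ == "__main__":
    for src, (ok, drop) in sorted(rate_limit(SAMPLE).items()):
        print(f"{src:15s} accepted={ok:4d} dropped={drop:4d}")
```

The flooding source gets its burst and is then held to the sustained rate, so the server answers only a fraction of its packets, while the phone never comes near the limit.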



