[asterisk-users] being bombarded with SIP packets

Norbert Zawodsky norbert at zawodsky.at
Thu Oct 28 05:41:24 CDT 2010


  Am 28.10.2010 12:14, schrieb Per Jessen:
> Ishfaq Malik wrote:
>
>> On Thu, 2010-10-28 at 09:41 +0200, Per Jessen wrote:
>>> Over the last two weeks, we have had at least two "incidents" where
>>> our asterisk server got flooded (a hundred or more per second) by SIP
>>> packets.  Once from 114.31.50.10, second time from 173.212.200.146.
>>> We became aware of the problem when bandwidth started suffering
>>> because asterisk got very busy sending back replies or rejects (dunno
>>> which, I didn't investigate it any further).
>>> The immediate issues were dealt with by having the firewall drop
>>> those packets, but I was wondering:
>>>
>>> 1) if anyone has seen the same problem, and
>>> 2) if you've got some iptables rules for limiting inbound SIP by
>>> rate? (or some such).
>>>
>>>
>>> thanks
>>> Per Jessen, Zürich
>> Was it legitimate requests or a brute force attack? If it was a brute
>> force attack have you considered using fail2ban?
> It appears to be brute force, but I haven't bothered to investigate any
> further.  fail2ban is at best a kludge IMHO, and I don't like anything
> (automatically or otherwise) modifying my firewall.  Like Norbert
> suggested, I'll check the archives to see what others have done.
>
>
> /Per Jessen, Zürich
>
Per,

(didn't want to be unfriendly to you !!!!!)

As you say, "you don't like anything to modify your firewall". My words!

Someone (don't remember who & when) on this list showed me a very clever 
trick (= iptables rule) to drop the packets if too many of them arrive 
within a given period of time. Works really great !!!!!

Do not exactly remember how it was done (and I don't have access to that 
machine at the moment to have a look).
I remember something like
    first using iptables module "string" to inspect the packet if it 
contains the string "REGISTER sip:"
    and then use an iptables "hash bucket" with a limit of x/second

If this limit is exceeded, send the packet to nirvana (= DROP, or if you 
like LOG & DROP, or if you like LOG the 1st & DROP all .....)

Norbert
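[Editor's note, not part of the thread: the rule Norbert recalls is the iptables "string" match feeding a "hashlimit" (the "hash bucket") match. The script below is an added example reconstructing it; it is not code from the list or from any poster. The chain name SIP_FLOOD, UDP port 5060, the 5/sec per-source rate and the burst of 10 are assumptions you should tune to your own traffic. It needs the xt_string and xt_hashlimit modules and root to apply.]

```shell
#!/bin/sh
# Added example: rate-limit inbound SIP REGISTER floods with iptables
# "string" + "hashlimit". Not from the original post. Chain name, port
# and limits below are assumptions, override them via the environment.

SIP_PORT="${SIP_PORT:-5060}"      # assumption: SIP over UDP on the standard port
REG_RATE="${REG_RATE:-5/sec}"     # REGISTERs per source allowed before dropping
REG_BURST="${REG_BURST:-10}"      # initial burst tolerated per source
CHAIN="${CHAIN:-SIP_FLOOD}"       # hypothetical chain name

# sip_flood_rules prints the iptables commands, one per line, without
# running them, so the rule set can be reviewed before it touches the
# firewall. Order matters: the hashlimit rule RETURNs packets that are
# still under the per-source limit; everything that falls through is
# logged (itself rate-limited so the log cannot be flooded) and dropped.
# Only packets whose payload contains "REGISTER sip:" ever enter the
# chain, so normal INVITE/OPTIONS traffic is untouched. The match is
# case-sensitive and the string is checked only in the first fragment.
sip_flood_rules() {
    cat <<EOF
iptables -N $CHAIN
iptables -A INPUT -p udp --dport $SIP_PORT -m string --algo bm --string "REGISTER sip:" -j $CHAIN
iptables -A $CHAIN -m hashlimit --hashlimit-name sipreg --hashlimit-mode srcip --hashlimit-upto $REG_RATE --hashlimit-burst $REG_BURST -j RETURN
iptables -A $CHAIN -m limit --limit 1/min -j LOG --log-prefix "SIP REGISTER flood: "
iptables -A $CHAIN -j DROP
EOF
}

# sip_flood_rule_count returns how many rules would be installed; a cheap
# sanity check before applying.
sip_flood_rule_count() {
    sip_flood_rules | wc -l | tr -d ' '
}

# apply_sip_flood_rules installs the rules (requires root and the
# xt_string / xt_hashlimit modules). Older iptables releases spell
# --hashlimit-upto as plain --hashlimit; adjust the heredoc if needed.
apply_sip_flood_rules() {
    sip_flood_rules | while IFS= read -r rule; do
        eval "$rule"
    done
}

case "${1:-}" in
    apply) apply_sip_flood_rules ;;
    "")    sip_flood_rules ;;
esac
```

Run it with no argument to see the rules, `./sip_flood.sh apply` to install them. Because hashlimit keys on the source address (`--hashlimit-mode srcip`), one flooding host is throttled without affecting every other phone that registers; a flood of INVITEs instead of REGISTERs would need a second string match or a match on the port alone.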




More information about the asterisk-users mailing list