[asterisk-users] being bombarded with SIP packets

Gordon Henderson gordon+asterisk at drogon.net
Thu Oct 28 05:59:56 CDT 2010


On Thu, 28 Oct 2010, Norbert Zawodsky wrote:

>  Am 28.10.2010 12:14, schrieb Per Jessen:
>> Ishfaq Malik wrote:
>>
>>> On Thu, 2010-10-28 at 09:41 +0200, Per Jessen wrote:
>>>> Over the last two weeks, we have had at least two "incidents" where
>>>> our asterisk server got flooded (a hundred or more per second) by SIP
>>>> packets.  Once from 114.31.50.10, second time from 173.212.200.146.
>>>> We became aware of the problem when bandwidth started suffering
>>>> because asterisk got very busy sending back replies or rejects (dunno
>>>> which, I didn't investigate it any further).
>>>> The immediate issues were dealt with by having the firewall drop
>>>> those packets, but I was wondering:
>>>>
>>>> 1) if anyone has seen the same problem, and

This is not new - just Read The Fine Archives. Been going on for years. 
You're not the first, not the last.

Google for sipvicious.

>>>> 2) if you've got some iptables rules for limiting inbound SIP by
>>>> rate? (or some such).
>>>>
>>>>
>>>> thanks
>>>> Per Jessen, Zürich
>>> Was it legitimate requests or a brute force attack? If it was a brute
>>> force attack have you considered using fail2ban?
>> It appears to be brute force, but I haven't bothered to investigate any
>> further.  fail2ban is at best a kludge IMHO, and I don't like anything
>> (automatically or otherwise) modifying my firewall.  Like Norbert
>> suggested, I'll check the archives to see what others have done.
>>
>>
>> /Per Jessen, Zürich
>>
> Per,
>
> (didn't want to be unfriendly to you !!!!!)
>
> As you say, "you don't like anything to modify your firewall". My words !
>
> Someone (don't remember who & when) on this list showed me a very clever
> trick (=iptables rule) to drop the packets if too many of them arrive
> within a given period of time. Works really great !!!!!

Possibly me - I did post something - you might want to look at

   http://unicorn.drogon.net/firewall2

An issue I've found with this is that while it works to protect 
your asterisk box, it does take up a considerable amount of CPU/kernel 
time to process - so running on embedded hardware isn't a good idea.

There are other things you need to do too - but do get the sipvicious 
source code - it has a crash program in it - however I'm finding that this 
works less and less now because the criminals who're trying to steal your 
VoIP minutes have upgraded - however the upgrade is a little nicer when 
you firewall it out.

And do make sure you have

   alwaysauthreject=yes

in the [general] section of sip.conf. Most of the time that will protect 
you as the criminals will do a single pass to try to identify accounts 
that are valid, then find none, then move on.

Sometimes they don't though and use the 'force' option in sipvicious. Then 
you're SOL....

Gordon
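As an added illustration of the two defences discussed in this thread (this is example code, not Gordon's firewall2 script and not part of the original post), a POSIX shell snippet that prints per-source iptables hashlimit rules for UDP 5060 and checks a sip.conf for alwaysauthreject=yes inside [general]. The rate, burst and interface values are assumptions; the sip.conf content is constructed for the demo.

```shell
#!/bin/sh
# Added example, not the firewall2 script from the thread.
# Assumed values: adjust to the real trunk/peer traffic before applying.
SIP_IFACE="${SIP_IFACE:-eth0}"     # assumed WAN interface
SIP_RATE="${SIP_RATE:-20/sec}"     # assumed per-source packet rate
SIP_BURST="${SIP_BURST:-50}"       # assumed burst allowance

# Print (not apply) rules that drop a single source once it sends
# more than SIP_RATE UDP/5060 packets per second. Review, then
# pipe into `sh` as root to apply.
sip_ratelimit_rules() {
    cat <<EOF
iptables -N SIP_LIMIT 2>/dev/null || iptables -F SIP_LIMIT
iptables -A SIP_LIMIT -m hashlimit --hashlimit-name sip --hashlimit-mode srcip --hashlimit-upto $SIP_RATE --hashlimit-burst $SIP_BURST -j ACCEPT
iptables -A SIP_LIMIT -m limit --limit 5/min -j LOG --log-prefix "SIP flood: "
iptables -A SIP_LIMIT -j DROP
iptables -I INPUT -i $SIP_IFACE -p udp --dport 5060 -j SIP_LIMIT
EOF
}

# Return 0 if $1 (a sip.conf) has an uncommented alwaysauthreject=yes
# in its [general] section, 1 otherwise. Lines starting with ';' are
# Asterisk comments and do not match the anchored pattern.
check_alwaysauthreject() {
    awk '
      /^[[:space:]]*\[/ { in_general = ($0 ~ /^[[:space:]]*\[general\]/) }
      in_general && /^[[:space:]]*alwaysauthreject[[:space:]]*=[[:space:]]*yes[[:space:]]*$/ { found = 1 }
      END { exit found ? 0 : 1 }
    ' "$1"
}

# Write a constructed sample sip.conf to $2 with alwaysauthreject=$1.
make_sample_conf() {
    cat > "$2" <<EOF
[general]
context=default
alwaysauthreject=$1
[1001]
type=friend
EOF
}
```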

