[asterisk-users] Under heavy attack

Joel Maslak jmaslak at antelope.net
Sat Oct 30 20:33:23 CDT 2010


No.  It seems that opening up some sort of automatic blocking could cause an attacker forging packets to block legitimate endpoints. It also seems like they won't get in with good passwords, so it isn't actually accomplishing something to worry about the script kiddies if you have good passwords.  And this blocking won't actually stop someone with a zero day attack or who is sophisticated and can attack from many IP addresses - these are the real threats for people with good passwords.

The CPU usage is trivial to deny them.  As is the bandwidth usage, if you are not sitting on a slowish broadband connection.

Sure blocking doesn't hurt, but does the help it provides exceed the downsides (effort and risk of blocking legitimate users)?  I suspect it doesn't...if you have strong passwords.  If you have weak passwords, you should fix that. 

It also seems that the only way to make blocking effective is to block everything by default except known endpoints.  Blocking the door knockers doesn't protect against a bad guy finding (not through brute force) valid credentials.

For me, monitoring outbound call volume makes a lot more sense.  I would love to see an easy to use, out of the box method to alert me if more than "x" number of erlangs* are exceeded within a five minute, sixty minute, and one day time period. For me, I would want alerting on more than 10 erlangs over five minutes, 8 over an hour, and 2 over a day. Exceeding these would likely indicate fraud for my installation.  Smaller sites would use smaller numbers, larger ones would use bigger ones.

*erlang: one erlang represents full utilization of a single call path over the monitoring period.  The monitoring period is usually one hour, but can be anything (5, 60, or 1440 minutes in this case).

On Oct 30, 2010, at 6:53 PM, C F <shmaltz at gmail.com> wrote:

> You kidding?
> 
> On Sat, Oct 30, 2010 at 3:43 PM, Joel Maslak <jmaslak at antelope.net> wrote:
>> Is there really any benefit to blocking these, if you use good passwords?
>> 
>> On Sat, Oct 30, 2010 at 1:20 PM, Warren Selby <wcselby at selbytech.com> wrote:
>>> 
>>> I'm experiencing this on one of my client's servers. The attack is
>>> ongoing.
>>> 
>>> Thanks,
>>> --Warren Selby
>>> On Oct 30, 2010, at 2:28 PM, Zeeshan Zakaria <zishanov at gmail.com> wrote:
>>> 
>>> My main asterisk server is under unusually heavy attack, and so far Fail2Ban
>>> has blocked about 30 IPs, from various different countries. At this time it
>>> is blocking about 1 IP address every few minutes.
>>> 
>>> Just wondering if anybody else is also experiencing unusually increased
>>> hack attempts today?
>>> 
>>> Zeeshan A Zakaria
>>> 
>>> --
>>> www.ilovetovoip.com
>>> www.pbxforall.com (beta)
>>> 
>>> --
>>> _____________________________________________________________________
>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>>>               http://www.asterisk.org/hello
>>> 
>>> asterisk-users mailing list
>>> To UNSUBSCRIBE or update options visit:
>>>   http://lists.digium.com/mailman/listinfo/asterisk-users
>>> 
>> 
>> 
>> 
> 
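
The outbound call volume alerting described in the message above (10 erlangs over five minutes, 8 over an hour, 2 over a day), as an added example that is not part of the original post. The `(start, duration)` record layout, the function names and the sample data are assumptions made for illustration.

```python
"""Erlang-threshold alerting over outbound call records (added example)."""

# Thresholds from the post: window length in minutes -> erlang limit.
THRESHOLDS = {5: 10.0, 60: 8.0, 1440: 2.0}


def erlangs(calls, now, window_min):
    """Traffic carried in the window ending at `now`, in erlangs.

    calls: iterable of (start_epoch_s, duration_s) for outbound calls
    (hypothetical layout). Only the part of each call that overlaps the
    window is counted, so a long call that began earlier still contributes.
    """
    window_s = window_min * 60
    begin = now - window_s
    busy = 0
    for start, duration in calls:
        overlap = min(start + duration, now) - max(start, begin)
        if overlap > 0:
            busy += overlap
    return busy / window_s


def check(calls, now, thresholds=THRESHOLDS):
    """Return {window_min: erlangs} for every window over its limit."""
    calls = list(calls)
    alerts = {}
    for window_min, limit in thresholds.items():
        load = erlangs(calls, now, window_min)
        if load > limit:
            alerts[window_min] = round(load, 2)
    return alerts


# Constructed sample data (not from the post). NOW is an arbitrary epoch.
NOW = 1_288_500_000
# Normal day: 40 calls of 3 minutes spread over the last 20 hours.
NORMAL = [(NOW - 72_000 + i * 1_800, 180) for i in range(40)]
# Burst: 24 simultaneous calls that started 4 minutes ago and are still up.
BURST = NORMAL + [(NOW - 240, 240) for _ in range(24)]
# Slow drain: 3 call paths held busy for the whole day.
SLOW = [(NOW - 86_400, 86_400)] * 3

if __name__ == "__main__":
    for name, calls in (("normal", NORMAL), ("burst", BURST), ("slow", SLOW)):
        print(name, check(calls, NOW))
```

The slow-drain sample stays under the five-minute and one-hour limits and trips only the one-day limit, which is why the post asks for all three windows.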


