[asterisk-users] Under heavy attack

Barry Miller asterisk-users at notanet.net
Sat Oct 30 20:57:56 CDT 2010


On Sun, Oct 31, 2010 at 03:23:52AM +0200, Tzafrir Cohen wrote:
> On Sat, Oct 30, 2010 at 01:43:49PM -0600, Joel Maslak wrote:
> > Is there really any benefit to blocking these, if you use good passwords?
> 
> Regardless of any threat from those attacks succeeding, they completely
> saturated the uplink in our ADSL-connected office.
> 
> What are they after, anyway? Merely cheap international calls?

I'm guessing free PSTN access.  They don't want to DoS you.  The scans
are an attempt to collect valid extensions for later password guessing
attempts.  Every one I've seen has used svwar (from SIPVicious), which
by default will give up if it can't tell the difference between trying
to register (or invite) an unknown peer and a known one.  This is why
"alwaysauthreject = yes" is so effective, even though it bends RFC3261
a bit.

But keep using fail2ban, too.  "svwar.py --force" will cause it to scan
regardless of response code.

-- 
Barry
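
Added example, not part of Barry's message or of Asterisk/fail2ban: a log check that separates the extension scans described above from password guessing by counting distinct extensions per source address, whatever failure reason is logged. The chan_sip log line shape, the threshold, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed chan_sip "Registration ... failed" line shape; newer builds
# append ":port" to the source address, which the pattern tolerates.
FAIL_RE = re.compile(
    r"Registration from '(?:\"[^\"]*\"\s*)?<sip:(?P<ext>[^@>]+)@[^>]*>' "
    r"failed for '(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.+)$"
)

def classify_sources(lines, scan_threshold=5):
    """Return {ip: verdict}. 'enumeration' = many distinct extensions tried,
    'guessing' = few extensions hit repeatedly, 'noise' = below threshold.
    The logged reason is deliberately ignored."""
    exts = defaultdict(set)
    attempts = defaultdict(int)
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # not a registration failure
        exts[m.group("ip")].add(m.group("ext"))
        attempts[m.group("ip")] += 1
    verdicts = {}
    for ip, count in attempts.items():
        if len(exts[ip]) >= scan_threshold:
            verdicts[ip] = "enumeration"
        elif count >= scan_threshold:
            verdicts[ip] = "guessing"
        else:
            verdicts[ip] = "noise"
    return verdicts

def _mk(ext, ip, reason):
    # Builds one constructed sample log line (documentation addresses only).
    return ("[Oct 30 20:50:00] NOTICE[2101] chan_sip.c: Registration from "
            "'\"%s\" <sip:%s@192.0.2.10>' failed for '%s' - %s"
            % (ext, ext, ip, reason))

# Constructed sample: one scanner, one guesser, one stray failure.
SAMPLE = (
    [_mk(100 + i, "198.51.100.7", "Wrong password") for i in range(8)]
    + [_mk(201, "203.0.113.9", "Wrong password") for _ in range(6)]
    + [_mk(305, "192.0.2.44", "No matching peer found")]
)

if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE).items()):
        print(ip, verdict)
```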


