[asterisk-users] sip attacks

Bill Kenworthy billk at iinet.net.au
Sun Jul 31 19:19:06 CDT 2011


How big is the blocklist from fail2ban? - a few thousand entries and the
network stack performance degrades.

BillK


On Sun, 2011-07-31 at 19:54 -0400, C F wrote:
> How long ago was the last block from fail2ban?
> What could be is that the attacker hasn't yet realized that he has
> been blocked and is still trying, which although blocked by iptables
> it is still coming down the line for attempted connections.
> 
> On Sun, Jul 31, 2011 at 7:04 PM, Dave George <dgeorge at teletoneinc.com> wrote:
> > My asterisk server is getting bogged down every 5 minutes.  My ping time is
> > going from 60ms to 800 ms and the call quality is bad.
> >
> > I have fail2ban running and I am using iptables.  I have two ip connections
> > to the box.
> >
> > How can I tell if the poor performance is due to sip attacks?   I don't see
> > any reg attempts in my asterisk cli.  I use to get frequent attacks but
> > fail2ban seems to be taking care of that.
> >
> > See how ping time gets worst in a short space of time and server performance
> > at the time:
> >
> >
> > 64 bytes from 4.2.2.1: icmp_seq=6 ttl=55 time=87.8 ms
> > 64 bytes from 4.2.2.1: icmp_seq=7 ttl=55 time=99.8 ms
> > 64 bytes from 4.2.2.1: icmp_seq=8 ttl=55 time=107 ms
> > 64 bytes from 4.2.2.1: icmp_seq=9 ttl=55 time=115 ms
> > 64 bytes from 4.2.2.1: icmp_seq=10 ttl=55 time=120 ms
> > 64 bytes from 4.2.2.1: icmp_seq=11 ttl=55 time=122 ms
> > 64 bytes from 4.2.2.1: icmp_seq=12 ttl=55 time=123 ms
> > 64 bytes from 4.2.2.1: icmp_seq=13 ttl=55 time=126 ms
> > 64 bytes from 4.2.2.1: icmp_seq=14 ttl=55 time=122 ms
> > 64 bytes from 4.2.2.1: icmp_seq=15 ttl=55 time=142 ms
> > 64 bytes from 4.2.2.1: icmp_seq=16 ttl=55 time=142 ms
> > 64 bytes from 4.2.2.1: icmp_seq=17 ttl=55 time=137 ms
> > 64 bytes from 4.2.2.1: icmp_seq=18 ttl=55 time=186 ms
> > 64 bytes from 4.2.2.1: icmp_seq=19 ttl=55 time=255 ms
> > 64 bytes from 4.2.2.1: icmp_seq=20 ttl=55 time=310 ms
> > 64 bytes from 4.2.2.1: icmp_seq=21 ttl=55 time=387 ms
> > 64 bytes from 4.2.2.1: icmp_seq=22 ttl=55 time=445 ms
> > 64 bytes from 4.2.2.1: icmp_seq=23 ttl=55 time=514 ms
> > 64 bytes from 4.2.2.1: icmp_seq=24 ttl=55 time=583 ms
> > 64 bytes from 4.2.2.1: icmp_seq=25 ttl=55 time=650 ms
> > 64 bytes from 4.2.2.1: icmp_seq=26 ttl=55 time=715 ms
> > 64 bytes from 4.2.2.1: icmp_seq=27 ttl=55 time=783 ms
> > 64 bytes from 4.2.2.1: icmp_seq=28 ttl=55 time=821 ms
> > 64 bytes from 4.2.2.1: icmp_seq=29 ttl=55 time=810 ms
> > 64 bytes from 4.2.2.1: icmp_seq=30 ttl=55 time=832 ms
> > 64 bytes from 4.2.2.1: icmp_seq=31 ttl=55 time=812 ms
> > 64 bytes from 4.2.2.1: icmp_seq=32 ttl=55 time=821 ms
> > 64 bytes from 4.2.2.1: icmp_seq=33 ttl=55 time=826 ms
> > 64 bytes from 4.2.2.1: icmp_seq=34 ttl=55 time=815 ms
> > 64 bytes from 4.2.2.1: icmp_seq=35 ttl=55 time=821 ms
> > 64 bytes from 4.2.2.1: icmp_seq=36 ttl=55 time=824 ms
> >
> > top - 19:02:38 up 4 days, 11:26,  4 users,  load average: 0.36, 0.75, 0.82
> > Mem:   4051312k total,  1062964k used,  2988348k free,   167004k buffers
> > Swap:  6094840k total,        0k used,  6094840k free,   680144k cached
> >
> >  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> >  4245 root      15   0  791m  86m  10m S 39.6  2.2   1192:32 asterisk
> > 18280 root      15   0  3812  600  516 S  2.0  0.0   0:59.00 pppoe
> >  2582 root      15   0  5912  628  504 S  0.3  0.0   2:02.19 syslogd
> > 18978 root      15   0 12744 1096  812 R  0.3  0.0   0:00.02 top
> >    1 root      15   0 10352  700  588 S  0.0  0.0   0:01.14 init
> >    2 root      RT  -5     0    0    0 S  0.0  0.0   0:00.01 migration/0
> >    3 root      34  19     0    0    0 S  0.0  0.0   0:31.90 ksoftirqd/0
> >    4 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/0
> >    5 root      RT  -5     0    0    0 S  0.0  0.0   0:00.01 migration/1
> >    6 root      34  19     0    0    0 S  0.0  0.0   0:08.43 ksoftirqd/1
> >    7 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/1
> >    8 root      RT  -5     0    0    0 S  0.0  0.0   0:00.13 migration/2
> >    9 root      34  19     0    0    0 S  0.0  0.0   2:40.56 ksoftirqd/2
> >   10 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/2
> >   11 root      RT  -5     0    0    0 S  0.0  0.0   0:00.05 migration/3
> >   12 root      34  19     0    0    0 S  0.0  0.0   0:44.56 ksoftirqd/3
> >   13 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/3
> >   14 root      10  -5     0    0    0 S  0.0  0.0   0:00.02 events/0
> >   15 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 events/1
> >   16 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 events/2
> >   17 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 events/3
> >   18 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 khelper
> >   55 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 kthread
> >   62 root      10  -5     0    0    0 S  0.0  0.0   0:00.07 kblockd/0
> >   63 root      10  -5     0    0    0 S  0.0  0.0   0:00.01 kblockd/1
> >   64 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 kblockd/2
> >   65 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 kblockd/3
> >   66 root      17  -5     0    0    0 S  0.0  0.0   0:00.00 kacpid
> >  166 root      17  -5     0    0    0 S  0.0  0.0   0:00.00 cqueue/0
> >  167 root      18  -5     0    0    0 S  0.0  0.0   0:00.00 cqueue/1
> >
> >
> >
> > Dave
> >
> >
> >
> > --
> > _____________________________________________________________________
> > -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> > New to Asterisk? Join us for a live introductory webinar every Thurs:
> >               http://www.asterisk.org/hello
> >
> > asterisk-users mailing list
> > To UNSUBSCRIBE or update options visit:
> >   http://lists.digium.com/mailman/listinfo/asterisk-users
> >
> 
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>                http://www.asterisk.org/hello
> 
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users





More information about the asterisk-users mailing list