[asterisk-users] Detecting DoS attacks via SIP

Patrick Laimbock patrick at laimbock.com
Tue Aug 15 15:54:46 CDT 2017

Hi Mike,

On 15-08-17 21:37, mdiehl wrote:
> Hi all,
> Lately, I've seen an increase in the number of attacks against my system from the so-called "Friendly Scanner."  When one of these script kiddies targets my server, all I see for symptoms is a few of my trunks become lagged due to server load and a stream of messages on the console that resemble this:
> I have to turn on sip debugging to find out who's hitting me.  However, I can't just leave it on because it would kill my logging system.
> So, how are other people handling this?  Is there an AMI event I want watch for?  I watch for PeerStatus, but since there's no actual peer in the attack, I don't seem to get an event from AMI.
> Any ideas?

You can block sipvicious/friendly scanner in iptables with something like:

-A INPUT -p udp --dport 5060 -m string --string "friendly-scanner" 
--algo bm -j DROP

You can also look at xtables with geoip to drop countries (per 
destination port) that should not connect to your Asterisk box. It's a 
big hammer but it works really well.

Or put a proxy like Kamailio or OpenSIPS in front of the Asterisk box. 
That's what the telco's/service providers do.


More information about the asterisk-users mailing list