[asterisk-users] Being attacked by an Amazon EC2 ...

Gordon Henderson gordon+asterisk at drogon.net
Sun Apr 11 07:56:22 CDT 2010


On Sun, 11 Apr 2010, Zeeshan Zakaria wrote:

> My experience is that as long as the hackers are getting any kind of
> response from your server, they'll keep their attack on, in the hope that
> they'll get into your system sooner or later. After all it is just some
> computers doing the work for them, no human is physically getting tired here.
> This is why when you block them in your iptables, and they stop getting
> response from your end, i.e. no ping reply, no sip response, nothing
> basically, then they eventually take their attack somewhere else probably
> because they (or their hack attempt software) either assume that the ip they
> were attacking is no longer valid for the attack or the user has taken
> enough security measures that attacking him is not worth the effort.
>
> On the contrary, in my experience, if you don't block them, eventually attacks
> increase. Probably they let their other hacker friends know too that your
> server is a good candidate for hack attempt.

Very probably true...

> Obviously it's only the ISPs who can truly stop such attacks by blocking
> them at their routers. If the hackers decide to keep bugging you,
> unfortunately there is nothing you can do to protect your bandwidth waste.
>
> But I wonder if one's router doesn't respond back, e.g. it is physically
> off, and someone is doing such an attack, do the ISPs still consider it
> bandwidth usage?

Interesting - I'm not sure. Currently my router isn't responding, but it
still has to soak up the packet, and as it's being counted from the ISP's
end, it's probably being 'counted' towards my allowance.

I don't particularly want to turn it off though - I do all sorts of 
automated backups, etc. overnight as well as monitoring of my hosted 
servers, customers, etc....

However, I've just had a reply back from Amazon to say that they have
contacted the host's owner - but that was just over an hour ago, and when I
removed the firewall rules, they're still trying )-:

Is there any way to sniff the SIP password they're trying? It'd be
interesting to see what passwords they're guessing - they're trying just
one account rather than accounts at random.

I've played with sipdump and sipcrack - looks like they're trying a 
different password each time though.

Ho hum.

Gordon
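
Added example, not part of the original post and not code from sipdump, sipcrack or Asterisk: SIP uses HTTP Digest authentication (RFC 2617), so a captured REGISTER carries an MD5 response bound to the server's nonce rather than the password itself. The sketch below lets a server operator recompute the expected response from the account's own secret to see whether a captured attempt was correct; the account "1000", realm "asterisk", the URI, nonces and passwords are constructed sample values.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest(header_value):
    """Parse the value of an Authorization header: Digest k="v", k2=v2, ..."""
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', header_value)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def expected_response(p, password, method):
    """RFC 2617 response for the given secret, with or without qop=auth."""
    ha1 = md5_hex(f'{p["username"]}:{p["realm"]}:{password}')
    ha2 = md5_hex(f'{method}:{p["uri"]}')
    if p.get("qop") == "auth":
        return md5_hex(f'{ha1}:{p["nonce"]}:{p["nc"]}:{p["cnonce"]}:auth:{ha2}')
    return md5_hex(f'{ha1}:{p["nonce"]}:{ha2}')

def attempt_matches(header_value, account_password, method="REGISTER"):
    """True if the captured attempt was made with the account's real secret."""
    p = parse_digest(header_value)
    want = expected_response(p, account_password, method)
    return hmac.compare_digest(want, p.get("response", "").lower())

def sample_attempts(guess="guess123"):
    """Constructed capture: the same guess answered under two server nonces."""
    headers = []
    for nonce in ("4a1f0c2e", "7b93d5aa"):  # constructed nonces
        p = {"username": "1000", "realm": "asterisk",
             "uri": "sip:pbx.example.invalid", "nonce": nonce}
        p["response"] = expected_response(p, guess, "REGISTER")
        headers.append("Digest " + ", ".join(f'{k}="{v}"' for k, v in p.items()))
    return headers

if __name__ == "__main__":
    for header in sample_attempts():
        response = parse_digest(header)["response"]
        # The response differs per nonce even though the guess is the same.
        print(response, "correct:", attempt_matches(header, "real-secret"))
```

Because the nonce is part of the hash, two attempts with the same password still produce different responses on the wire.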


