[asterisk-users] Being attacked by an Amazon EC2 ...
Roderick A. Anderson
raanders at cyber-office.net
Mon Apr 12 14:03:55 CDT 2010
Darrick Hartman wrote:
> On 04/12/2010 12:05 PM, Randy R wrote:
>> On Mon, Apr 12, 2010 at 6:51 PM, Darrick Hartman
>> <dhartman at djhsolutions.com> wrote:
<snip />
> Randy,
>
> That only addresses EC2 (and assumes that Amazon has any interest in
> protecting their reputation). What about attacks that come from other
> locations? Granted it's pretty easy to buy time on an EC2 server so
> this may be the primary source for a period of time.

What is a reasonable number of connection attempts per minute?

I have an iptables rule set I use against SSH floods (script kiddies)
that I think could be adapted to work with the method shown at:
http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood

My settings allow up to 4 connection attempts per minute and if exceeded
the connection gets dropped. There is a whitelist setting that allows
IPs or ranges to get past this. (I need this for Linux-Vserver guests
as I may connect to more than 4 in a one minute period.)

This rule set doesn't need to know where the connection came from.
If it tries over four in a minute, it gets dropped.

I run Asterisk for my _very_ small business and provide some support for
another small business. Neither of us has experienced these floods so I
don't know what a reasonable number of connection attempts per minute
(per second?) would be.

Anyway here are the -- untested -- iptables rules:

-N SIPREG_WL
-A SIPREG_WL -s 192.168.0.88 -m recent --remove --name SIPREG -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --set --name SIPREG
-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -j SIPREG_WL
-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SIPREG -j REDIRECT --to-port 5061

\\||/
Rod
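
An added example, not part of the original post or of Asterisk, for the question of what threshold is reasonable: it takes constructed (timestamp, source IP) records of new SIP requests on UDP 5060, computes each source's peak attempts in any 60-second span, and lists the non-whitelisted sources that exceed a chosen limit. The sample records, the input format and the function names are assumptions; the counting is a plain sliding window, not the recent module's exact bookkeeping.

```python
"""Measure per-source SIP attempt rates to help pick a rate-limit threshold."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed sample input: (unix_seconds, source_ip) for each new SIP
# request seen on UDP 5060. Public addresses are documentation ranges.
SAMPLE_EVENTS = (
    [(1000 + 30 * i, "192.0.2.10") for i in range(6)]      # phone re-registering
    + [(1005 + i, "198.51.100.7") for i in range(40)]      # flood: 40 in 40 s
    + [(1010 + 5 * i, "192.168.0.88") for i in range(8)]   # whitelisted host
)


def peak_per_window(events, window=60):
    """Return {source: max attempts seen in any `window`-second span}."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    peak = defaultdict(int)
    for ts, src in sorted(events):
        q = recent[src]
        q.append(ts)
        # Drop attempts that are `window` seconds old or older.
        while q[0] <= ts - window:
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return dict(peak)


def sources_over(events, limit=4, window=60, whitelist=()):
    """Sources whose peak exceeds `limit`, skipping whitelisted networks."""
    nets = [ip_network(w) for w in whitelist]
    flagged = {}
    for src, count in peak_per_window(events, window).items():
        if any(ip_address(src) in net for net in nets):
            continue   # same role as the SIPREG_WL chain: never rate-limited
        if count > limit:
            flagged[src] = count
    return flagged


if __name__ == "__main__":
    for src, count in sorted(peak_per_window(SAMPLE_EVENTS).items()):
        print(f"{src:15} peak {count} attempts / 60 s")
    print("over limit:", sources_over(SAMPLE_EVENTS, whitelist=["192.168.0.88/32"]))
```

Run against records from a normal day, the peak values for legitimate phones give a floor for the limit.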