[asterisk-users] Flood of REGISTERs - attack?
Fred Posner
fred at teamforrest.com
Mon Apr 12 15:57:02 CDT 2010
On Apr 12, 2010, at 4:50 PM, Chris Hastie wrote:
> I'm currently receiving over 200 SIP REGISTER requests per second from a
> machine apparently in Italy, host97-239-149-62.serverdedicati.aruba.it.
> This has continued for several days, and abuse at staff.aruba.it are
> unresponsive. I've had a couple of similar incidents recently, the
> others originating from uk2.net.
>
> ...snip...
> Has anyone else experienced this? Is this intended as a DOS attack, or
> is it a dictionary attack? Or something else? What is the best strategy
> for dealing with it?
>
> For now I have started rate limiting SIP connections to Asterisk, but
> what is a reasonable rate for each host to be allowed? This is a small
> SOHO installation.
>
> Thanks
>
> Chris
This is a pretty decent day for this. There's been discussion on the EC2 attack in progress (http://bit.ly/ec2sipattack) as well as decent suggestions around town. Some people like a fail2ban approach. Others are using iptables manually or contacting their upstream to block the traffic. And an interesting redirect solution was posted by Joshua Stein: http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/
---fred
http://qxork.com
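
Added example, not part of the original message and not Asterisk's or fail2ban's own code: one way to tell from the Asterisk log whether a burst of failed REGISTERs from a single source looks like a username scan, password guessing, or a plain repeat flood, which is the question raised in the quoted post. The log lines are constructed in the style of chan_sip's failed-registration NOTICE, the addresses are documentation ranges, and the thresholds, labels and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the failed-registration NOTICE that chan_sip writes to the Asterisk log.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ [\d:]{8})\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?:\"[^\"]*\" *)?<sip:(?P<user>[^@>]+)@[^>]*>' failed for "
    r"'(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$")

def sample_line(sec, user, ip, reason):
    """Build one constructed log line (documentation-range addresses only)."""
    return (f"[Apr 12 15:57:{sec:02d}] NOTICE[2012] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@203.0.113.5>' failed for '{ip}' - {reason}")

SAMPLE_LOG = "\n".join(
    [sample_line(i % 5, 100 + i, "192.0.2.10", "No matching peer found") for i in range(30)]
    + [sample_line(i % 5, 200, "198.51.100.7", "Wrong password") for i in range(30)]
    + [sample_line(i * 10, 300, "192.0.2.99", "Wrong password") for i in range(3)])

def classify(log_text, window=10, max_failures=20, many_users=5, year=2010):
    """Map each source IP with more than max_failures failed REGISTERs inside
    any window-second span to a label. Thresholds are illustrative assumptions."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # the log line carries no year, so one is assumed for parsing
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((ts, m["user"], m["reason"]))
    verdicts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span is under `window` seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() >= window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) > max_failures:
                users = {user for _, user, _ in burst}
                wrong_pw = sum(r == "Wrong password" for _, _, r in burst)
                if len(users) >= many_users:
                    verdicts[ip] = "username scan"      # many different extensions tried
                elif wrong_pw * 2 > len(burst):
                    verdicts[ip] = "password guessing"  # existing peer, bad secrets
                else:
                    verdicts[ip] = "repeat flood"       # same request over and over
                break
    return verdicts
```

Sources that stay under the threshold, such as the three spaced-out failures from 192.0.2.99 in the sample, are left out of the result.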