[asterisk-users] Being attacked by an Amazon EC2 ...
Norbert Zawodsky
norbert at zawodsky.at
Tue Apr 13 05:14:03 CDT 2010
On 13.04.2010 10:47, Gordon Henderson wrote:
> I'd strongly disagree with this. (And I was the OP of this thread and had
> my home/office network connection taken down due to it)
>
> But then, I'm an old worldy Unix sysadmin and the philosophy of having a
> program do one thing well is still etched into my core...
>
> http://en.wikipedia.org/wiki/Unix_philosophy
>
> So get asterisk to do what it does well, then get something else that does
> what you need to do just as well - built-in to Linux are the iptables
> firewall rules. Use them! They are very effective and do work. (And you
> have a choice!)
>
> The biggest issue I see is that people are installing Asterisk and other
> high-level applications on top of Linux (and other *nix'es) without the
> experience of "sysadmin" - then when something goes wrong they want the
> application to fix it rather than apply some basic and pretty fundamental
> sysadmin techniques to solve the issue.
>
> And that means that even having permit= and deny= in sip.conf and
> iax.conf, etc. is too much. With proper OS level firewalling they're
> simply not needed and do nothing more than add another potential point of
> failure and add yet more code to maintain.
>
> Gordon
>
>
I definitely do agree with Gordon!
"If you have to get your car over a river, try to find a bridge or ferry
instead of trying to teach the car to swim"
O.k., maybe this was a bit polemic. But in some way, it reminds me of
Linux. What I really love is the very high flexibility.
And I definitely can see Gordon's point, not adding functionality to
programs which somehow "doesn't belong there".
My thought is: It's very easy to write a program/script which connects
to any random IP:port address and sends packets there. Regardless if the
remote side is responding or not.
This way you can easily eat up the remote side's bandwidth and/or data
volume limit. And there's nothing the remote side can do against it
except pulling the plug.
If someone is sending millions of registers trying to find an entry into
a phone server, the problem is related to asterisk.
But as soon as a firewall can block that, (or even as long as asterisk's
security is strong enough to not let them in), the issue is NOT related
to asterisk any more. From that moment on it is reduced to a "bandwidth
eat-up problem" and "belongs" to the area of network administration.
This moves into the direction of an academic discussion titled "what can
I do if someone else eats up my bandwidth/data-volume-limit?"
My 2 cents..
BTW, the good news: had no attack here within the last 48 hours.
I implemented the iptables rules to drop packets from various address
ranges. But log them first. I'd like to see if the bot is continuing if
it doesn't get any responses or if it gives up. But no attack so far....
Norbert
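
The log-then-drop setup described in the message above, as an added example that is not part of the original post. The chain name, the address ranges (RFC 5737 documentation ranges), SIP on UDP port 5060 and the rate limit on the LOG rule are assumptions made for this sketch, not values from the thread.

```shell
#!/bin/sh
# Added example: log, then drop, SIP packets from listed source ranges.
# IPT can be overridden to point at a wrapper or a dry-run command.
IPT="${IPT:-iptables}"
CHAIN="SIPBLOCK"                       # hypothetical chain name
RANGES="192.0.2.0/24 198.51.100.0/24"  # constructed placeholder ranges

setup_sipblock() {
    # Dedicated chain: every packet sent here is logged (rate-limited),
    # then dropped without any reply to the sender.
    $IPT -N "$CHAIN" || return 1
    # Rate-limit the LOG rule so a flood cannot fill the disk with log
    # lines; the DROP rule below still counts every packet.
    $IPT -A "$CHAIN" -m limit --limit 6/min --limit-burst 10 \
         -j LOG --log-prefix "SIPBLOCK: " --log-level 4 || return 1
    $IPT -A "$CHAIN" -j DROP || return 1
    # Divert SIP (assumed UDP 5060) from each listed range into the chain.
    for net in $RANGES; do
        $IPT -I INPUT -s "$net" -p udp --dport 5060 -j "$CHAIN" || return 1
    done
}

show_counters() {
    # Exact packet/byte counters per rule: a DROP counter that keeps
    # rising means the sender continues although it gets no responses.
    $IPT -L "$CHAIN" -v -n -x
}

# Usage (as root): sh sipblock.sh apply   /   sh sipblock.sh counters
case "${1:-}" in
    apply)    setup_sipblock ;;
    counters) show_counters ;;
esac
```

Because the LOG rule is rate-limited, the kernel log only samples the traffic; the counters on the DROP rule are the reliable measure of whether the sender has given up.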