[asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny
Jian Gao
jian.gao at sjgeophysics.com
Mon Aug 30 18:30:14 CDT 2010
On 10-08-30 01:53 PM, J. Oquendo wrote:
> Gordon Henderson wrote:
>
>> On Mon, 30 Aug 2010, J. Oquendo wrote:
>>
>>
>>
>> I also posted a very effective iptables script some weeks ago if you care
>> to search the archives. It works and is extremely effective in blocking
>> these types of attacks - however, it will not stop a broken sipvicious
>> from continuing to send data to your server, and that's the issue I have
>> at present.
>>
>>
> Alright, so I'm slightly confused maybe I'm reading this wrong...
>
> Someone using an older version of sipvicious was blocked and the
> "blocking" of the traffic still carried a load?
>
> If so then you should have logged into your router and simply sinkholed
> him. There is nothing you can do against a flood whether or not it's
> sipvicious or any other program. It's the "golf ball through the water
> hose" effect.
>
> Did you try:
>
> 1) sinkholing from your router
> 2) Contacting your upstream to inform them of the DoS to see if they'd
> sinkhole it
> 3) Contact the UPSTREAM of the attacking host?
>
> +------------------------------------------+------------+------------+------------+-----------+---------------+----------+
> | hostid                                   | start_date | start_time | stop_date  | stop_time | attacker      | attempts |
> +------------------------------------------+------------+------------+------------+-----------+---------------+----------+
> | e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-25 | 07:54:02   | 2010-08-25 | 07:55:54  | 38.99.168.133 | 16022    |
> +------------------------------------------+------------+------------+------------+-----------+---------------+----------+
>
> 8K attempts in a minute. There were times last month I'd see upwards of
> 40-60k per minute WHILE I played around with some of these guys in a
> separate Asterisk based honeypot I created. So my confusion: "it will
> not stop a broken sipvicious from continuing to send data to your
> server" Even CURRENT versions of sipvicious won't stop sending data just
> because you firewalled them out.
>
> There is a pattern that many don't see unless you're constantly monitoring
> and watching what's going on with your logs/devices. What I see
> firsthand is, there are "bruteforcers" and there are the "toll
> fraudsters." Since this is a public list, I care not to discuss findings
> for obvious reasons however, for those interested in that information,
> feel free to send me a "non-free-mail" (meaning no Gmail, no Hotmail,
> etc) message. If I get around to seeing I should share this information,
> I'd gladly do so... Otherwise I won't disclose anything about honeypots,
> analysis, traffic patterns, etc. It's already surprising I posted
> attacker information on the forum. ;) I see all sorts of attackers,
> attack vectors, numbers dialed, etc., from many of these attackers.
> You'd be surprised how STUPID some are and how SMART others are.
>
> As for your comment though, it's confusing to me because if you blocked
> them and they're still overwhelming you, sounds like a) you need more
> bandwidth because you're on a slow connection (I'm on a DS3) or b)
> server is misconfigured. On Linux tc can be your friend.
>
>
>
Joshua Stein has a great article on this topic:
http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/
--
Jian Gao
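The per-attacker start/stop/attempts table quoted above is the kind of summary a fail2ban-style log scanner produces before it decides to block anything. The following script is an added example for this thread, not code from the list, from fail2ban or from Asterisk: it parses the chan_sip "Registration from ... failed for '<ip>'" NOTICE lines that Asterisk 1.4 logs on a failed REGISTER (the same lines fail2ban's stock asterisk filter keys on), builds that summary, applies fail2ban's maxretry-within-findtime rule, and shows the iptables DROP a ban action would run. The log lines are constructed for the example with RFC 5737 documentation addresses, the year is assumed (1.4 timestamps carry none), and the default maxretry/findtime values are the example's own, not a recommendation.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Asterisk 1.4 chan_sip NOTICE lines for failed
# REGISTER attempts (attackers are RFC 5737 documentation addresses).
# The last line is a non-matching line to show the parser ignores it.
SAMPLE_LOG = """\
[Aug 25 07:54:02] NOTICE[3105] chan_sip.c: Registration from '"100"<sip:100@203.0.113.7>' failed for '203.0.113.7' - No matching peer found
[Aug 25 07:54:02] NOTICE[3105] chan_sip.c: Registration from '"101"<sip:101@203.0.113.7>' failed for '203.0.113.7' - No matching peer found
[Aug 25 07:54:03] NOTICE[3105] chan_sip.c: Registration from '"102"<sip:102@203.0.113.7>' failed for '203.0.113.7' - No matching peer found
[Aug 25 07:54:03] NOTICE[3105] chan_sip.c: Registration from '"103"<sip:103@203.0.113.7>' failed for '203.0.113.7' - No matching peer found
[Aug 25 07:54:04] NOTICE[3105] chan_sip.c: Registration from '"104"<sip:104@203.0.113.7>' failed for '203.0.113.7' - Wrong password
[Aug 25 07:55:10] NOTICE[3105] chan_sip.c: Registration from '"200"<sip:200@198.51.100.23>' failed for '198.51.100.23' - Wrong password
[Aug 25 07:55:54] NOTICE[3105] chan_sip.c: Registration from '"105"<sip:105@203.0.113.7>' failed for '203.0.113.7' - No matching peer found
[Aug 25 07:56:01] VERBOSE[3105] logger.c: some unrelated verbose output
"""

# Timestamp, source address and failure reason of a failed REGISTER line.
LOG_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] "
    r"NOTICE\[\d+\] chan_sip\.c: Registration from '[^']*' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})' - (?P<reason>.+)$"
)

YEAR = 2010  # assumed: Asterisk 1.4 log timestamps carry no year


def parse_line(line):
    """Return (datetime, ip, reason) for a failed-REGISTER line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("reason")


def summarize(lines):
    """Per-attacker first/last timestamp and attempt count, i.e. the
    start/stop/attempts columns of the table quoted in the thread."""
    stats = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _ = parsed
        s = stats.setdefault(ip, {"start": ts, "stop": ts, "attempts": 0})
        s["start"] = min(s["start"], ts)
        s["stop"] = max(s["stop"], ts)
        s["attempts"] += 1
    return stats


def offenders(lines, maxretry=5, findtime=600):
    """fail2ban's rule: ban once maxretry failures fall inside a sliding
    window of findtime seconds. Returns {ip: (window_start, trigger_ts,
    failures_in_window)} for every address that crosses the threshold."""
    by_ip = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ts, ip, _ = parsed
            by_ip.setdefault(ip, []).append(ts)
    window = timedelta(seconds=findtime)
    hits = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= maxretry:
                hits[ip] = (stamps[start], ts, end - start + 1)
                break
    return hits


def drop_rule(ip, port=5060):
    """The iptables command a ban action would run. It stops Asterisk from
    seeing the packets; it does not stop them arriving on the link, which is
    why the thread moves on to upstream sinkholing and tc for real floods."""
    return f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, s in summarize(lines).items():
        print(f"{ip:15} {s['start']:%H:%M:%S} {s['stop']:%H:%M:%S} {s['attempts']:6}")
    for ip, (first, trigger, n) in offenders(lines).items():
        print(f"ban {ip}: {n} failures between {first:%H:%M:%S} and {trigger:%H:%M:%S}")
        print("  " + drop_rule(ip))
```

Run against the sample, 203.0.113.7 reaches five failures by 07:54:04 and is banned; 198.51.100.23 has a single failure and is left alone. The sliding window is what keeps a slow, patient scanner from staying below the bar simply because its attempts are spread out, and it also explains the "broken sipvicious" problem in the thread: once the rule is in, the log goes quiet, but the UDP still lands on the interface.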