[asterisk-users] being bombarded with SIP packets
Norbert Zawodsky
norbert at zawodsky.at
Thu Oct 28 05:41:24 CDT 2010
Am 28.10.2010 12:14, schrieb Per Jessen:
> Ishfaq Malik wrote:
>
>> On Thu, 2010-10-28 at 09:41 +0200, Per Jessen wrote:
>>> Over the last two weeks, we have had at least two "incidents" where
>>> our asterisk server got flooded (a hundred or more per second) by SIP
>>> packets. Once from 114.31.50.10, second time from 173.212.200.146.
>>> We became aware of the problem when bandwidth started suffering
>>> because asterisk got very busy sending back replies or rejects (dunno
>>> which, I didn't investigate it any further).
>>> The immediate issues were dealt with by having the firewall drop
>>> those packets, but I was wondering:
>>>
>>> 1) if anyone has seen the same problem, and
>>> 2) if you've got some iptables rules for limiting inbound SIP by
>>> rate? (or some such).
>>>
>>>
>>> thanks
>>> Per Jessen, Zürich
>> Was it legitimate requests or a brute force attack? If it was a brute
>> force attack have you considered using fail2ban?
> It appears to be brute force, but I haven't bothered to investigate any
> further. fail2ban is at best a kludge IMHO, and I don't like anything
> (automatically or otherwise) modifying my firewall. Like Norbert
> suggested, I'll check the archives to see what others have done.
>
>
> /Per Jessen, Zürich
>
Per,
(didn't want to be unfriendly to you !!!!!)
As you say, "you don't like anything to modify your firewall". My words !
Someone (don't remember who & when) on this list showed me a very clever
trick (=iptables rule) to drop the packets if too many of them arrive
within a given period of time. Works really great !!!!!
Do not exactly remember how it was done (and I don't have access to that
machine at the moment to have a look).
I remember something like
first using iptables module "string" to inspect the packet if it
contains the string "REGISTER sip:"
and then use an iptables "hash bucket" with a limit of x/second
If this limit is exceeded, send the packet to nirvana (= DROP, or if you
like LOG & DROP, or if you like LOG the 1st & DROP all .....)
Norbert
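The string-match plus hashlimit rule Norbert describes, written out as an added example (not from the thread or any poster). It assumes SIP on UDP 5060 and a limit of 10 REGISTERs per second per source IP with a burst of 20; both values, the chain name SIP_LIMIT and the LOG prefix are my own choices.

```shell
#!/bin/sh
# Added example: rate-limit SIP REGISTER floods with the iptables "string" and
# "hashlimit" matches. Assumed defaults (not from the thread): SIP on UDP 5060,
# at most 10 REGISTERs/second per source IP with a burst of 20; the excess is
# logged at most once a minute and then dropped.
SIP_PORT="${SIP_PORT:-5060}"
SIP_RATE="${SIP_RATE:-10/second}"
SIP_BURST="${SIP_BURST:-20}"

# Print the rules instead of applying them, so they can be reviewed first.
# Only packets whose payload contains "REGISTER sip:" enter SIP_LIMIT.
# Packets within the per-source limit RETURN to INPUT and are handled by the
# normal ruleset; anything above the limit is logged (rate-limited) and dropped.
sip_limit_rules() {
    cat <<EOF
iptables -N SIP_LIMIT
iptables -A INPUT -p udp --dport $SIP_PORT -m string --algo bm --string "REGISTER sip:" -j SIP_LIMIT
iptables -A SIP_LIMIT -m hashlimit --hashlimit-name sipreg --hashlimit-mode srcip --hashlimit-upto $SIP_RATE --hashlimit-burst $SIP_BURST -j RETURN
iptables -A SIP_LIMIT -m limit --limit 1/minute -j LOG --log-prefix "SIP REGISTER flood: "
iptables -A SIP_LIMIT -j DROP
EOF
}

# Number of rules the generator emits (quick sanity check before applying).
sip_limit_rule_count() {
    sip_limit_rules | wc -l | tr -d ' '
}

# Apply the rules for real (needs root); run sip_limit_rules first to review.
sip_limit_apply() {
    sip_limit_rules | sh -e
}

# Review mode by default: print the rules; pass "apply" to install them.
if [ "${1:-}" = "apply" ]; then
    sip_limit_apply
else
    sip_limit_rules
fi
```

Because the limit is keyed on source IP, many legitimate phones behind one NAT share a single bucket, so size the rate to your largest site; the string match also inspects every UDP 5060 payload, which costs CPU on busy trunks.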