[asterisk-users] Under heavy attack
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Sun Oct 31 03:40:58 CDT 2010
On Sat, Oct 30, 2010 at 07:33:23PM -0600, Joel Maslak wrote:
> The CPU usage is trivial to deny them. As is the bandwidth usage, if
> you are not sitting on a slowish broadband connection.
s/slow/asymmetric/
>
> Sure blocking doesn't hurt, but does the help it provides exceed the
> downsides (effort and risk of blocking legitimate users)? I suspect it doesn't...if you have strong passwords. If you have weak passwords, you should fix that.
>
> It also seems that the only way to make blocking effective is to
> block everything by default except known endpoints. Blocking the
> door knockers doesn't protect against a bad guy finding (not through
> brute force) valid credentials.
Unless you have people on the road.
Or unless you have people who want to actually use the peer-to-peer
nature of SIP and call your SIP address.
>
> For me, monitoring outbound call volume makes a lot more sense.
> I would love to see an easy to use, out of the box method to alert
> me if more than "x" number of erlangs* are exceeded within a five
> minute, sixty minute, and one day time period. For me, I would want
> alerting on more than 10 erlangs over five minutes, 8 over an hour,
> and 2 over a day. Exceeding these would likely indicate fraud for
> my installation. Smaller sites would use smaller numbers, larger
> ones would use bigger ones.
I suspect even munin would provide you such options. Not to mention any
more capable monitor.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
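
The windowed erlang alerting asked for in the quoted message, as an added example that is not part of the original post and is not Asterisk or munin code: it measures traffic intensity (call-seconds divided by window length) over the five-minute, one-hour and one-day windows with the 10/8/2 thresholds from the thread. The record layout (start time, duration in seconds), the function names and the sample calls are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Thresholds from the quoted message: (window, maximum erlangs).
THRESHOLDS = [
    (timedelta(minutes=5), 10.0),
    (timedelta(hours=1), 8.0),
    (timedelta(days=1), 2.0),
]

def erlangs(calls, window_end, window):
    """Traffic intensity over [window_end - window, window_end].

    calls: iterable of (start: datetime, duration_seconds: float).
    Only the part of each call that overlaps the window is counted, so a
    long call that began before the window still contributes.
    """
    window_start = window_end - window
    busy = 0.0
    for start, duration in calls:
        end = start + timedelta(seconds=duration)
        overlap = (min(end, window_end) - max(start, window_start)).total_seconds()
        if overlap > 0:
            busy += overlap
    return busy / window.total_seconds()

def check(calls, now, thresholds=THRESHOLDS):
    """Return [(window, measured, limit)] for every exceeded threshold."""
    alerts = []
    for window, limit in thresholds:
        measured = erlangs(calls, now, window)
        if measured > limit:
            alerts.append((window, measured, limit))
    return alerts

# Constructed sample data (not real CDRs): 12 outbound calls of 300 s each,
# all running during the five minutes before NOW, plus one earlier call.
NOW = datetime(2010, 10, 31, 3, 0, 0)
SAMPLE_CALLS = [(NOW - timedelta(minutes=5), 300)] * 12
SAMPLE_CALLS.append((NOW - timedelta(hours=2), 600))

if __name__ == "__main__":
    for window, measured, limit in check(SAMPLE_CALLS, NOW):
        print(f"ALERT: {measured:.2f} erlangs over {window} (limit {limit})")
```

A burst that trips the five-minute limit can stay well under the hourly and daily limits, which is why the message asks for all three windows.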