[asterisk-users] SIP registration DoS but no logs in messages
Paul Hayes
paul at provu.co.uk
Thu Mar 17 09:16:39 CDT 2011
On 17/03/11 05:37, Patrick wrote:
> Dear mailing list,
>
> I've a Asterisk 1.4.21.2~dfsg-3+lenny1 package installed on my debian
> and I've a strange behavior.
>
> After some days running normally, my asterisk is under heavy attack,
> however, there is nothing logged in the console (logging from debug ->
> error) or file (level from notice ->error)
> I can see that there is also a peak on the network traffic.
>
> My first guess is that I'm suffering from a SIP registration DoS, but,
> as there is nothing logged about a "not matching peer" or "incorrect
> password" logged to file, my fail2ban script is not blocking the
> attacker.
>
> I normally restarts Asterisk and logs are restarting to log attacks,
> but, today, it's not working
>
> FYI, I've checked and my loggers are not muted and the logging level
> is at least "notice". I've also reloaded my loggers but no effect.
>
> Do you already have experienced such situation ? Is there any known
> issue with logging module stopping while Asterisk is DoS'ed ?
>
> Best regards,
> Patrick
>
It's possible that fail2ban has already blocked the incoming
registration attempts but the attacker is still blindly sending packets
to you.
Often a sign the attacker is using an old version of sip-vicious, you
can often stop such things by using the "svcrash.py" script they now
provide.
Check your iptables logs.
cheers,
Paul.
More information about the asterisk-users
mailing list