[asterisk-users] Detecting DoS attacks via SIP

Richard Mudgett rmudgett at digium.com
Tue Aug 15 15:09:08 CDT 2017


On Tue, Aug 15, 2017 at 2:37 PM, mdiehl <mdiehlenator at gmail.com> wrote:

> Hi all,
>
> Lately, I've seen an increase in the number of attacks against my system
> from the so-called "Friendly Scanner."  When one of these script kiddies
> targets my server, all I see for symptoms is a few of my trunks become
> lagged due to server load and a stream of messages on the console that
> resemble this:
>
> [Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
> [Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
> [Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
> [Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
> [Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
> [Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
> [Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6
>
>
> I have to turn on sip debugging to find out who's hitting me.  However, I
> can't just leave it on because it would kill my logging system.
>
> So, how are other people handling this?  Is there an AMI event I want to
> watch for?  I watch for PeerStatus, but since there's no actual peer in the
> attack, I don't seem to get an event from AMI.
>
> Any ideas?
>

There is an AMI security class that you can use to monitor the AMI security
events.
See manager.conf.sample

Richard
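As an added example (not from Richard's reply or from the Asterisk project itself), the script below shows what monitoring that security class looks like in practice: it parses AMI security events, which Asterisk emits with a `RemoteAddress` field of the form `IPV4/UDP/<ip>/<port>`, and tallies failure-class events (e.g. `InvalidAccountID`, `InvalidPassword`, `ChallengeResponseFailed`, `FailedACL`) per source address so the scanner's IP is visible without turning on full SIP debugging. It assumes a manager.conf user that has `read = security` (the permission manager.conf.sample documents); the sample events, the `watcher` user name and the threshold are constructed for illustration.

```python
"""Tally Asterisk AMI security events per remote IP.

Added example, not code from the original thread. Assumes a manager.conf
entry such as (name and secret are placeholders):

    [watcher]
    secret = CHANGE_ME
    read = security
    write =
"""
import socket
from collections import Counter

# Security event names from Asterisk's security event framework. Only the
# ones that indicate a rejected or hostile request are counted; ChallengeSent
# and SuccessfulAuth are informational and are ignored.
FAILURE_EVENTS = {
    "FailedACL", "InvalidAccountID", "ChallengeResponseFailed",
    "InvalidPassword", "RequestBadFormat", "RequestNotAllowed",
    "AuthMethodNotAllowed", "UnexpectedAddress",
}

# Constructed sample of what the AMI stream looks like (addresses are
# documentation ranges, not real hosts).
SAMPLE = """\
Event: ChallengeSent
Privilege: security,all
Severity: Informational
Service: SIP
AccountID: 100
LocalAddress: IPV4/UDP/198.51.100.10/5060
RemoteAddress: IPV4/UDP/203.0.113.5/5080

Event: InvalidAccountID
Privilege: security,all
Severity: Error
Service: SIP
AccountID: 100
LocalAddress: IPV4/UDP/198.51.100.10/5060
RemoteAddress: IPV4/UDP/203.0.113.5/5080

Event: InvalidPassword
Privilege: security,all
Severity: Error
Service: SIP
AccountID: 1001
LocalAddress: IPV4/UDP/198.51.100.10/5060
RemoteAddress: IPV4/UDP/203.0.113.5/5080

Event: InvalidPassword
Privilege: security,all
Severity: Error
Service: SIP
AccountID: 1002
LocalAddress: IPV4/UDP/198.51.100.10/5060
RemoteAddress: IPV4/UDP/203.0.113.5/5080

Event: FailedACL
Privilege: security,all
Severity: Error
Service: SIP
AccountID: 2000
LocalAddress: IPV4/UDP/198.51.100.10/5060
RemoteAddress: IPV4/UDP/203.0.113.9/5060

Event: SuccessfulAuth
Privilege: security,all
Severity: Informational
Service: SIP
AccountID: 1001
LocalAddress: IPV4/UDP/198.51.100.10/5060
RemoteAddress: IPV4/UDP/198.51.100.22/5060
"""


def parse_ami_events(text):
    """Split raw AMI output into a list of {Key: value} dicts.

    AMI separates events with a blank line; each line is 'Key: value'.
    """
    events, current = [], {}
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def remote_ip(event):
    """Return the IP from a RemoteAddress like 'IPV4/UDP/203.0.113.5/5060'."""
    parts = event.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) >= 3 else None


def tally_failures(events):
    """Count failure-class security events per remote IP."""
    counts = Counter()
    for ev in events:
        ip = remote_ip(ev)
        if ev.get("Event") in FAILURE_EVENTS and ip:
            counts[ip] += 1
    return counts


def offenders(counts, threshold):
    """IPs with at least `threshold` failures, most active first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def watch_ami(host, user, secret, port=5038, on_event=print):
    """Stream live security events over a raw AMI socket (needs a running
    Asterisk, so it is not exercised offline)."""
    with socket.create_connection((host, port)) as s:
        s.recv(1024)  # banner line "Asterisk Call Manager/x.y"
        login = (f"Action: Login\r\nUsername: {user}\r\nSecret: {secret}\r\n"
                 "Events: on\r\n\r\n")
        s.sendall(login.encode())
        buf = b""
        while chunk := s.recv(4096):
            buf += chunk
            while b"\r\n\r\n" in buf:
                block, buf = buf.split(b"\r\n\r\n", 1)
                for ev in parse_ami_events(block.decode(errors="replace")):
                    if ev.get("Event") in FAILURE_EVENTS:
                        on_event(ev)


if __name__ == "__main__":
    counts = tally_failures(parse_ami_events(SAMPLE))
    for ip in offenders(counts, threshold=3):
        print(f"{ip}: {counts[ip]} failed SIP requests")
```

Run it as-is to see the tally over the constructed sample; point `watch_ami("127.0.0.1", "watcher", "CHANGE_ME")` at a live system to feed real events into the same tally, and feed the offending addresses to whatever blocking mechanism you already use (fail2ban or a firewall rule) once they cross your threshold.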