[asterisk-users] Detecting DoS attacks via SIP
Mark Boyce
mark at dark.org
Tue Aug 15 15:42:47 CDT 2017
Hi Mike
In this case, if it’s coming from friendly scanner why not drop the packets at the firewall layer so that Asterisk never sees them?
Mark
> On 15 Aug 2017, at 20:37, mdiehl <mdiehlenator at gmail.com> wrote:
>
> Hi all,
>
> Lately, I've seen an increase in the number of attacks against my system from the so-called "Friendly Scanner." When one of these script kiddies targets my server, all I see for symptoms is a few of my trunks become lagged due to server load and a stream of messages on the console that resemble this:
>
> [Aug 2 20:27:50] == Using SIP VIDEO CoS mark 6
> [Aug 2 20:27:50] == Using SIP RTP TOS bits 24
> [Aug 2 20:27:50] == Using SIP RTP CoS mark 5
> [Aug 2 20:32:47] == Using SIP VIDEO TOS bits 24
> [Aug 2 20:32:47] == Using SIP VIDEO CoS mark 6
> [Aug 2 20:32:47] == Using SIP RTP TOS bits 24
> [Aug 2 20:32:47] == Using SIP RTP CoS mark 5
> [Aug 2 20:34:26] == Using SIP VIDEO TOS bits 24
> [Aug 2 20:34:26] == Using SIP VIDEO CoS mark 6
>
>
> I have to turn on sip debugging to find out who's hitting me. However, I can't just leave it on because it would kill my logging system.
>
> So, how are other people handling this? Is there an AMI event I want to watch for? I watch for PeerStatus, but since there's no actual peer in the attack, I don't seem to get an event from AMI.
>
> Any ideas?
>
> Mike Diehl.
>
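Added example (not part of either poster's message): one way to see who is sending the scans without enabling SIP debugging is to read the User-Agent header from SIP datagrams captured on the SIP port, count hits per source, and turn repeat offenders into firewall drop rules of the kind Mark suggests. The sample datagrams, the documentation-range addresses, UDP port 5060, the `friendly-scanner` header value and the threshold are assumptions constructed for illustration.

```python
import re
from collections import Counter

SCANNER_AGENTS = ("friendly-scanner",)   # assumed User-Agent marker
SIP_PORT = 5060                          # assumed SIP listening port

def _sip(method, ua_header):
    """Build a constructed SIP request for the sample data below."""
    return (f"{method} sip:100@192.0.2.10 SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1\r\n"
            f"{ua_header}\r\nContent-Length: 0\r\n\r\n").encode()

# Constructed sample: (source IP, raw datagram) pairs, as a capture might yield.
SAMPLE = [
    ("198.51.100.7", _sip("OPTIONS", "User-Agent: friendly-scanner")),
    ("198.51.100.7", _sip("REGISTER", "user-agent:  Friendly-Scanner")),
    ("203.0.113.20", _sip("REGISTER", "User-Agent: ExamplePhone 1.0")),
    ("203.0.113.99", _sip("OPTIONS", "User-Agent: friendly-scanner")),
]

def user_agent(datagram):
    """Return the User-Agent value of a SIP message, or None if absent."""
    head = datagram.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    head = re.sub(r"\r\n[ \t]+", " ", head)       # unfold continuation lines
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":  # names are case-insensitive
            return value.strip()
    return None

def scanner_sources(packets, threshold=2):
    """Source IPs that sent at least `threshold` messages with a scanner UA."""
    hits = Counter()
    for src, datagram in packets:
        ua = user_agent(datagram)
        if ua and any(marker in ua.lower() for marker in SCANNER_AGENTS):
            hits[src] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def drop_rules(ips):
    """iptables commands that drop SIP traffic from each source."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {SIP_PORT} -j DROP"
            for ip in ips]

if __name__ == "__main__":
    for rule in drop_rules(scanner_sources(SAMPLE)):
        print(rule)
```

The User-Agent header is set by the sender, so this only identifies scans run with the tool's default header; the per-source count still helps against sources that change it if the match is widened to request rate.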