<p dir="ltr">Hi,</p>
<p dir="ltr"> Change the protocol from tcp to udp in iptables.<br></p>
<p dir="ltr">~Arun</p>
<div class="gmail_quote">On 27 Jun 2014 20:07, "Anurag Rana" <<a href="mailto:anuragrana31189@gmail.com">anuragrana31189@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)"><br clear="all"></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Hi All.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
<br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Someone is attacking on my SIP server.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
There are lot of requests coming in and I am not able to stop it because I am unable to detect the IP address. </div>
<div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">I used wireshark to capture the packets.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)"><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Although I am using very strong password for my SIP users but still is there any way to drop these packets and stop this attack.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
<br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">I tried dropping packet after matching some string (most of the packets from attacker contains string 'VaxSIPUserAgent/3.1' ) but it failed. Packets are still flowing in. </div>
<div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><pre style="font-size:medium"><font color="#0000ff">iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP</font></pre>
</div><div><br></div><div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Its something like this</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
<br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><font color="#0000ff">Registration from '"30" <sp:30@my_public_ip:5060> failed for '192.168.xxx.xxx:6373' - Wrong Password</font></div>
<br></div><div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">and there are approx 10 request per minute of this type.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
<br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Please suggest some way to stop this.</div><br></div><div><br></div>-- <br><div dir="ltr"><span style="background-color:rgb(255,255,255)"><font style="font-family:georgia,serif" face="garamond,serif"><font size="4"><font size="4"><font face="verdana,sans-serif"><font>Anurag Rana <br>
<font size="1"><span style="color:rgb(56,118,29)"><a href="http://newbie42.blogspot.in/" target="_blank">http://newbie42.blogspot.in/</a></span><br><span style="color:rgb(106,168,79)">On the trampoline of life's experiences, Striving towards a saintly life in the midst of these materialistic turbulences.</span></font><br>
</font><br></font></font></font></font></span><div><span style="background-color:rgb(255,255,255)"><font style="font-family:georgia,serif" face="garamond,serif"><br></font></span></div></div>
</div>
<br>--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
New to Asterisk? Join us for a live introductory webinar every Thurs:<br>
<a href="http://www.asterisk.org/hello" target="_blank">http://www.asterisk.org/hello</a><br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br></blockquote></div>