----- Original Message -----
> On Sun, 11 Apr 2010, David Quinton wrote:
>
> > On Sat, 10 Apr 2010 22:34:28 +0100 (BST), Gordon Henderson
> > <[email protected]> wrote:
> >
> >> Just a "heads-up" ... my home asterisk server is being flooded by
> >> someone from IP 184.73.17.150 which is an Amazon EC2 instance by
> >> the looks of it - they're trying to send SIP subscribes to one
> >> account - and they're flooding the requests in - it's averaging
> >> some 600Kbits/sec of incoming UDP data or about 200 a second )-:
> >>
> >> This is much worse than anything else I've seen.
> >
> > Same here but 184.73.17.122.
>
> Ah, so not just me then. Looks like someone is (ab)using EC2 to try to
> hack people's systems, and they're not doing it nicely. 200 SIP
> registrations a second was enough to have a big impact on my 500MHz
> system.
>
> > Look what they did to my latency, Gordon:-
> > http://f8lure.mouselike.org/archived_graphs/westek.bizorg.co.uk_day10.png
>
> Oddly enough my latency wasn't being affected at all - however what I
> was seeing was my ADSL router being crippled with 200 packets a second
> in & out - to the extent that something would go "bang" inside it and
> it would drop the PPPoA session and then re-start. This was an old
> Draytek 2600 - I replaced it with a new Draytek 2820 and it was then
> fine.
>
> > I've had bookmarks to Fail2Ban links on my desktop for a year now.
> > Guess I'll have to do something about it.
>
> Fail2ban needs python which I won't run on a PBX, however there are
> many iptables runes to help anyway without the need to trawl through
> log-files. However, I've blocked it in the draytek anyway.
>
> The issue for me (and I suspect others) is that while we can firewall
> it, the data is still coming down the wires and for those of us who
> pay per byte transferred (or have fixed monthly caps on their broadband
> services) it could end up costing money or getting you cut-off.
>
> > If, hypothetically, I'd put that IP into hosts.deny - would it have
> > stopped them?
>
> /etc/hosts.deny ? No. That would not have stopped it. Although I've
> just checked it might - if it's using tcp-wrappers and there is a post
> about it
>
> http://www.mail-archive.com/[email protected]/msg36772.html
>
> but I don't know if it's implemented yet.
>
> I emailed Amazon on their ec2-abuse address yesterday, but have not
> had a reply. My bet is that as long as they get the money, they don't
> care.
>
> My broadband ISP is slow to react to support emails of this nature and
> I'm not sure they would block it anyway. I know my upstream hosting
> ISP would block it at their borders immediately if I asked, but
> fortunately they've not attacked them - yet.
>
> It's still going on - and has been since 6am yesterday - that's now 26
> hours.
>
> Gordon

Gordon,

I had one a while ago hitting my system from EC2. Like yourself I did
report it, though it took about 24 hours for them to get back to me.
They asked for proof that the attack was from one of their IP spaces. I
sent the necessary information and the attack did stop. It would be
nice if they reacted a bit quicker; though I guess it depends on how
many people are reporting issues.
In the end I set up OSSEC (http://www.ossec.net) and wrote a rule that
would monitor for failed SIP registrations. If a few occurred within a
short space of time the Active Response kicks in and blocks the IP
address using IPTables.

--
Thanks,
Phil
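As an added example (my own code, not from the thread, from OSSEC or from Asterisk): the threshold-within-a-window detection Phil describes, run in Python over constructed chan_sip-style "Registration from ... failed" lines. The log format approximates Asterisk's chan_sip NOTICE message, and the threshold, window and iptables rule are assumed values; the rule is built as a command list but not executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the style of Asterisk chan_sip NOTICE lines (not a real capture).
SAMPLE_LOG = """\
[Apr 11 06:00:01] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@pbx.example.net>' failed for '192.0.2.150' - Wrong password
[Apr 11 06:00:01] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@pbx.example.net>' failed for '192.0.2.150' - Wrong password
[Apr 11 06:00:02] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@pbx.example.net>' failed for '192.0.2.150' - Wrong password
[Apr 11 06:00:02] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@pbx.example.net>' failed for '192.0.2.150' - Wrong password
[Apr 11 06:00:03] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@pbx.example.net>' failed for '192.0.2.150' - Wrong password
[Apr 11 06:00:10] NOTICE[2345] chan_sip.c: Registration from '"201" <sip:201@pbx.example.net>' failed for '198.51.100.7' - No matching peer found
[Apr 11 06:05:10] NOTICE[2345] chan_sip.c: Registration from '"201" <sip:201@pbx.example.net>' failed for '198.51.100.7' - Wrong password
"""

FAIL_RE = re.compile(r"^\[(\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
                     r"Registration from '.*?' failed for '([\d.]+)(?::\d+)?' - (.*)$")

def parse_failure(line):
    """Return (timestamp, source_ip, reason) for a failed-registration line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def find_offenders(lines, threshold=5, window_s=60):
    """Map source IP -> time of the failure that first crossed threshold inside window_s."""
    recent = defaultdict(deque)   # per-IP sliding window of failure timestamps
    tripped = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, ip, _reason = hit
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()               # drop failures that fell out of the window
        if len(q) >= threshold:
            tripped.setdefault(ip, ts)  # keep the first time the source crossed the line
    return tripped

def block_command(ip):
    """Assumed firewall drop an active response would run for a tripped source (built, not executed)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "udp", "--dport", "5060", "-j", "DROP"]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(when.strftime("%H:%M:%S"), " ".join(block_command(ip)))
```

The second source in the sample fails twice five minutes apart and is never blocked, which is the point of the window: a legitimate phone with a mistyped password should not trip the response.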
