--[ UxBoD ]-- <uxbod <at> splatnix.net> writes:

> > ----- Original Message -----
> > On Sun, 11 Apr 2010, David Quinton wrote:
> >
> > > On Sat, 10 Apr 2010 22:34:28 +0100 (BST), Gordon Henderson
> > > <gordon+asterisk <at> drogon.net> wrote:
> > >
> > >> Just a "heads-up" ... my home asterisk server is being flooded by
> > >> someone from IP 184.73.17.150 which is an Amazon EC2 instance by
> > >> the looks of it - they're trying to send SIP subscribes to one
> > >> account - and they're flooding the requests in - it's averaging
> > >> some 600Kbits/sec of incoming UDP data or about 200 a second )-:
> > >>
> > >> This is much worse than anything else I've seen.
> > >
> > > Same here but 184.73.17.122.
> >
> > Ah, so not just me then. Looks like someone is (ab)using EC2 to try to
> > hack people's systems, and they're not doing it nicely. 200 SIP
> > registrations a second was enough to have a big impact on my 500MHz
> > system.
> >
> > > Look what they did to my latency, Gordon:-
> > > http://f8lure.mouselike.org/archived_graphs/westek.bizorg.co.uk_day10.png
> >
> > Oddly enough my latency wasn't being affected at all - however what I
> > was seeing was my ADSL router being crippled with 200 packets a second
> > in & out - to the extent that something would go "bang" inside it and
> > it would drop the PPPoA session and then re-start. This was an old
> > Draytek 2600 - I replaced it with a new Draytek 2820 and it was then
> > fine.
> >
> > > I've had bookmarks to Fail2Ban links on my desktop for a year now.
> > > Guess I'll have to do something about it.
> >
> > Fail2ban needs python which I won't run on a PBX, however there are
> > many iptables runes to help anyway without the need to trawl through
> > log-files. However, I've blocked it in the draytek anyway.
> >
> > The issue for me (and I suspect others) is that while we can firewall
> > it, the data is still coming down the wires and for those of us who
> > pay per byte transferred (or have fixed monthly caps on their broadband
> > services) it could end up costing money or getting you cut-off.
> >
> > > If, hypothetically, I'd put that IP into hosts.deny - would it have
> > > stopped them?
> >
> > /etc/hosts.deny ? No. That would not have stopped it. Although I've
> > just checked it might - if it's using tcp-wrappers and there is a post
> > about it
> >
> > http://www.mail-archive.com/asterisk-dev <at> lists.digium.com/msg36772.html
> >
> > but I don't know if it's implemented yet.
> >
> > I emailed Amazon on their ec2-abuse address yesterday, but have not
> > had a reply. My bet is that as long as they get the money, they don't
> > care.
> >
> > My broadband ISP is slow to react to support emails of this nature and
> > I'm not sure they would block it anyway. I know my upstream hosting
> > ISP would block it at their borders immediately if I asked, but
> > fortunately they've not attacked them - yet.
> >
> > It's still going on - and has been since 6am yesterday - that's now 26
> > hours.
> >
> > Gordon
>
> Gordon, I had one a while ago hitting my system from EC2. Like yourself
> I did report it though it took about 24 hours for them to get back to me.
> They asked for proof that the attack was from one of their IP spaces. I
> sent the necessary information and the attack did stop. It would be nice
> if they reacted a bit quicker; though I guess it depends on how many
> people are reporting issues.
>
> In the end I set up OSSEC (http://www.ossec.net) and wrote a rule that
> would monitor for failed SIP registrations. If a few occurred within a
> short space of time the Active Response kicks in and blocks the IP
> address using IPTables.

Same this end from 184.73.17.150. Use this little piece of iptables magic
to block the whole of Amazon's EC2 ip-range.

# NB: -F with no chain name flushes every existing rule in the filter table first
iptables -F
iptables -A INPUT -m iprange --src-range 216.182.224.0-216.182.239.255 -j DROP
iptables -A INPUT -m iprange --src-range 72.44.32.0-72.44.63.255 -j DROP
iptables -A INPUT -m iprange --src-range 67.202.0.0-67.202.63.255 -j DROP
iptables -A INPUT -m iprange --src-range 75.101.128.0-75.101.255.255 -j DROP
iptables -A INPUT -m iprange --src-range 174.129.0.0-174.129.255.255 -j DROP
iptables -A INPUT -m iprange --src-range 204.236.192.0-204.236.255.255 -j DROP
iptables -A INPUT -m iprange --src-range 184.73.0.0-184.73.255.255 -j DROP
iptables -A INPUT -m iprange --src-range 216.236.128.0-216.236.191.255 -j DROP
iptables -A INPUT -m iprange --src-range 184.72.0.0-184.72.63.255 -j DROP
iptables -A INPUT -m iprange --src-range 79.125.0.0-79.125.127.255 -j DROP
# persist the rule set across reboots (RHEL/CentOS init script)
service iptables save

This sorts it out in the short-term until Amazon realise their service is
being utilised by arseholes.

asterisk-users mailing list
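The OSSEC approach UxBoD describes (count failed SIP registrations per source, block the source once a few arrive within a short window) can be shown as a standalone script. The following is an added illustration, not code from the thread, not OSSEC rule syntax, and not Asterisk's own tooling. It assumes the chan_sip NOTICE line format of Asterisk 1.6-era releases, a caller-supplied year (Asterisk's default log timestamp has none), and a hypothetical dedicated chain named SIPBLOCK; the sample log lines are constructed, with the source addresses from the thread and RFC 5737 documentation ranges.

```python
"""Sliding-window detector for failed SIP registrations in an Asterisk log.

Added example for the thread above; it mirrors the OSSEC rule + Active
Response idea as a plain script. Log format is an assumption (Asterisk
1.6-era chan_sip NOTICE); sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a flood from 184.73.17.150, two honest mistypes from
# 192.0.2.10, and a slow trickle from 203.0.113.5 that must NOT trip the rule.
SAMPLE_LOG = """\
[Apr 11 06:00:01] NOTICE[2541] chan_sip.c: Registration from '"100"<sip:100@198.51.100.7>' failed for '184.73.17.150' - Wrong password
[Apr 11 06:00:01] NOTICE[2541] chan_sip.c: Registration from '"100"<sip:100@198.51.100.7>' failed for '184.73.17.150' - Wrong password
[Apr 11 06:00:02] NOTICE[2541] chan_sip.c: Registration from '"100"<sip:100@198.51.100.7>' failed for '184.73.17.150' - Wrong password
[Apr 11 06:00:02] NOTICE[2541] chan_sip.c: Registration from '"100"<sip:100@198.51.100.7>' failed for '184.73.17.150' - Wrong password
[Apr 11 06:00:03] NOTICE[2541] chan_sip.c: Registration from '"100"<sip:100@198.51.100.7>' failed for '184.73.17.150' - Wrong password
[Apr 11 06:00:03] NOTICE[2541] chan_sip.c: Registration from '"100"<sip:100@198.51.100.7>' failed for '184.73.17.150' - Wrong password
[Apr 11 06:05:12] NOTICE[2541] chan_sip.c: Registration from '"201"<sip:201@198.51.100.7>' failed for '192.0.2.10:5060' - Wrong password
[Apr 11 06:05:40] NOTICE[2541] chan_sip.c: Registration from '"201"<sip:201@198.51.100.7>' failed for '192.0.2.10:5060' - Wrong password
[Apr 11 06:07:00] NOTICE[2541] chan_sip.c: Registration from '"admin"<sip:admin@198.51.100.7>' failed for '203.0.113.5' - No matching peer found
[Apr 11 06:08:00] NOTICE[2541] chan_sip.c: Registration from '"admin"<sip:admin@198.51.100.7>' failed for '203.0.113.5' - No matching peer found
[Apr 11 06:09:00] NOTICE[2541] chan_sip.c: Registration from '"admin"<sip:admin@198.51.100.7>' failed for '203.0.113.5' - No matching peer found
[Apr 11 06:10:00] NOTICE[2541] chan_sip.c: Registration from '"admin"<sip:admin@198.51.100.7>' failed for '203.0.113.5' - No matching peer found
[Apr 11 06:11:00] NOTICE[2541] chan_sip.c: Registration from '"admin"<sip:admin@198.51.100.7>' failed for '203.0.113.5' - No matching peer found
[Apr 11 06:12:00] VERBOSE[2541] logger.c: Asterisk Event Logger restarted
"""

# Assumed line shape: "[Mon DD HH:MM:SS] NOTICE[pid] chan_sip.c: Registration
# from '<caller>' failed for '<ip>[:port]' - <reason>".
FAILED_REG = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '[^']*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.*)$"
)


def parse_failures(lines, year=2010):
    """Yield (timestamp, source_ip, reason) for each failed-registration line.

    The year is supplied by the caller because the timestamp lacks one
    (assumption: the log slice does not cross a year boundary).
    """
    for line in lines:
        m = FAILED_REG.match(line)
        if m is None:
            continue  # verbose chatter, other modules, blank lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["reason"]


def find_offenders(lines, threshold=5, window_seconds=60):
    """Return {ip: time_threshold_was_reached} for sources with at least
    `threshold` failures inside any `window_seconds` span.

    Lines are assumed chronological. Each source keeps a deque of recent
    failure times; anything older than the window is dropped before the
    count is checked, so a slow trickle never accumulates.
    """
    recent = defaultdict(deque)
    offenders = {}
    for ts, ip, _reason in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts  # first moment the policy was violated
    return offenders


def block_commands(offenders, chain="SIPBLOCK"):
    """Render one DROP rule per offending source into a dedicated chain
    (hypothetical chain name) so the main INPUT chain is never flushed."""
    return [f"iptables -A {chain} -s {ip} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines())
    for ip, when in sorted(hits.items()):
        print(f"# {ip}: threshold reached at {when:%b %d %H:%M:%S}")
    print("\n".join(block_commands(hits)))
```

Run against the constructed sample, only 184.73.17.150 is reported, at 06:00:03 (its fifth failure); the two mistypes from 192.0.2.10 and the one-per-minute trickle from 203.0.113.5 stay below the policy. The dedicated chain is the design point: create it once (`iptables -N SIPBLOCK; iptables -I INPUT -j SIPBLOCK`) and append per-source DROPs to it, which avoids the `iptables -F` in the post above wiping whatever other rules the box depends on.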
