On Apr 12, 2010, at 4:50 PM, Chris Hastie wrote:
> I'm currently receiving over 200 SIP REGISTER requests per second from a
> machine apparently in Italy, host97-239-149-62.serverdedicati.aruba.it.
> This has continued for several days, and [email protected] are
> unresponsive. I've had a couple of similar incidents recently, the
> others originating from uk2.net.
>
> ...snip...
> Has anyone else experienced this? Is this intended as a DOS attack, or
> is it a dictionary attack? Or something else? What is the best strategy
> for dealing with it?
>
> For now I have started rate limiting SIP connections to Asterisk, but
> what is a reasonable rate for each host to be allowed? This is a small
> SOHO installation.
>
> Thanks
>
> Chris

This is a pretty decent day for this. There's been discussion on the EC2 attack in progress (http://bit.ly/ec2sipattack) as well as decent suggestions around town. Some people like a fail2ban approach. Others are using IP Tables manually or contacting their upstream to block the traffic.

And an interesting redirect solution was posted by Joshua Stein:
http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/

---fred
http://qxork.com
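
Added example, not part of the original thread: a per-source sliding-window counter for SIP REGISTER requests, in the spirit of the rate-limiting and fail2ban approaches mentioned above, run over constructed records. The record format, the 10-second window, the limit of 20 REGISTERs per window and all addresses and names are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 10.0      # sliding window length in seconds (assumed)
MAX_REGISTERS = 20   # REGISTERs allowed per source per window (assumed SOHO budget)

def parse_register(line):
    """Parse a constructed record 'epoch_seconds src_ip REGISTER sip:user@domain'.
    Returns (ts, src, user), or None for non-REGISTER or malformed lines."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "REGISTER" or not parts[3].startswith("sip:"):
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    user = parts[3][4:].split("@", 1)[0]
    return ts, parts[1], user

def find_flooders(lines, window=WINDOW_S, limit=MAX_REGISTERS):
    """Return {src: {"peak": n, "users": k}} for every source that sent more
    than `limit` REGISTERs inside any `window`-second span (time-ordered input)."""
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    peak = defaultdict(int)      # src -> highest count seen in one window
    users = defaultdict(set)     # src -> distinct user parts it tried to register
    for line in lines:
        rec = parse_register(line)
        if rec is None:
            continue
        ts, src, user = rec
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()          # drop requests that fell out of the window
        peak[src] = max(peak[src], len(q))
        users[src].add(user)
    return {s: {"peak": peak[s], "users": len(users[s])}
            for s in peak if peak[s] > limit}

def sample_lines():
    """Constructed input: one source at 200 REGISTER/s for 2 s, one normal phone."""
    flood = [f"{1000 + i / 200:.3f} 192.0.2.10 REGISTER sip:{100 + i % 50}@pbx.example"
             for i in range(400)]
    phone = [f"{1000 + 60 * i:.3f} 198.51.100.7 REGISTER sip:201@pbx.example"
             for i in range(3)]
    return sorted(flood + phone, key=lambda l: float(l.split()[0]))

if __name__ == "__main__":
    for src, info in find_flooders(sample_lines()).items():
        print(src, info)
```

The "users" count is reported only as context for the flagged source: many distinct user parts from one address point towards guessing of extensions, a single repeated one towards a plain flood.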
