-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Fred Posner
Sent: 12 April 2010 21:57
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Flood of REGISTERs - attack?

On Apr 12, 2010, at 4:50 PM, Chris Hastie wrote:

> I'm currently receiving over 200 SIP REGISTER requests per second from
> a machine apparently in Italy, host97-239-149-62.serverdedicati.aruba.it.
> This has continued for several days, and [email protected] are
> unresponsive. I've had a couple of similar incidents recently, the
> others originating from uk2.net.
>
> ...snip...
> Has anyone else experienced this? Is this intended as a DOS attack, or
> is it a dictionary attack? Or something else? What is the best
> strategy for dealing with it?
>
> For now I have started rate limiting SIP connections to Asterisk, but
> what is a reasonable rate for each host to be allowed? This is a small
> SOHO installation.
>
> Thanks
>
> Chris

This is a pretty decent day for this. There's been discussion on the EC2 attack in progress (http://bit.ly/ec2sipattack) as well as decent suggestions around town.

Some people like a fail2ban approach. Others are using IP Tables manually or contacting their upstream to block the traffic.

And an interesting redirect solution was posted by Joshua Stein:

http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/

---fred
http://qxork.com

-----------------

Yep - this is the same codebase - the attack that I had from an EC2 yesterday and the day before, all had the "User-Agent: friendly-scanner" too. Looks like they are branching out....

Go with Joshua Stein's blog post - it worked perfect for me and got it off my back.

Cheers,
Tom

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk?
Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
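
Added example, not part of the thread or of any poster's code: a Python detector for the traffic described above, flagging a source by its REGISTER rate in a sliding window and by the "friendly-scanner" User-Agent that Tom reports. The window, the limit, the addresses, the domain and the sample messages are constructed assumptions.

```python
from collections import defaultdict, deque
# Assumed thresholds, not from the thread: a phone normally sends two REGISTERs
# per registration (challenge, then credentials), so >5 in 10 s is treated as abuse.
WINDOW_SECONDS, MAX_REGISTERS = 10.0, 5
SCANNER_UA = "friendly-scanner"  # User-Agent reported in the thread

def parse_sip(raw):
    """Return (method, user_agent) for a SIP request, ('', '') otherwise."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        return "", ""  # a response or garbage, not a request line
    ua = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":  # header names are case-insensitive
            ua = value.strip()
    return parts[0], ua

def find_flooders(events, window=WINDOW_SECONDS, limit=MAX_REGISTERS):
    """events: time-ordered (timestamp, src_ip, raw_message). Returns {src_ip: reasons}."""
    recent = defaultdict(deque)  # src_ip -> REGISTER timestamps inside the window
    flagged = defaultdict(set)
    for ts, src, raw in events:
        method, ua = parse_sip(raw)
        if method != "REGISTER":
            continue
        if SCANNER_UA in ua.lower():
            flagged[src].add("scanner-user-agent")
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit:
            flagged[src].add("register-rate")
    return dict(flagged)

def make_register(ua):  # constructed request; the domain is a placeholder
    return ("REGISTER sip:pbx.example.invalid SIP/2.0\r\n"
            f"User-Agent: {ua}\r\nContent-Length: 0\r\n\r\n")

def sample_events():
    """Constructed traffic: a 200/s flood for 2 s plus one normal phone."""
    flood = [(i / 200.0, "192.0.2.10", make_register(SCANNER_UA)) for i in range(400)]
    phone = [(t, "198.51.100.7", make_register("ExamplePhone/1.0")) for t in (0.5, 1.5)]
    return sorted(flood + phone, key=lambda e: e[0])

if __name__ == "__main__":
    print(find_flooders(sample_events()))
```

The flagged addresses are the ones the fail2ban or IP Tables approaches mentioned in the thread would then block.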
