> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Fred Posner
> Sent: 12 April 2010 21:57
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] Flood of REGISTERs - attack?
>
> On Apr 12, 2010, at 4:50 PM, Chris Hastie wrote:
>
>> I'm currently receiving over 200 SIP REGISTER requests per second from
>> a machine apparently in Italy, host97-239-149-62.serverdedicati.aruba.it.
>> This has continued for several days, and [email protected] are
>> unresponsive. I've had a couple of similar incidents recently, the
>> others originating from uk2.net.
>>
>> ...snip...
>> Has anyone else experienced this? Is this intended as a DOS attack, or
>> is it a dictionary attack? Or something else? What is the best
>> strategy for dealing with it?
>>
>> For now I have started rate limiting SIP connections to Asterisk, but
>> what is a reasonable rate for each host to be allowed? This is a small
>> SOHO installation.
>>
>> Thanks
>>
>> Chris
>
> This is a pretty decent day for this. There's been discussion on the EC2
> attack in progress (http://bit.ly/ec2sipattack) as well as decent
> suggestions around town. Some people like a fail2ban approach. Others
> are using IP Tables manually or contacting their upstream to block the
> traffic. And an interesting redirect solution was posted by Joshua Stein:
> http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/
>
> ---fred
> http://qxork.com
>
> -----------------
>
> Yep - this is the same codebase - the attack that I had from an EC2
> yesterday and the day before, all had the
> "User-Agent: friendly-scanner" too.
>
> Looks like they are branching out....

SIP bots first became self-aware at 2:14 am Eastern Time on April 10th, 2010. Soon they realized the key to world domination was Asterisk servers. In the ensuing panic, the forum came up with a defense script... but it wasn't enough. The SIP bots were already learning at a geometric rate.

Sorry couldn't help it :-)

-Jeff
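
Added example, not part of the thread or of Asterisk: a small triage script for the question raised above (flood or dictionary attack?), which summarises REGISTER traffic per source by peak rate, number of distinct accounts tried, and User-Agent. The thresholds, the verdict names, the helper `make_register` and the sample traffic are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

RATE_LIMIT = 5     # assumed: REGISTERs per second per host tolerated on a small site
USER_SPREAD = 10   # assumed: distinct accounts from one host that suggests guessing

def parse_register(raw):
    """Return (user, user_agent) for a SIP REGISTER, or None for any other message."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    if not re.match(r"REGISTER\s+sips?:\S+\s+SIP/2\.0$", head[0].strip()):
        return None
    hdrs = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            hdrs[name.strip().lower()] = value.strip()
    to = hdrs.get("to") or hdrs.get("t", "")   # "t" is the compact form of To
    m = re.search(r"sips?:([^@;>\s]+)@", to)
    return (m.group(1) if m else ""), hdrs.get("user-agent", "")

def summarize(packets):
    """packets: iterable of (epoch_seconds, src_ip, raw_message)."""
    per_sec, users, agents = defaultdict(Counter), defaultdict(set), defaultdict(set)
    for ts, src, raw in packets:
        parsed = parse_register(raw)
        if parsed is None:
            continue
        per_sec[src][int(ts)] += 1          # one bucket per wall-clock second
        users[src].add(parsed[0])
        agents[src].add(parsed[1])
    report = {}
    for src, buckets in per_sec.items():
        peak = max(buckets.values())
        if peak <= RATE_LIMIT:
            verdict = "normal"
        elif len(users[src]) >= USER_SPREAD:
            verdict = "account guessing"    # many accounts tried from one host
        else:
            verdict = "flood"               # high rate against one or few accounts
        report[src] = {"peak_per_sec": peak, "users": len(users[src]),
                       "agents": sorted(agents[src]), "verdict": verdict}
    return report

def make_register(user, agent):   # constructed sample message, not captured traffic
    return (f"REGISTER sip:pbx.example.net SIP/2.0\r\n"
            f"To: <sip:{user}@pbx.example.net>\r\nUser-Agent: {agent}\r\n\r\n")

# Constructed input: 200 REGISTERs in one second from one host, plus a normal phone.
SAMPLE = [(1000 + i / 200, "192.0.2.10", make_register(100 + i, "friendly-scanner")) for i in range(200)]
SAMPLE += [(1000 + 60 * i, "198.51.100.7", make_register(201, "ExamplePhone/1.0")) for i in range(3)]
```

The per-source peak rate it reports for legitimate phones gives a baseline from which to pick a rate limit, and the User-Agent list shows whether a noisy source announces itself as "friendly-scanner".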
