On Mon, 30 Aug 2010, J. Oquendo wrote:

> Gordon Henderson wrote:
>> On Mon, 30 Aug 2010, J. Oquendo wrote:
>>
>> I also posted a very effective iptables script some weeks ago if you care
>> to search the archives. It works and is extremely effective in blocking
>> these types of attacks - however, it will not stop a broken sipvicious
>> from continuing to send data to your server, and that's the issue I have
>> at present.
>
> Alright, so I'm slightly confused maybe I'm reading this wrong...
>
> Someone using an older version of sipvicious was blocked and the
> "blocking" of the traffic still carried a load?
Yes. It's UDP, they just keep on sending.

> If so then you should have logged into your router and simply sinkholed
> him. There is nothing you can do against a flood whether or not it's
> sipvicious or any other program. It's the "golf ball through the water
> hose" effect.
>
> Did you try:
>
> 1) sinkholing from your router

Yes. Works fine until they can send faster than the router/incoming line can
handle the load. With a good VPS host you can trivially max out a typical UK
ADSL line.

> 2) Contacting your upstream to inform them of the DoS to see if they'd
> sinkhole it

Yes. My (ADSL) upstream will not block inbound floods like this. They have a
financial incentive not to - they get paid for the data they allow into their
network and through to you.

I only know of one UK broadband ISP that will actively block inbound traffic
for you and they're technically superb, but that comes with a price which is
more than your average small business is willing to pay. None of the others I
know and have used will block an inbound flood of anything for you.

My main hosting upstream will only block such attacks when it has a
detrimental effect on their network (and then they're very good at it) - last
time my hosted servers got hit, they soaked up just over 30GB from a single
VPS site in France in a 12-hour period.

> 3) Contact the UPSTREAM of the attacking host?

Yes. No reply. And in the few times I've tried, I've only ever had a reply
from Amazon - some 18 hours after the flood started and then it took another
12 hours for them to stop it (well documented here in the archives by myself
and others).

The reality is that most bulk VPS providers just don't care, or you've got to
go through layers of their own (semi-automated) protocol to get anywhere (cf.
Amazon).

Basically if you have to pay for inbound traffic in any shape or form (monthly
cap, daily limit, etc.) then you're fucked when this happens. That's why the
author of Sipvicious added svcrash.py to his set of scripts.
Gordon

-- 
asterisk-users mailing list
