Re: [asterisk-users] Flood of REGISTERs - attack?

2010-04-13 Thread Chris Hastie
On 13/04/10 00:27, Tom Stordy-Allison wrote:

 Yep - this is the same codebase - the attack that I had from an EC2 yesterday 
 and the day before, all had the User-Agent: friendly-scanner too.
 
 Looks like they are branching out
 
 Go with Joshua Stein's blog post - it worked perfectly for me and got it off my 
 back.
 

Unfortunately, it hasn't worked here.

Took me ages to figure out why

iptables -t nat -A PREROUTING -i ppp0 -s 62.149.239.97 -p udp --dport 5060 \
  -j REDIRECT --to-port 5071

didn't redirect the traffic. Turns out (I think) that only new
connections are sent to the nat table, and this one's been established
for several days now. If anyone can shed light on how to reset the
connection tracking I'd be interested, but only academically now.

Instead I just stopped asterisk and ran Joshua Stein's script on 5060.
But it didn't do the trick. The bot showed no sign whatsoever of letting up.

My other line of defence is the following rate limiting in iptables. Is
this likely to interfere with actual day to day operations of Asterisk,
given a small and not very busy installation? Basically it will drop
packets if it has seen more than 20 in the last 30 seconds, or more than
10 in the last 2 seconds from the same host.

# rate limit external SIP connections to Asterisk
# (log prefixes quoted so the shell does not interpret the parentheses)
iptables -A INPUT -i ppp0 -p udp --dport 5060 -m recent --name SIP \
  --rcheck --seconds 30 --hitcount 20 -m limit --limit 1/sec --limit-burst 3 \
  -j LOG --log-prefix "Dropped (sip rate lim 1): "
iptables -A INPUT -i ppp0 -p udp --dport 5060 -m recent --name SIP \
  --update --seconds 30 --hitcount 20 -j DROP
iptables -A INPUT -i ppp0 -p udp --dport 5060 -m recent --name SIP \
  --rcheck --seconds 2 --hitcount 10 -m limit --limit 1/sec --limit-burst 3 \
  -j LOG --log-prefix "Dropped (sip rate lim 2): "
iptables -A INPUT -i ppp0 -p udp --dport 5060 -m recent --name SIP \
  --update --seconds 2 --hitcount 10 -j DROP
iptables -A INPUT -i ppp0 -p udp --dport 5060 -m recent --name SIP --set



-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


[asterisk-users] Flood of REGISTERs - attack?

2010-04-12 Thread Chris Hastie
I'm currently receiving over 200 SIP REGISTER requests per second from a
machine apparently in Italy, host97-239-149-62.serverdedicati.aruba.it.
This has continued for several days, and ab...@staff.aruba.it are
unresponsive. I've had a couple of similar incidents recently, the
others originating from uk2.net.

I have an ADSL connection and responding to these REGISTERS was
consuming all my outbound bandwidth. I am now dropping the packets but
still some 600kbps of inbound bandwidth is consumed by this. The packets
look something like this:

REGISTER sip:62.3.200.113 SIP/2.0
Via: SIP/2.0/UDP 62.149.239.97:5086;branch=z9hG4bK-2570753370;rport
Content-Length: 0
From: test sip:t...@62.3.200.113
Accept: application/sdp
User-Agent: friendly-scanner
To: test sip:t...@62.3.200.113
Contact: sip:1...@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 3778139552
Max-Forwards: 70

I'm guessing the 'friendly-scanner' bit is sarcastic, as there is little
that is friendly about this behaviour.

Has anyone else experienced this? Is this intended as a DOS attack, or
is it a dictionary attack? Or something else? What is the best strategy
for dealing with it?

For now I have started rate limiting SIP connections to Asterisk, but
what is a reasonable rate for each host to be allowed? This is a small
SOHO installation.

Thanks

Chris
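To answer the "reasonable rate per host" question from this message and the "will it interfere with day-to-day operation" question from Chris's follow-up, here is an added Python model (not from the thread) of the iptables recent match that walks the posted INPUT rules against two constructed timelines: the 200 REGISTERs/s flood described above and a SOHO phone's normal traffic. It assumes the xt_recent default of 20 stored timestamps per source (ip_pkt_list_tot) and leaves out the two LOG rules, whose --rcheck changes no state and so never alters the verdict.

```python
from collections import defaultdict, deque

PKT_LIST_TOT = 20  # xt_recent default ip_pkt_list_tot: stamps kept per source (hitcount cap)

class RecentTable:
    """Model of one iptables 'recent' list (xt_recent); an assumption, not kernel code."""
    def __init__(self):
        self.stamps = defaultdict(deque)  # src -> timestamps, newest first

    def _hits(self, src, now, seconds):
        return sum(1 for t in self.stamps[src] if now - t <= seconds)

    def set(self, src, now):
        """--set: stamp the source, keeping only the newest PKT_LIST_TOT stamps."""
        d = self.stamps[src]
        d.appendleft(now)
        while len(d) > PKT_LIST_TOT:
            d.pop()

    def check(self, src, now, seconds, hitcount, update):
        """--rcheck (update=False) or --update (update=True): match when at least
        hitcount stamps lie in the window; --update re-stamps only on a match."""
        if src not in self.stamps:
            return False
        matched = self._hits(src, now, seconds) >= hitcount
        if matched and update:
            self.set(src, now)
        return matched

def sip_chain(table, src, now):
    """Verdict of the posted INPUT rules for one UDP/5060 packet; the two LOG rules
    use --rcheck, which changes no state, so they are left out."""
    if table.check(src, now, 30, 20, update=True):  # --update --seconds 30 --hitcount 20 -j DROP
        return "DROP"
    if table.check(src, now, 2, 10, update=True):   # --update --seconds 2 --hitcount 10 -j DROP
        return "DROP"
    table.set(src, now)                             # --set: only surviving packets get stamped
    return "ACCEPT"

def run(arrivals, src="peer"):
    """Replay a constructed arrival timeline (seconds) from one source -> (accepted, dropped)."""
    table = RecentTable()
    verdicts = [sip_chain(table, src, t) for t in sorted(arrivals)]
    return verdicts.count("ACCEPT"), verdicts.count("DROP")

# Constructed timelines: the scanner at 200 REGISTERs/s for 10 s, and a SOHO phone
# re-REGISTERing every 60 s for an hour plus one call (INVITE, ACK, BYE, retransmit).
SCANNER = [i / 200 for i in range(2000)]   # run(SCANNER) -> (10, 1990)
PHONE = [60.0 * i for i in range(60)] + [1800.1, 1800.3, 1800.6, 1815.0]  # run(PHONE) -> (64, 0)
```

The flood is cut off after its first ten packets and stays cut off while it keeps arriving, while the phone never comes near either threshold; the one caveat is that the match is per source address, so several phones behind one NAT share a single counter.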



Re: [asterisk-users] Flood of REGISTERs - attack?

2010-04-12 Thread Fred Posner
On Apr 12, 2010, at 4:50 PM, Chris Hastie wrote:

 I'm currently receiving over 200 SIP REGISTER requests per second from a
 machine apparently in Italy, host97-239-149-62.serverdedicati.aruba.it.
 This has continued for several days, and ab...@staff.aruba.it are
 unresponsive. I've had a couple of similar incidents recently, the
 others originating from uk2.net.
 
 ...snip...
 Has anyone else experienced this? Is this intended as a DOS attack, or
 is it a dictionary attack? Or something else? What is the best strategy
 for dealing with it?
 
 For now I have started rate limiting SIP connections to Asterisk, but
 what is a reasonable rate for each host to be allowed? This is a small
 SOHO installation.
 
 Thanks
 
 Chris

This is a pretty decent day for this. There's been discussion on the EC2 attack 
in progress (http://bit.ly/ec2sipattack) as well as decent suggestions around 
town. Some people like a fail2ban approach. Others are using IP Tables manually 
or contacting their upstream to block the traffic. And an interesting redirect 
solution was posted by Joshua Stein: 
http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/

---fred
http://qxork.com


Re: [asterisk-users] Flood of REGISTERs - attack?

2010-04-12 Thread Tom Stordy-Allison
-Original Message-
From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Fred Posner
Sent: 12 April 2010 21:57
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Flood of REGISTERs - attack?

On Apr 12, 2010, at 4:50 PM, Chris Hastie wrote:

 I'm currently receiving over 200 SIP REGISTER requests per second from 
 a machine apparently in Italy, host97-239-149-62.serverdedicati.aruba.it.
 This has continued for several days, and ab...@staff.aruba.it are 
 unresponsive. I've had a couple of similar incidents recently, the 
 others originating from uk2.net.
 
 ...snip...
 Has anyone else experienced this? Is this intended as a DOS attack, or 
 is it a dictionary attack? Or something else? What is the best 
 strategy for dealing with it?
 
 For now I have started rate limiting SIP connections to Asterisk, but 
 what is a reasonable rate for each host to be allowed? This is a small 
 SOHO installation.
 
 Thanks
 
 Chris

This is a pretty decent day for this. There's been discussion on the EC2 attack 
in progress (http://bit.ly/ec2sipattack) as well as decent suggestions around 
town. Some people like a fail2ban approach. Others are using IP Tables manually 
or contacting their upstream to block the traffic. And an interesting redirect 
solution was posted by Joshua Stein: 
http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/

---fred
http://qxork.com

-

Yep - this is the same codebase - the attack that I had from an EC2 yesterday 
and the day before, all had the User-Agent: friendly-scanner too.

Looks like they are branching out

Go with Joshua Stein's blog post - it worked perfectly for me and got it off my 
back.

Cheers,

Tom


Re: [asterisk-users] Flood of REGISTERs - attack?

2010-04-12 Thread Jeff Brower

 -Original Message-
 From: asterisk-users-boun...@lists.digium.com 
 [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Fred
 Posner
 Sent: 12 April 2010 21:57
 To: Asterisk Users Mailing List - Non-Commercial Discussion
 Subject: Re: [asterisk-users] Flood of REGISTERs - attack?

 On Apr 12, 2010, at 4:50 PM, Chris Hastie wrote:

 I'm currently receiving over 200 SIP REGISTER requests per second from
 a machine apparently in Italy, host97-239-149-62.serverdedicati.aruba.it.
 This has continued for several days, and ab...@staff.aruba.it are
 unresponsive. I've had a couple of similar incidents recently, the
 others originating from uk2.net.

 ...snip...
 Has anyone else experienced this? Is this intended as a DOS attack, or
 is it a dictionary attack? Or something else? What is the best
 strategy for dealing with it?

 For now I have started rate limiting SIP connections to Asterisk, but
 what is a reasonable rate for each host to be allowed? This is a small
 SOHO installation.

 Thanks

 Chris

 This is a pretty decent day for this. There's been discussion on the EC2 
 attack in progress
 (http://bit.ly/ec2sipattack) as well as decent suggestions around town. Some 
 people like a fail2ban approach. Others
 are using IP Tables manually or contacting their upstream to block the 
 traffic. And an interesting redirect solution
 was posted by Joshua Stein: 
 http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/

 ---fred
 http://qxork.com

 -

 Yep - this is the same codebase - the attack that I had from an EC2 yesterday 
 and the day before, all had the
 User-Agent: friendly-scanner too.

 Looks like they are branching out

SIP bots first became self-aware at 2:14 am Eastern Time on April 10th, 2010.  
Soon they realized the key to world
domination was Asterisk servers.  In the ensuing panic, the forum came up with 
a defense script... but it wasn't
enough.  The SIP bots were already learning at a geometric rate.

Sorry couldn't help it :-)

-Jeff

