Re: [asterisk-users] sip attacks

2011-08-01 Thread Faiyaz Ahmed
Dear Robert

Are you on a live IP?

--- On Sun, 7/31/11, Robert-iPhone rhuddles...@gmail.com wrote:

From: Robert-iPhone rhuddles...@gmail.com
Subject: Re: [asterisk-users] sip attacks
To: Asterisk Users Mailing List - Non-Commercial Discussion 
asterisk-users@lists.digium.com
Cc: Asterisk Users Mailing List - Non-Commercial Discussion 
asterisk-users@lists.digium.com
Date: Sunday, July 31, 2011, 4:26 PM

Hard to equate a SIP attack to ping performance. Run mtr for a bit.
Also try tcpdump, wireshark or tethereal.
If you are really paranoid, recycle all your passwords.

Sent from my iPhone

On Jul 31, 2011, at 7:04 PM, Dave George dgeo...@teletoneinc.com wrote:

 My Asterisk server is getting bogged down every 5 minutes.  My ping time is
 going from 60 ms to 800 ms and the call quality is bad.
 
 I have fail2ban running and I am using iptables.  I have two IP connections
 to the box.
 
 How can I tell if the poor performance is due to SIP attacks?   I don't see
 any reg attempts in my Asterisk CLI.  I used to get frequent attacks but
 fail2ban seems to be taking care of that.
 
 See how the ping time gets worse in a short space of time, and the server performance
 at the time:
 
 
 [...]

[asterisk-users] sip attacks

2011-07-31 Thread Dave George
My Asterisk server is getting bogged down every 5 minutes.  My ping time is
going from 60 ms to 800 ms and the call quality is bad.

I have fail2ban running and I am using iptables.  I have two IP connections
to the box.

How can I tell if the poor performance is due to SIP attacks?   I don't see
any reg attempts in my Asterisk CLI.  I used to get frequent attacks but
fail2ban seems to be taking care of that.

See how the ping time gets worse in a short space of time, and the server performance
at the time:


64 bytes from 4.2.2.1: icmp_seq=6 ttl=55 time=87.8 ms
64 bytes from 4.2.2.1: icmp_seq=7 ttl=55 time=99.8 ms
64 bytes from 4.2.2.1: icmp_seq=8 ttl=55 time=107 ms
64 bytes from 4.2.2.1: icmp_seq=9 ttl=55 time=115 ms
64 bytes from 4.2.2.1: icmp_seq=10 ttl=55 time=120 ms
64 bytes from 4.2.2.1: icmp_seq=11 ttl=55 time=122 ms
64 bytes from 4.2.2.1: icmp_seq=12 ttl=55 time=123 ms
64 bytes from 4.2.2.1: icmp_seq=13 ttl=55 time=126 ms
64 bytes from 4.2.2.1: icmp_seq=14 ttl=55 time=122 ms
64 bytes from 4.2.2.1: icmp_seq=15 ttl=55 time=142 ms
64 bytes from 4.2.2.1: icmp_seq=16 ttl=55 time=142 ms
64 bytes from 4.2.2.1: icmp_seq=17 ttl=55 time=137 ms
64 bytes from 4.2.2.1: icmp_seq=18 ttl=55 time=186 ms
64 bytes from 4.2.2.1: icmp_seq=19 ttl=55 time=255 ms
64 bytes from 4.2.2.1: icmp_seq=20 ttl=55 time=310 ms
64 bytes from 4.2.2.1: icmp_seq=21 ttl=55 time=387 ms
64 bytes from 4.2.2.1: icmp_seq=22 ttl=55 time=445 ms
64 bytes from 4.2.2.1: icmp_seq=23 ttl=55 time=514 ms
64 bytes from 4.2.2.1: icmp_seq=24 ttl=55 time=583 ms
64 bytes from 4.2.2.1: icmp_seq=25 ttl=55 time=650 ms
64 bytes from 4.2.2.1: icmp_seq=26 ttl=55 time=715 ms
64 bytes from 4.2.2.1: icmp_seq=27 ttl=55 time=783 ms
64 bytes from 4.2.2.1: icmp_seq=28 ttl=55 time=821 ms
64 bytes from 4.2.2.1: icmp_seq=29 ttl=55 time=810 ms
64 bytes from 4.2.2.1: icmp_seq=30 ttl=55 time=832 ms
64 bytes from 4.2.2.1: icmp_seq=31 ttl=55 time=812 ms
64 bytes from 4.2.2.1: icmp_seq=32 ttl=55 time=821 ms
64 bytes from 4.2.2.1: icmp_seq=33 ttl=55 time=826 ms
64 bytes from 4.2.2.1: icmp_seq=34 ttl=55 time=815 ms
64 bytes from 4.2.2.1: icmp_seq=35 ttl=55 time=821 ms
64 bytes from 4.2.2.1: icmp_seq=36 ttl=55 time=824 ms

top - 19:02:38 up 4 days, 11:26,  4 users,  load average: 0.36, 0.75, 0.82
Mem:   4051312k total,  1062964k used,  2988348k free,   167004k buffers
Swap:  6094840k total,        0k used,  6094840k free,   680144k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 4245 root      15   0  791m  86m  10m S 39.6  2.2   1192:32 asterisk
18280 root      15   0  3812  600  516 S  2.0  0.0   0:59.00 pppoe
 2582 root      15   0  5912  628  504 S  0.3  0.0   2:02.19 syslogd
18978 root      15   0 12744 1096  812 R  0.3  0.0   0:00.02 top
    1 root      15   0 10352  700  588 S  0.0  0.0   0:01.14 init
    2 root      RT  -5     0    0    0 S  0.0  0.0   0:00.01 migration/0
    3 root      34  19     0    0    0 S  0.0  0.0   0:31.90 ksoftirqd/0
    4 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/0
    5 root      RT  -5     0    0    0 S  0.0  0.0   0:00.01 migration/1
    6 root      34  19     0    0    0 S  0.0  0.0   0:08.43 ksoftirqd/1
    7 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/1
    8 root      RT  -5     0    0    0 S  0.0  0.0   0:00.13 migration/2
    9 root      34  19     0    0    0 S  0.0  0.0   2:40.56 ksoftirqd/2
   10 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/2
   11 root      RT  -5     0    0    0 S  0.0  0.0   0:00.05 migration/3
   12 root      34  19     0    0    0 S  0.0  0.0   0:44.56 ksoftirqd/3
   13 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/3
   14 root      10  -5     0    0    0 S  0.0  0.0   0:00.02 events/0
   15 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 events/1
   16 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 events/2
   17 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 events/3
   18 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 khelper
   55 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 kthread
   62 root      10  -5     0    0    0 S  0.0  0.0   0:00.07 kblockd/0
   63 root      10  -5     0    0    0 S  0.0  0.0   0:00.01 kblockd/1
   64 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 kblockd/2
   65 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 kblockd/3
   66 root      17  -5     0    0    0 S  0.0  0.0   0:00.00 kacpid
  166 root      17  -5     0    0    0 S  0.0  0.0   0:00.00 cqueue/0
  167 root      18  -5     0    0    0 S  0.0  0.0   0:00.00 cqueue/1



Dave



--
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] sip attacks

2011-07-31 Thread Robert-iPhone
Hard to equate a SIP attack to ping performance. Run mtr for a bit.
Also try tcpdump, wireshark or tethereal.
If you are really paranoid, recycle all your passwords.

Sent from my iPhone

On Jul 31, 2011, at 7:04 PM, Dave George dgeo...@teletoneinc.com wrote:

 My Asterisk server is getting bogged down every 5 minutes.  My ping time is
 going from 60 ms to 800 ms and the call quality is bad.
 
 I have fail2ban running and I am using iptables.  I have two IP connections
 to the box.
 
 How can I tell if the poor performance is due to SIP attacks?   I don't see
 any reg attempts in my Asterisk CLI.  I used to get frequent attacks but
 fail2ban seems to be taking care of that.
 
 See how the ping time gets worse in a short space of time, and the server performance
 at the time:
 
 
 [...]
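A worked version of the capture-and-count step Robert suggests, added here as an example and not part of the original thread: it reads the text output of `tcpdump -nn -v udp port 5060` (the `-v` is what makes tcpdump print the SIP request line under each packet summary), tallies requests per source address, and flags any source that is not one of your own phones and exceeds a request rate. The capture text, the addresses and the `KNOWN_PEERS` set are constructed for the example.

```python
import re
from collections import defaultdict

# Packet summary line as tcpdump -nn prints it for UDP to port 5060, and the
# request line that follows it when tcpdump runs with -v.  Only the fields the
# triage needs are picked out: timestamp, source address, request method.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"\d+\.\d+\.\d+\.\d+\.5060: SIP"
)
REQUEST_RE = re.compile(r"^\s+(?P<method>[A-Z]+) sip:\S+ SIP/2\.0")


def _pkt(ts, src, sport, method, target="198.51.100.2"):
    """Build one constructed capture entry in the shape described above."""
    return (f"{ts} IP {src}.{sport} > {target}.5060: SIP, length: 480\n"
            f"\t{method} sip:{target} SIP/2.0\n")


# Constructed sample (not a real capture): one known phone re-registering
# once a minute, one scanner firing twelve REGISTERs in under half a second,
# and one stray OPTIONS probe.
SAMPLE_CAPTURE = (
    _pkt("19:02:30.100000", "192.0.2.10", 5060, "REGISTER")
    + "".join(_pkt(f"19:02:30.{150000 + i * 40000:06d}", "203.0.113.5", 5088, "REGISTER")
              for i in range(12))
    + _pkt("19:02:31.400000", "198.51.100.77", 5060, "OPTIONS")
    + _pkt("19:03:30.100000", "192.0.2.10", 5060, "REGISTER")
)
KNOWN_PEERS = {"192.0.2.10"}  # assumption: the addresses of your own phones


def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    """Yield (seconds_since_midnight, source_ip, method) for each SIP request."""
    pending = None
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if head:
            pending = (_seconds(head["ts"]), head["src"])
            continue
        req = REQUEST_RE.match(line)
        if req and pending:
            yield pending[0], pending[1], req["method"]
            pending = None


def triage(text, known_peers, max_rate=2.0):
    """Per-source counts and rates; flag unknown sources above max_rate requests/s."""
    seen = defaultdict(lambda: {"count": 0, "methods": set(), "first": None, "last": None})
    for t, src, method in parse_capture(text):
        entry = seen[src]
        entry["count"] += 1
        entry["methods"].add(method)
        entry["first"] = t if entry["first"] is None else min(entry["first"], t)
        entry["last"] = t if entry["last"] is None else max(entry["last"], t)
    report = {}
    for src, entry in seen.items():
        # A burst shorter than one second is rated as if it lasted one second,
        # so a dozen packets in 440 ms shows as 12 req/s rather than 27.
        span = max(entry["last"] - entry["first"], 1.0)
        rate = entry["count"] / span
        report[src] = {
            "count": entry["count"],
            "methods": sorted(entry["methods"]),
            "rate": round(rate, 2),
            "flagged": src not in known_peers and rate > max_rate,
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_CAPTURE, KNOWN_PEERS).items(),
                            key=lambda kv: kv[1]["count"], reverse=True):
        print(src, info)
```

tcpdump taps the interface before netfilter's INPUT chain runs, so sources fail2ban has already banned still show up in a capture even though Asterisk never logs them; that is worth remembering when the CLI shows no registration attempts. The rate threshold is a crude filter and misses a scanner that stays under it, and a capture says nothing about the link itself, which is what mtr during a latency spike is for.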

Re: [asterisk-users] sip attacks

2011-07-31 Thread C F
How long ago was the last block from fail2ban?
What could be happening is that the attacker hasn't yet realized that he has
been blocked and is still trying; although it is blocked by iptables,
it is still coming down the line as attempted connections.

On Sun, Jul 31, 2011 at 7:04 PM, Dave George dgeo...@teletoneinc.com wrote:
 My Asterisk server is getting bogged down every 5 minutes.  My ping time is
 going from 60 ms to 800 ms and the call quality is bad.

 I have fail2ban running and I am using iptables.  I have two IP connections
 to the box.

 How can I tell if the poor performance is due to SIP attacks?   I don't see
 any reg attempts in my Asterisk CLI.  I used to get frequent attacks but
 fail2ban seems to be taking care of that.

 See how the ping time gets worse in a short space of time, and the server performance
 at the time:


 [...]

Re: [asterisk-users] sip attacks

2011-07-31 Thread Bill Kenworthy
How big is the blocklist from fail2ban? At a few thousand entries, the
network stack performance degrades.

BillK


On Sun, 2011-07-31 at 19:54 -0400, C F wrote:
 How long ago was the last block from fail2ban?
 What could be happening is that the attacker hasn't yet realized that he has
 been blocked and is still trying; although it is blocked by iptables,
 it is still coming down the line as attempted connections.
 
 On Sun, Jul 31, 2011 at 7:04 PM, Dave George dgeo...@teletoneinc.com wrote:
  My Asterisk server is getting bogged down every 5 minutes.  My ping time is
  going from 60 ms to 800 ms and the call quality is bad.
 
  I have fail2ban running and I am using iptables.  I have two IP connections
  to the box.
 
  How can I tell if the poor performance is due to SIP attacks?   I don't see
  any reg attempts in my Asterisk CLI.  I used to get frequent attacks but
  fail2ban seems to be taking care of that.
 
  See how the ping time gets worse in a short space of time, and the server performance
  at the time:
 
 
  [...]
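C F's point (a banned source keeps sending and the kernel keeps dropping) and Bill's point (the ban chain itself grows long) can both be read off the counters of the fail2ban chain. The following is an added example, not from the thread and not fail2ban's own code: it parses two `iptables -nvxL fail2ban-asterisk` listings taken a minute apart, reports which DROP rules are still accumulating packets and at what rate, and counts the rules in the chain. The chain name, the addresses and both listings are constructed.

```python
import re

# One rule line of `iptables -nvxL <chain>`:
#   pkts bytes target prot opt in out source destination
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)"
)

# Constructed snapshots of the chain 60 seconds apart.  Chain name and
# addresses are assumptions; the layout is that of `iptables -nvxL`.
SNAPSHOT_T0 = """\
Chain fail2ban-asterisk (1 references)
    pkts      bytes target     prot opt in     out     source               destination
  120044   56420680 DROP       all  --  *      *       203.0.113.5          0.0.0.0/0
    3310    1556000 DROP       all  --  *      *       198.51.100.77        0.0.0.0/0
      12       5640 DROP       all  --  *      *       192.0.2.200          0.0.0.0/0
 9981234 4400000000 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
SNAPSHOT_T1 = """\
Chain fail2ban-asterisk (1 references)
    pkts      bytes target     prot opt in     out     source               destination
  150044   70520680 DROP       all  --  *      *       203.0.113.5          0.0.0.0/0
    3310    1556000 DROP       all  --  *      *       198.51.100.77        0.0.0.0/0
      72      33840 DROP       all  --  *      *       192.0.2.200          0.0.0.0/0
     900     423000 DROP       all  --  *      *       203.0.113.99         0.0.0.0/0
 9981530 4400140000 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
INTERVAL_S = 60


def parse_chain(text):
    """Return ({source: (target, pkts)}, rule_count) for one chain listing."""
    rules, count = {}, 0
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:            # the "Chain ..." header and the column header
            continue
        count += 1
        rules[m["src"]] = (m["target"], int(m["pkts"]))
    return rules, count


def still_hammering(before, after, interval_s):
    """Banned sources whose DROP counter grew between snapshots, as (source, pkts/s).

    A source that is banned but still sending never shows up in the Asterisk
    CLI; short of a packet capture, the counter delta is where it is visible."""
    r0, _ = parse_chain(before)
    r1, _ = parse_chain(after)
    rates = []
    for src, (target, pkts_now) in r1.items():
        if target != "DROP":
            continue
        pkts_then = r0.get(src, ("DROP", 0))[1]   # rules added since t0 start at 0
        delta = pkts_now - pkts_then
        if delta > 0:
            rates.append((src, delta / interval_s))
    return sorted(rates, key=lambda item: item[1], reverse=True)


def chain_summary(text):
    """Chain length: every packet entering the chain is compared against each rule."""
    rules, count = parse_chain(text)
    bans = sum(1 for target, _ in rules.values() if target == "DROP")
    return {"rules": count, "bans": bans}


if __name__ == "__main__":
    print(chain_summary(SNAPSHOT_T1))
    for src, pps in still_hammering(SNAPSHOT_T0, SNAPSHOT_T1, INTERVAL_S):
        print(f"{src:<16} still sending {pps:8.1f} pkt/s into a DROP rule")
```

If a banned source is still pushing hundreds of packets a second, those packets cross your link whether or not iptables drops them, and that is bandwidth the calls do not get; on a DSL uplink it can account for the latency swing on its own. When the chain runs to thousands of rules, each packet is compared against every one in turn; collecting the bans in an `ipset` of type `hash:ip` that a single rule matches keeps the lookup cost flat as the list grows.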

[asterisk-users] SIP attacks

2009-03-04 Thread Thomas Kenyon
I have been receiving a lot of hack attempts today (home and work): 
multiple SIP registration requests (none of them managed to find a 
relevant username before fail2ban kicked in).

Is this happening to a lot of people now?

I only have SIP available externally for ENUM purposes. Is it possible, 
on a host which is specified as dynamic, to choose a valid hostmask in 
sip.conf on a per peer/user basis?

TIA for any response to this.



Re: [asterisk-users] SIP attacks

2009-03-04 Thread Tilghman Lesher
On Wednesday 04 March 2009 11:34:23 Thomas Kenyon wrote:
 I have been receiving a lot of hack attempts today (home and work):
 multiple SIP registration requests (none of them managed to find a
 relevant username before fail2ban kicked in).

 Is this happening to a lot of people now?

 I only have SIP available externally for ENUM purposes. Is it possible,
 on a host which is specified as dynamic, to choose a valid hostmask in
 sip.conf on a per peer/user basis?

 TIA for any response to this.

Yes, you can use the permit/deny labels to specify an IP mask that is eligible
to authenticate:
deny=0.0.0.0/0
permit=192.168.0.0/16
permit=172.16.0.0/12
permit=10.0.0.0/8

By the way, after the slash, you can use either CIDR notation or a netmask.

-- 
Tilghman

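To make the ordering in that answer concrete, here is an added example (not Asterisk code) that applies deny/permit lines the way chan_sip's ACL code evaluates them: rules are checked in file order, every matching rule overwrites the verdict so the last match wins, and an address that matches no rule is permitted. It also accepts either a prefix length or a dotted netmask after the slash, as the reply notes. The peer section name and the probe addresses are assumptions.

```python
import ipaddress

# The rules from the reply, as they would sit in a peer section of sip.conf
# (the section name and host=dynamic are assumptions, matching the question):
#   [phone-42]
#   type=friend
#   host=dynamic
#   deny=0.0.0.0/0
#   permit=192.168.0.0/16
#   permit=172.16.0.0/12
#   permit=10.0.0.0/8
PEER_ACL = [
    "deny=0.0.0.0/0",
    "permit=192.168.0.0/16",
    "permit=172.16.0.0/12",
    "permit=10.0.0.0/8",
]


def parse_acl(lines):
    """Turn deny=/permit= lines into [(sense, network)] in file order.

    Accepts "a.b.c.d/N", "a.b.c.d/m.m.m.m" and a bare address (taken as /32),
    and ignores any line that is not a deny or permit line."""
    acl = []
    for raw in lines:
        line = raw.split(";", 1)[0].strip()          # drop sip.conf comments
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key not in ("deny", "permit"):
            continue
        addr, _, mask = value.strip().partition("/")
        # ipaddress takes both "/12" and "/255.240.0.0"; strict=False lets a
        # host address with a shorter mask through instead of raising.
        net = ipaddress.ip_network(f"{addr}/{mask or '32'}", strict=False)
        acl.append((key, net))
    return acl


def apply_acl(acl, address):
    """Verdict for one address: start at permit, let every matching rule overwrite it."""
    verdict = "permit"
    ip = ipaddress.ip_address(address)
    for sense, net in acl:
        if ip in net:
            verdict = sense
    return verdict


if __name__ == "__main__":
    good = parse_acl(PEER_ACL)
    wrong = parse_acl(reversed(PEER_ACL))   # deny line last: it overrides every permit
    for probe in ("10.20.30.40", "172.31.1.1", "203.0.113.5"):
        print(probe, "correct order:", apply_acl(good, probe),
              " reversed:", apply_acl(wrong, probe))
```

Because the starting verdict is permit, a section with only permit= lines and no leading deny=0.0.0.0/0 admits everyone, and moving the deny line to the end denies everyone, which the reversed run in the block shows. A per-peer ACL only helps when the peer's address range is predictable; a phone that roams across arbitrary networks cannot be pinned down this way.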


Re: [asterisk-users] SIP attacks

2009-03-04 Thread Thomas Kenyon
Tilghman Lesher wrote:
 
 Yes, you can use the permit/deny labels to specify an IP mask that is eligible
 to authenticate:
 deny=0.0.0.0/0
 permit=192.168.0.0/16
 permit=172.16.0.0/12
 permit=10.0.0.0/8
 
 By the way, after the slash, you can use either CIDR notation or a netmask.
 
Thanks.
