[Asterisk-Users] Recommendation for dialplan in case of DDoS atta cks?
I'm trying to formulate a strategy for our interconnected Asterisk IAX peers to failover to the PSTN in the event of a DDoS. We currently use them like this: DID---PRI---Primary Asterisk---IAX---On-site Asterisk---SIP This works fine, and everyone is happy. One of my concerns, though, is if we get DDoS'd - which happens probably once every couple of years. I'd like to have the dialplan failover to PSTN to shunt calls to the PSTN---User's cell number in the case of a DDoS attack. My current thinking is K.I.S.S - just put the user's cell as the next step in the dialplan. However, I'd like for this to be controllable - when things are working OK, I don't want the calls being routed to the cells *at all*. I also don't want to have an extensions.conf and an extensions_emergency.conf and do the _emergency as an commented out include. I'd like for it to be automatic i.e. Asterisk detects Internet latency is above a certain threshold, then automagically does the cell thing. Any suggestions? I fooled around in Google for about a half hour on this, and of course the Wiki was no help. TIA ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Recommendation for dialplan in case of DDoS atta cks?
Colin Anderson wrote: I'm trying to formulate a strategy for our interconnected Asterisk IAX peers to failover to the PSTN in the event of a DDoS. We currently use them like this: DID---PRI---Primary Asterisk---IAX---On-site Asterisk---SIP This works fine, and everyone is happy. One of my concerns, though, is if we get DDoS'd - which happens probably once every couple of years. I'd like to have the dialplan failover to PSTN to shunt calls to the PSTN---User's cell number in the case of a DDoS attack. My current thinking is K.I.S.S - just put the user's cell as the next step in the dialplan. However, I'd like for this to be controllable - when things are working OK, I don't want the calls being routed to the cells *at all*. I also don't want to have an extensions.conf and an extensions_emergency.conf and do the _emergency as an commented out include. I'd like for it to be automatic i.e. Asterisk detects Internet latency is above a certain threshold, then automagically does the cell thing. Any suggestions? I fooled around in Google for about a half hour on this, and of course the Wiki was no help. TIA How about a combination of GotoIF, and app_dbodbc (or app_db): exten = 700,1,playback(ddos-on) exten = 700,2,DBput(DDOS/yes) exten = 701,1,playback(ddos-off) exten = 701,2,DBdel(DDOS/yes) [mymainaa] exten = s,1,DBGET(TRUE=DDOS/yes) exten = s,2,Do this exten =) s,102,do something else Just a very lazy, simple example, but it should work. -- Kristian Kielhofner ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Recommendation for dialplan in case of DDoS atta cks?
Primary * box detects DD0S - runs: asterisk -rx database put PANIC DDOS YES and have your dialplan look for that database family/key being set to determine which path it takes. When the primary * box detects that the DD0S is over - runs: asterisk -rx database del PANIC DDOS On Tue, 2005-03-01 at 06:40, Colin Anderson wrote: I'm trying to formulate a strategy for our interconnected Asterisk IAX peers to failover to the PSTN in the event of a DDoS. We currently use them like this: DID---PRI---Primary Asterisk---IAX---On-site Asterisk---SIP This works fine, and everyone is happy. One of my concerns, though, is if we get DDoS'd - which happens probably once every couple of years. I'd like to have the dialplan failover to PSTN to shunt calls to the PSTN---User's cell number in the case of a DDoS attack. My current thinking is K.I.S.S - just put the user's cell as the next step in the dialplan. However, I'd like for this to be controllable - when things are working OK, I don't want the calls being routed to the cells *at all*. I also don't want to have an extensions.conf and an extensions_emergency.conf and do the _emergency as an commented out include. I'd like for it to be automatic i.e. Asterisk detects Internet latency is above a certain threshold, then automagically does the cell thing. Any suggestions? I fooled around in Google for about a half hour on this, and of course the Wiki was no help. TIA ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users -- Howard. LANNet Computing Associates; Your Linux people http://www.lannetlinux.com -- When you just want a system that works, you choose Linux; when you want a system that just works, you choose Microsoft. -- Flatter government, not fatter government; Get rid of the Australian states. ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
RE: [Asterisk-Users] Recommendation for dialplan in case of DDoS atta cks?
How about a combination of GotoIF, and app_dbodbc (or app_db): exten = 700,1,playback(ddos-on) exten = 700,2,DBput(DDOS/yes) exten = 701,1,playback(ddos-off) exten = 701,2,DBdel(DDOS/yes) [mymainaa] exten = s,1,DBGET(TRUE=DDOS/yes) exten = s,2,Do this exten =) s,102,do something else My comment: Good suggestion, but requires user intervention. I'm lazy and I want it to be totally transparent. I'm not avaliable most of the time and training someone to do it is not reliable, even my MCSE monkey would have trouble figuring out that we are being DoS'd (NOT my hire!) -and- Primary * box detects DD0S - runs: asterisk -rx database put PANIC DDOS YES and have your dialplan look for that database family/key being set to determine which path it takes. When the primary * box detects that the DD0S is over - runs: asterisk -rx database del PANIC DDOS My comment: Better suggestion, and looks to be workable. What would be a good way to detect latency? A cron job that pings a known host with, say, 2K of data and pipes it back to a shell script? If so, what kind of frequency would be considered effective? Every 30 seconds, 1 minute? ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Recommendation for dialplan in case of DDoS atta cks?
Colin Anderson wrote: How about a combination of GotoIF, and app_dbodbc (or app_db): exten = 700,1,playback(ddos-on) exten = 700,2,DBput(DDOS/yes) exten = 701,1,playback(ddos-off) exten = 701,2,DBdel(DDOS/yes) [mymainaa] exten = s,1,DBGET(TRUE=DDOS/yes) exten = s,2,Do this exten =) s,102,do something else My comment: Good suggestion, but requires user intervention. I'm lazy and I want it to be totally transparent. I'm not avaliable most of the time and training someone to do it is not reliable, even my MCSE monkey would have trouble figuring out that we are being DoS'd (NOT my hire!) -and- Primary * box detects DD0S - runs: asterisk -rx database put PANIC DDOS YES and have your dialplan look for that database family/key being set to determine which path it takes. When the primary * box detects that the DD0S is over - runs: asterisk -rx database del PANIC DDOS My comment: Better suggestion, and looks to be workable. What would be a good way to detect latency? A cron job that pings a known host with, say, 2K of data and pipes it back to a shell script? If so, what kind of frequency would be considered effective? Every 30 seconds, 1 minute? His suggestion was basically the same thing, only in mine you would dial an extension to activate DDOS mode instead of running the database put from the command line. How about monitoring your hosts with iax2/sip show peers and parsing that output with a cron job? The ping thing looks like it would be more of a problem than anything else. OR you could run Snort and have it detect the DDOS somehow... Not a snort expert, but it has to be doable. Are these inbound or outbound calls? (both?) I am pretty confused about all of this... -- Kristian Kielhofner ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [Asterisk-Users] Recommendation for dialplan in case of DDoS atta cks?
On Mon, 2005-02-28 at 14:20 -0600, Kristian Kielhofner wrote: His suggestion was basically the same thing, only in mine you would dial an extension to activate DDOS mode instead of running the database put from the command line. How about monitoring your hosts with iax2/sip show peers and parsing that output with a cron job? The ping thing looks like it would be more of a problem than anything else. OR you could run Snort and have it detect the DDOS somehow... Not a snort expert, but it has to be doable. Are these inbound or outbound calls? (both?) I am pretty confused about all of this... Isn't this what qualify=latency (ie: qualify=200) in your iax/sip.conf files is for? If the latency exceeds 200ms, Asterisk will automatically disable the link, and you can easily use a fail-over method in your dialplan. I think something like isChanAvail() might work for that. -- Kristian Kielhofner ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users -- Mike Benoit [EMAIL PROTECTED] signature.asc Description: This is a digitally signed message part ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
RE: [Asterisk-Users] Recommendation for dialplan in case of DDoS atta cks?
Are these inbound or outbound calls? (both?) I am pretty confused about all of this... Sorry, I should have been more specific. The primary Asterisk box that connects with the PRI is the one I am concerned about being DoS'd - the remote IAX peer runs off of a cable modem with a dynamic IP, I have a script that checks it's IP every so often (hopefully before the lease expires!) and updates our DNS at the office accodingly, so we can address the remote host as [EMAIL PROTECTED] etc. Since it's dynamic, and it's on an ISP that is very proactive about DoS attacks, I'm not concerned about the remote host getting hosed, only the primary. The remote host would be inbound and outbound calls, but my users can live with outbound calls being kacked, inbound they would scream blue murder if it didn't work (salespeople) Isn't this what qualify=latency (ie: qualify=200) in your iax/sip.conf files is for? If the latency exceeds 200ms, Asterisk will automatically disable the link, and you can easily use a fail-over method in your dialplan. I think something like isChanAvail() might work for that. I was thinking the same thing too, but from what I have seen qualify=XXX is not universally supported: http://lists.digium.com/pipermail/asterisk-users/2005-January/082657.html We might use an IAX softphone or an IAXy and qualify may or may not be supported. Ideally, I'd like something that is as device / implementation independent as possible. Also, I believe isChanAvail() is boolean with no quality assurances it'd be worse in my context to throw a call out there that has lots of drops than to re-route the call to the PSTN, a lot of users in my organization are leery of VoIP in general and crappy calls would give them ammo to spread FUD about VoIP. ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
RE: [Asterisk-Users] Recommendation for dialplan in case of DDoS atta cks?
On Tue, 2005-03-01 at 07:11, Colin Anderson wrote: How about a combination of GotoIF, and app_dbodbc (or app_db): exten = 700,1,playback(ddos-on) exten = 700,2,DBput(DDOS/yes) exten = 701,1,playback(ddos-off) exten = 701,2,DBdel(DDOS/yes) [mymainaa] exten = s,1,DBGET(TRUE=DDOS/yes) exten = s,2,Do this exten =) s,102,do something else My comment: Good suggestion, but requires user intervention. I'm lazy and I want it to be totally transparent. I'm not avaliable most of the time and training someone to do it is not reliable, even my MCSE monkey would have trouble figuring out that we are being DoS'd (NOT my hire!) -and- Primary * box detects DD0S - runs: asterisk -rx database put PANIC DDOS YES and have your dialplan look for that database family/key being set to determine which path it takes. When the primary * box detects that the DD0S is over - runs: asterisk -rx database del PANIC DDOS My comment: Better suggestion, and looks to be workable. What would be a good way to detect latency? A cron job that pings a known host with, say, 2K of data and pipes it back to a shell script? If so, what kind of frequency would be considered effective? Every 30 seconds, 1 minute? You would probably need to have 2-3 positive samples over a period of, say, 3 minutes before you triggered the change, otherwise it runs the risk of being too volatile. A short packet ping would probably be better than a long packet transfer. ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users -- Howard. LANNet Computing Associates; Your Linux people http://www.lannetlinux.com -- When you just want a system that works, you choose Linux; when you want a system that just works, you choose Microsoft. -- Flatter government, not fatter government; Get rid of the Australian states. ___ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
