FWIW - I saw my lab system get attacked last night. The attacker kept trying for 30 minutes. During the first 1-2 minutes of the attack, the user "sip" tried to send 5/15/6/15 invites in ten-minute intervals. So what that really means is that while they were probably sending more copious attempts, the firewall rule really limited their ability to send probably thousands more to the system.
My statistics showed a brief spike in new connections at the very beginning of the attack; CPU and RAM stayed flat. At the same time, anyone who shows or posts a log snippet showing detailed logging of an attack from sipx that happened "after" the fact is perhaps compounding the problem by having logging for various components turned up beyond the defaults, so when an attack happens the I/O processes on your system are further taxed trying to log all of the nonsense... So the attack lasted for 30 minutes, and they were only able to send less than 40 invite requests into the system total. ANYONE can send an invite without authentication; it's the destination numbers that will be challenged because they are not internal (same as click to call). They were hoping for an open gateway. In any event, my firewall stopped a huge amount, at really no bandwidth or resource loss during the attempt at the firewall, because I implemented my own formulas BEFORE I posted the blog entry...

On Thu, Oct 14, 2010 at 3:04 AM, Todd Hodgen <[email protected]> wrote:
> Welcome to SIPVicious! It really sux.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Dan McDaniel
> Sent: Wednesday, October 13, 2010 9:54 PM
> To: [email protected]
> Subject: Re: [sipx-users] Under Attack
>
> On Wed 13.Oct.10 23:51, Nathaniel Watkins wrote:
> >Just checked my CDR records - saw this a few minutes ago.
> >
> >sip 00000#442075005000 10/13/10 11:12 PM 00:00:00 Failed
> >sip 00001442075005000 10/13/10 11:12 PM 00:00:00 Failed
> >sip 0001442075005000 10/13/10 11:12 PM 00:00:00 Failed
> >sip 0011#442075005000 10/13/10 11:12 PM 00:00:00 Failed
> >sip 002442075005000 10/13/10 11:12 PM 00:00:00 Failed
> >sip 011#442075005000 10/13/10 11:12 PM 00:00:00 Failed
> >sip 1442075005000 10/13/10 11:12 PM 00:00:00 Failed
> >sip 111442075005000 10/13/10 11:12 PM 00:00:00 Failed
> >sip 2442075005000 10/13/10 11:13 PM 00:00:00 Failed
> >sip 8442075005000 10/13/10 11:13 PM 00:00:00 Failed
> >sip 99442075005000 10/13/10 11:13 PM 00:00:00 Failed
> >sip 9442075005000 10/13/10 11:13 PM 00:00:00 Failed
> >sip 00000442075005000 10/13/10 11:25 PM 00:00:00 Failed
> >sip 000001442075005000 10/13/10 11:25 PM 00:00:00 Failed
> >sip 00011#442075005000 10/13/10 11:25 PM 00:00:00 Failed
> >sip 009442075005000 10/13/10 11:25 PM 00:00:00 Failed
> >sip 009#442075005000 10/13/10 11:25 PM 00:00:00 Failed
> >
> >I took the liberty to install/configure the Country Block Option in pfSense...
> >
> >This message and any files transmitted with it are intended only for the individual(s) or entity named. If you are not the intended individual(s) or entity named you are hereby notified that any disclosure, copying, distribution or reliance upon its contents is strictly prohibited. If you have received this in error, please notify the sender, delete the original, and destroy all copies. Email transmissions cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Garrett County Government therefore does not accept any liability for any errors or omissions in the contents of this message, which arise as a result of email transmission.
> >
> >Garrett County Government,
> >203 South Fourth Street, Courthouse, Oakland, Maryland 21550
> >www.garrettcounty.org
> >
> >_______________________________________________
> >sipx-users mailing list
> >[email protected]
> >List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
> Same here. From 00:34 - 01:39 GMT, 14 October. Coming from two addresses apparently in China.
>
> --
> Dan McDaniel
> [email protected]
> Key fingerprint = CAEC B8D9 3701 86CF D3B2 1E99 D8BB F217 455C AD36
>

--
======================
Tony Graziano, Manager
Telephone: 434.984.8430
sip: [email protected]
Fax: 434.326.5325
Email: [email protected]
LAN/Telephony/Security and Control Systems
Helpdesk: Telephone: 434.984.8426
sip: [email protected]
Helpdesk Contract Customers: http://support.myitdepartment.net
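The CDR rows quoted in the thread show the pattern Tony describes: one unauthenticated "user", sip, walking through trunk and international prefixes (9, 00, 011, 1, a trailing #) in front of the same UK number, hoping one variant finds an open gateway. As an added example (not code from the thread, from sipXecs, or from any of the posters), the Python below parses CDR lines in that flat format and flags a caller that racks up several failed calls to the same underlying destination under different dial strings inside a short window. The line format, the "last ten digits" destination fingerprint, the 15-minute window and the thresholds are assumptions for the illustration; the sample CDR lines are constructed for it and include two benign rows that must not trigger.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDR lines (not real logs), in the flat format quoted in
# the thread: "<caller> <dialed> <mm/dd/yy> <hh:mm AM|PM> <duration> <status>".
# The first ten rows mimic the prefix walk; the last two are benign.
SAMPLE_CDR = """\
sip 00000#442075005000 10/13/10 11:12 PM 00:00:00 Failed
sip 00001442075005000 10/13/10 11:12 PM 00:00:00 Failed
sip 0001442075005000 10/13/10 11:12 PM 00:00:00 Failed
sip 0011#442075005000 10/13/10 11:12 PM 00:00:00 Failed
sip 002442075005000 10/13/10 11:12 PM 00:00:00 Failed
sip 011#442075005000 10/13/10 11:12 PM 00:00:00 Failed
sip 1442075005000 10/13/10 11:12 PM 00:00:00 Failed
sip 9442075005000 10/13/10 11:13 PM 00:00:00 Failed
sip 00000442075005000 10/13/10 11:25 PM 00:00:00 Failed
sip 009442075005000 10/13/10 11:25 PM 00:00:00 Failed
201 5551234 10/13/10 11:14 PM 00:01:37 Completed
202 442075005000 10/13/10 11:30 PM 00:00:00 Failed
"""

# Assumed line layout; adjust the pattern if your CDR export differs.
CDR_RE = re.compile(
    r"^(?P<caller>\S+)\s+(?P<dialed>\S+)\s+(?P<date>\d{2}/\d{2}/\d{2})\s+"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+(?P<duration>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<status>\S+)$"
)


def parse_cdr(text):
    """Turn the flat CDR lines into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = CDR_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %I:%M %p")
        records.append({
            "caller": m["caller"],
            "dialed": m["dialed"],
            "when": when,
            "failed": m["status"].lower() == "failed",
        })
    return records


def target_key(dialed, keep=10):
    """Fingerprint of the destination actually being reached for: the last
    `keep` digits once '#' and other non-digits are dropped. A scanner varies
    the leading trunk/international prefix on the same number, so this
    collapses the variants onto one key. Heuristic assumed for the example."""
    digits = re.sub(r"\D", "", dialed)
    return digits[-keep:]


def find_prefix_probing(records, window=timedelta(minutes=15),
                        min_failed=5, min_variants=3):
    """Flag (caller, destination) pairs with at least `min_failed` failed calls
    inside any `window`, dialed under at least `min_variants` distinct strings.
    Returns one alert per pair, covering the densest window found."""
    by_key = defaultdict(list)
    for r in records:
        if r["failed"]:
            by_key[(r["caller"], target_key(r["dialed"]))].append(r)

    alerts = []
    for (caller, target), rs in by_key.items():
        rs.sort(key=lambda r: r["when"])
        start, best = 0, None
        for end in range(len(rs)):
            # Slide the window start forward until it spans at most `window`.
            while rs[end]["when"] - rs[start]["when"] > window:
                start += 1
            variants = {r["dialed"] for r in rs[start:end + 1]}
            count = end - start + 1
            if count >= min_failed and len(variants) >= min_variants:
                if best is None or count > best["attempts"]:
                    best = {"caller": caller, "target": target,
                            "attempts": count, "variants": sorted(variants),
                            "first": rs[start]["when"], "last": rs[end]["when"]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_prefix_probing(parse_cdr(SAMPLE_CDR)):
        print(f"{a['caller']} -> ...{a['target']}: {a['attempts']} failed "
              f"attempts, {len(a['variants'])} dial variants, "
              f"{a['first']:%H:%M} to {a['last']:%H:%M}")
```

Run as-is it reports the single sip caller (10 failed attempts under 10 dial variants between 23:12 and 23:25) and stays quiet on extension 202's lone failed call. Keep in mind what Tony points out: the CDR only records what got past the firewall, so comparing the count here against the firewall's own drop counters tells you how much of the scan the rate limit absorbed, and a low CDR count is not evidence that the scan was small.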
