However, even if you are blocking all of these attempts at your firewall, the real issue is the bandwidth from your provider to you, as it will still be utilized. They run these from locations with fat pipes, so it comes at you like a denial of service attack. If the end system is limited to, say, a T1 or smaller, it's a real issue for them, and there's not much they can do.

I have a customer that has had two and three of these being run at the same time, from different locations. It's not co-ordinated, because they are using different versions of the program, and unfortunately, from different countries. Nasty!

From: [email protected] [mailto:[email protected]] On Behalf Of Tony Graziano
Sent: Thursday, October 14, 2010 1:19 AM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Under Attack

FWIW - I saw my lab system get attacked last night. The attacker kept trying for 30 minutes. During the first 1-2 minutes of the attack, the user "sip" tried to send 5/15/6/15 invites in ten-minute intervals. So what that really means is that while they were probably sending more copious attempts, the firewall rule really limited the ability to send probably thousands more to the system. My statistics showed a brief spike in new connections at the very beginning of the attack; CPU and RAM stayed flat.

At the same time, anyone who shows or posts a log snippet showing detailed logging of an attack from sipx that happened "after" the fact is perhaps compounding the problem by having logging for various components turned up beyond the defaults, so when an attack happens the I/O processes on your system are further taxed trying to log all of the nonsense...

So the attack lasted for 30 minutes, and they were only able to send fewer than 40 invite requests into the system total. ANYONE can send an invite without authentication; it's the destination numbers that will be challenged because they are not internal (same as click to call). They were hoping for an open gateway. In any event, my firewall stopped a huge amount, at really no bandwidth or resource loss during the attempt at the firewall, because I implemented my own formulas BEFORE I posted the blog entry...

On Thu, Oct 14, 2010 at 3:04 AM, Todd Hodgen <[email protected]> wrote:

Welcome to Sipvicious! It really sux.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Dan McDaniel
Sent: Wednesday, October 13, 2010 9:54 PM
To: [email protected]
Subject: Re: [sipx-users] Under Attack

On Wed 13.Oct.10 23:51, Nathaniel Watkins wrote:
> Just checked my cdr records - saw this a few minutes ago.
>
> sip  00000#442075005000   10/13/10 11:12 PM  00:00:00  Failed
> sip  00001442075005000    10/13/10 11:12 PM  00:00:00  Failed
> sip  0001442075005000     10/13/10 11:12 PM  00:00:00  Failed
> sip  0011#442075005000    10/13/10 11:12 PM  00:00:00  Failed
> sip  002442075005000      10/13/10 11:12 PM  00:00:00  Failed
> sip  011#442075005000     10/13/10 11:12 PM  00:00:00  Failed
> sip  1442075005000        10/13/10 11:12 PM  00:00:00  Failed
> sip  111442075005000      10/13/10 11:12 PM  00:00:00  Failed
> sip  2442075005000        10/13/10 11:13 PM  00:00:00  Failed
> sip  8442075005000        10/13/10 11:13 PM  00:00:00  Failed
> sip  99442075005000       10/13/10 11:13 PM  00:00:00  Failed
> sip  9442075005000        10/13/10 11:13 PM  00:00:00  Failed
> sip  00000442075005000    10/13/10 11:25 PM  00:00:00  Failed
> sip  000001442075005000   10/13/10 11:25 PM  00:00:00  Failed
> sip  00011#442075005000   10/13/10 11:25 PM  00:00:00  Failed
> sip  009442075005000      10/13/10 11:25 PM  00:00:00  Failed
> sip  009#442075005000     10/13/10 11:25 PM  00:00:00  Failed
>
> I took the liberty to install/configure the Country Block Option in pfSense...
>
> Garrett County Government,
> 203 South Fourth Street, Courthouse, Oakland, Maryland 21550 www.garrettcounty.org
>
> _______________________________________________
> sipx-users mailing list
> [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-users/

Same here. From 00:34 - 01:39 GMT, 14 October. Coming from two addresses apparently in China.

--
Dan McDaniel
[email protected]
Key fingerprint = CAEC B8D9 3701 86CF D3B2 1E99 D8BB F217 455C AD36

--
======================
Tony Graziano, Manager
Telephone: 434.984.8430
sip: [email protected]
Fax: 434.326.5325
Email: [email protected]
LAN/Telephony/Security and Control Systems
Helpdesk: Telephone: 434.984.8426 sip: [email protected]
Helpdesk Contract Customers: http://support.myitdepartment.net
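The CDR lines quoted in this thread show the signature of a scanner hunting for an open gateway: one caller ("sip"), one target number, a different international dialing prefix on every attempt, every call Failed, all inside a couple of minutes. The following detector is an added example written for this page, not sipXecs code and not something anyone on the thread posted; it parses CDR lines of the shape shown above, strips the `#` characters, and flags a caller whose failed calls within a sliding window go to many distinct dial strings that all end in the same long digit suffix. The sample CDR text is constructed to follow the posted snippet (with two ordinary extension 201 calls added as noise), and the thresholds (10-minute window, 5 distinct dial strings, 7-digit target) are assumptions to tune per site.

```python
"""Flag dial-plan prefix probing in sipXecs-style CDR exports.

Added example, not sipXecs code.  A scanner looking for an open gateway
sends one INVITE per candidate prefix to a single target number, so the
CDR shows one caller, many distinct dial strings sharing one long suffix,
all Failed, inside a short window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample modelled on the CDR snippet in the thread; not real traffic.
# Columns: caller, dialed, date, time, duration, result.
SAMPLE_CDR = """\
Caller Dialed Date Time Duration Result
sip 00000#442075005000 10/13/10 11:12 PM 00:00:00 Failed
sip 00001442075005000 10/13/10 11:12 PM 00:00:00 Failed
sip 0001442075005000 10/13/10 11:12 PM 00:00:00 Failed
sip 0011#442075005000 10/13/10 11:12 PM 00:00:00 Failed
sip 002442075005000 10/13/10 11:12 PM 00:00:00 Failed
sip 011#442075005000 10/13/10 11:12 PM 00:00:00 Failed
sip 1442075005000 10/13/10 11:12 PM 00:00:00 Failed
sip 111442075005000 10/13/10 11:12 PM 00:00:00 Failed
sip 2442075005000 10/13/10 11:13 PM 00:00:00 Failed
sip 8442075005000 10/13/10 11:13 PM 00:00:00 Failed
sip 99442075005000 10/13/10 11:13 PM 00:00:00 Failed
sip 9442075005000 10/13/10 11:13 PM 00:00:00 Failed
201 202 10/13/10 11:14 PM 00:02:31 Completed
201 914105551212 10/13/10 11:16 PM 00:00:00 Failed
201 914105551212 10/13/10 11:17 PM 00:00:00 Failed
sip 00000442075005000 10/13/10 11:25 PM 00:00:00 Failed
sip 000001442075005000 10/13/10 11:25 PM 00:00:00 Failed
sip 00011#442075005000 10/13/10 11:25 PM 00:00:00 Failed
sip 009442075005000 10/13/10 11:25 PM 00:00:00 Failed
sip 009#442075005000 10/13/10 11:25 PM 00:00:00 Failed
"""

CDR_RE = re.compile(
    r"^(?P<caller>\S+)\s+(?P<dialed>\S+)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{2})\s+(?P<time>\d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<duration>\d{2}:\d{2}:\d{2})\s+(?P<result>\w+)$"
)


def parse_cdr(text):
    """Yield (caller, dialed, timestamp, result); skip headers and unparseable lines."""
    for line in text.splitlines():
        m = CDR_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %I:%M %p")
        yield m["caller"], m["dialed"], ts, m["result"]


def digits(dialed):
    """Drop '#', '*' and anything else non-numeric: '0011#4420...' -> '00114420...'."""
    return re.sub(r"\D", "", dialed)


def common_suffix(nums):
    """Longest suffix shared by every string in nums ('' for an empty list)."""
    if not nums:
        return ""
    rev = [n[::-1] for n in nums]
    i = 0
    while all(len(r) > i and r[i] == rev[0][i] for r in rev):
        i += 1
    return rev[0][:i][::-1]


def find_prefix_probes(text, window_minutes=10, min_attempts=5, min_target_len=7):
    """One alert per (caller, target): within the window the caller had failed
    calls to >= min_attempts distinct dial strings that all end in the same
    target of >= min_target_len digits.  Thresholds are assumptions."""
    window = timedelta(minutes=window_minutes)
    failed = defaultdict(list)
    for caller, dialed, ts, result in parse_cdr(text):
        if result.lower() == "failed":
            failed[caller].append((ts, digits(dialed)))

    alerts = {}
    for caller, calls in failed.items():
        calls.sort()
        recent = deque()  # sliding window of (timestamp, digits)
        for ts, num in calls:
            recent.append((ts, num))
            while ts - recent[0][0] > window:
                recent.popleft()
            distinct = sorted({n for _, n in recent})
            target = common_suffix(distinct)
            if len(distinct) >= min_attempts and len(target) >= min_target_len:
                key = (caller, target)
                if key not in alerts or len(distinct) > alerts[key]["attempts"]:
                    alerts[key] = {
                        "caller": caller, "target": target,
                        "attempts": len(distinct),
                        "first": recent[0][0], "last": ts,
                        "prefixes": [n[:-len(target)] for n in distinct],
                    }
    return list(alerts.values())


if __name__ == "__main__":
    for a in find_prefix_probes(SAMPLE_CDR):
        print(f"{a['caller']} probed {a['target']} with {a['attempts']} prefixes "
              f"between {a['first']:%H:%M} and {a['last']:%H:%M}: {a['prefixes']}")
```

Requiring distinct dial strings is what keeps a legitimate user who redials one bad number out of the alert; requiring a long common suffix is what separates prefix probing from a user simply misdialing several unrelated numbers. Note that the second burst at 11:25 in the sample falls outside the default 10-minute window and is scored separately, which is why the window is a parameter rather than a constant.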
