Sounds like a SIP DOS or possibly brute-force attack. We get them from time to time.
On Thu, Oct 7, 2010 at 3:22 PM, Kurt Fankhauser <[email protected]> wrote: > I never have had this happen for 6 years until I got my new fiber line > installed form Time Warner. Apparently a few times a day somone starts a > relay of SIP connections (or so it appears) through my fiber connection. It > maxes out the download and upload of my 30/30 meg fiber and has about > 30k-50k packets-per-second coming in and going right back out at the same > time it maxes out the RB1000 CPU usage. Most of the time the problem only > last for a few minutes but earlier today it lasted for over an hour. I have > attached a few screenshots from Winbox during the attack. The 98.102.246.252 > address is the address that all my NAT customers are being SRCNAT'ed to. > Does anyone have a dynamic firewall rule handy that would stop this? I can't > seem to find the IP address it is coming from because my core router's IP's > are the ones showing up in the fire wall connections. Possibly be-ing > spoofed I presume. > > -Kurt Fankhauser > WAVELINC > P.O. Box 126 > Bucyrus, OH 44820 > www.wavelinc.com > > > -------------------------------------------------------------------------------- > WISPA Wants You! Join today! > http://signup.wispa.org/ > -------------------------------------------------------------------------------- > > WISPA Wireless List: [email protected] > > Subscribe/Unsubscribe: > http://lists.wispa.org/mailman/listinfo/wireless > > Archives: http://lists.wispa.org/pipermail/wireless/ > -------------------------------------------------------------------------------- WISPA Wants You! Join today! http://signup.wispa.org/ -------------------------------------------------------------------------------- WISPA Wireless List: [email protected] Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
