OK, I was just looking at my firewall rules. I have a rule that, instead of dropping blacklisted IPs, was tarpitting them. Do you think the tarpit may have been the problem? I changed that rule to drop instead and haven't had the problem since.

Kurt Fankhauser
WAVELINC
P.O. Box 126
Bucyrus, OH 44820
419-562-6405

_____

From: [email protected] [mailto:[email protected]] On Behalf Of RickG
Sent: Saturday, October 09, 2010 6:13 PM
To: WISPA General List
Subject: Re: [WISPA] port 5060 relaying attack?

Packet sniffer works better for this.

On Sat, Oct 9, 2010 at 5:45 PM, Gustavo Santos <[email protected]> wrote:

Try using MikroTik's TORCH on your WAN interface to see exactly what's going on.

2010/10/8 Kurt Fankhauser <[email protected]>

I think it's starting from outside.

Kurt Fankhauser
WAVELINC
P.O. Box 126
Bucyrus, OH 44820
419-562-6405

_____

From: [email protected] [mailto:[email protected]] On Behalf Of Cameron Crum
Sent: Friday, October 08, 2010 3:09 PM
To: WISPA General List
Subject: Re: [WISPA] port 5060 relaying attack?

Can't you look at the inside of your network to see which IP is generating the traffic? Or is it originating off your network?

On Thu, Oct 7, 2010 at 11:17 PM, RickG <[email protected]> wrote:

I had that same EXACT thing happen to me about a month ago. Sniffed it out (with the help from the list) and blocked the IP. Yes, I'm on TW fiber.

-RickG

On Thu, Oct 7, 2010 at 4:22 PM, Kurt Fankhauser <[email protected]> wrote:

I never have had this happen for 6 years until I got my new fiber line installed from Time Warner. Apparently a few times a day someone starts a relay of SIP connections (or so it appears) through my fiber connection. It maxes out the download and upload of my 30/30 meg fiber and has about 30k-50k packets-per-second coming in and going right back out at the same time it maxes out the RB1000 CPU usage. Most of the time the problem only lasts for a few minutes but earlier today it lasted for over an hour. I have attached a few screenshots from Winbox during the attack. The 98.102.246.252 address is the address that all my NAT customers are being SRCNAT'ed to. Does anyone have a dynamic firewall rule handy that would stop this?

I can't seem to find the IP address it is coming from because my core router's IPs are the ones showing up in the firewall connections. Possibly being spoofed I presume.

-Kurt Fankhauser
WAVELINC
P.O. Box 126
Bucyrus, OH 44820
www.wavelinc.com

--------------------------------------------------------------------------------
WISPA Wants You! Join today!
http://signup.wispa.org/
--------------------------------------------------------------------------------
WISPA Wireless List: [email protected]
Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/

--
Gustavo Santos
Network Analyst
- Technologist in Computer Networks
- Postgraduate student in Computer Networks and Telecommunications
- Cisco Certified Network Associate
- Juniper Certified Internet Associate - ER
- Mikrotik Certified Consultant
