I am being sneaky sneaky sir =) You can probably just drop all 5060/tcp input forever as I seriously doubt your Mikrotik is a SIP gateway.
Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373 On Mon, Oct 11, 2010 at 4:03 PM, RickG <rgunder...@gmail.com> wrote: > Was hoping you'd chime in Josh :) > > > On Mon, Oct 11, 2010 at 10:37 AM, Josh Luthman < > j...@imaginenetworksllc.com> wrote: > >> "...delays incoming connections for as long as possible." >> >> http://en.wikipedia.org/wiki/Tarpit_%28networking%29 >> >> Josh Luthman >> Office: 937-552-2340 >> Direct: 937-552-2343 >> 1100 Wayne St >> Suite 1337 >> Troy, OH 45373 >> >> >> >> On Mon, Oct 11, 2010 at 10:35 AM, Kurt Fankhauser <k...@wavelinc.com>wrote: >> >>> Ok I was just looking at my firewall rules. I have a rule that was >>> instead of “dropping” blacklisted IP’s it was “tarpitting” them. Do you >>> think the tarpit may have been the problem? I changed that rule to drop >>> instead and havn’t had the problem since. >>> >>> >>> >>> Kurt Fankhauser >>> >>> WAVELINC >>> >>> P.O. Box 126 >>> >>> Bucyrus, OH 44820 >>> >>> 419-562-6405 >>> >>> >>> >>> >>> ------------------------------ >>> >>> *From:* wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] *On >>> Behalf Of *RickG >>> *Sent:* Saturday, October 09, 2010 6:13 PM >>> >>> *To:* WISPA General List >>> *Subject:* Re: [WISPA] port 5060 relaying attack? >>> >>> >>> >>> Packet sniffer works better for this. >>> >>> On Sat, Oct 9, 2010 at 5:45 PM, Gustavo Santos <gustkil...@gmail.com> >>> wrote: >>> >>> Try using mikrotik´s TORCH on your wan interface to see exectly what´s >>> going on. >>> >>> 2010/10/8 Kurt Fankhauser <k...@wavelinc.com> >>> >>> I think its starting from outsite >>> >>> >>> >>> Kurt Fankhauser >>> >>> WAVELINC >>> >>> P.O. Box 126 >>> >>> Bucyrus, OH 44820 >>> >>> 419-562-6405 >>> >>> >>> >>> >>> ------------------------------ >>> >>> *From:* wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] *On >>> Behalf Of *Cameron Crum >>> *Sent:* Friday, October 08, 2010 3:09 PM >>> *To:* WISPA General List >>> *Subject:* Re: [WISPA] port 5060 relaying attack? >>> >>> >>> >>> Can't you look at the inside of your network to see which ip is >>> generating the traffic? O Ris it originating off your network? >>> >>> On Thu, Oct 7, 2010 at 11:17 PM, RickG <rgunder...@gmail.com> wrote: >>> >>> I had that same EXACT thing happen to me about a month ago. Sniffed it >>> out (with the help from the list) and blocked the ip. Yes, I'm on TW fiber. >>> -RickG >>> >>> On Thu, Oct 7, 2010 at 4:22 PM, Kurt Fankhauser <k...@wavelinc.com> >>> wrote: >>> >>> I never have had this happen for 6 years until I got my new fiber line >>> installed form Time Warner. Apparently a few times a day somone starts a >>> relay of SIP connections (or so it appears) through my fiber connection. It >>> maxes out the download and upload of my 30/30 meg fiber and has about >>> 30k-50k packets-per-second coming in and going right back out at the same >>> time it maxes out the RB1000 CPU usage. Most of the time the problem only >>> last for a few minutes but earlier today it lasted for over an hour. I have >>> attached a few screenshots from Winbox during the attack. The 98.102.246.252 >>> address is the address that all my NAT customers are being SRCNAT'ed to. >>> Does anyone have a dynamic firewall rule handy that would stop this? I can't >>> seem to find the IP address it is coming from because my core router's IP's >>> are the ones showing up in the fire wall connections. Possibly be-ing >>> spoofed I presume. >>> >>> >>> >>> -Kurt Fankhauser >>> >>> WAVELINC >>> >>> P.O. Box 126 >>> >>> Bucyrus, OH 44820 >>> >>> www.wavelinc.com >>> >>> >>> >>> >>> -------------------------------------------------------------------------------- >>> WISPA Wants You! Join today! >>> http://signup.wispa.org/ >>> >>> -------------------------------------------------------------------------------- >>> >>> WISPA Wireless List: wireless@wispa.org >>> >>> Subscribe/Unsubscribe: >>> http://lists.wispa.org/mailman/listinfo/wireless >>> >>> Archives: http://lists.wispa.org/pipermail/wireless/ >>> >>> >>> >>> >>> >>> >>> -------------------------------------------------------------------------------- >>> WISPA Wants You! Join today! >>> http://signup.wispa.org/ >>> >>> -------------------------------------------------------------------------------- >>> >>> WISPA Wireless List: wireless@wispa.org >>> >>> Subscribe/Unsubscribe: >>> http://lists.wispa.org/mailman/listinfo/wireless >>> >>> Archives: http://lists.wispa.org/pipermail/wireless/ >>> >>> >>> >>> >>> >>> >>> >>> -------------------------------------------------------------------------------- >>> WISPA Wants You! Join today! >>> http://signup.wispa.org/ >>> >>> -------------------------------------------------------------------------------- >>> >>> WISPA Wireless List: wireless@wispa.org >>> >>> Subscribe/Unsubscribe: >>> http://lists.wispa.org/mailman/listinfo/wireless >>> >>> Archives: http://lists.wispa.org/pipermail/wireless/ >>> >>> >>> >>> >>> -- >>> Gustavo Santos >>> Analista de Redes >>> -Tecnólogo em Redes de Computadores >>> -Pós Graduando em Redes de Computadores e Telecomunicações >>> -Cisco Certified Network Associate >>> -Juniper Certified Internet Associate - ER >>> -Mikrotik Certified Consultant >>> >>> >>> >>> >>> >>> -------------------------------------------------------------------------------- >>> WISPA Wants You! Join today! >>> http://signup.wispa.org/ >>> >>> -------------------------------------------------------------------------------- >>> >>> WISPA Wireless List: wireless@wispa.org >>> >>> Subscribe/Unsubscribe: >>> http://lists.wispa.org/mailman/listinfo/wireless >>> >>> Archives: http://lists.wispa.org/pipermail/wireless/ >>> >>> >>> >>> >>> >>> >>> -------------------------------------------------------------------------------- >>> WISPA Wants You! Join today! >>> http://signup.wispa.org/ >>> >>> -------------------------------------------------------------------------------- >>> >>> WISPA Wireless List: wireless@wispa.org >>> >>> Subscribe/Unsubscribe: >>> http://lists.wispa.org/mailman/listinfo/wireless >>> >>> Archives: http://lists.wispa.org/pipermail/wireless/ >>> >> >> >> >> >> >> -------------------------------------------------------------------------------- >> WISPA Wants You! Join today! >> http://signup.wispa.org/ >> >> -------------------------------------------------------------------------------- >> >> WISPA Wireless List: wireless@wispa.org >> >> Subscribe/Unsubscribe: >> http://lists.wispa.org/mailman/listinfo/wireless >> >> Archives: http://lists.wispa.org/pipermail/wireless/ >> > > > > > > -------------------------------------------------------------------------------- > WISPA Wants You! Join today! > http://signup.wispa.org/ > > -------------------------------------------------------------------------------- > > WISPA Wireless List: wireless@wispa.org > > Subscribe/Unsubscribe: > http://lists.wispa.org/mailman/listinfo/wireless > > Archives: http://lists.wispa.org/pipermail/wireless/ >
-------------------------------------------------------------------------------- WISPA Wants You! Join today! http://signup.wispa.org/ -------------------------------------------------------------------------------- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/