Patrick
2011-Mar-17 05:37 UTC
[asterisk-users] SIP registration DoS but no logs in messages
Dear mailing list,

I've an Asterisk 1.4.21.2~dfsg-3+lenny1 package installed on my Debian and I've a strange behavior.

After some days running normally, my Asterisk is under heavy attack; however, there is nothing logged in the console (logging from debug -> error) or file (level from notice -> error). I can see that there is also a peak in the network traffic.

My first guess is that I'm suffering from a SIP registration DoS, but, as there is nothing logged about a "not matching peer" or "incorrect password" logged to file, my fail2ban script is not blocking the attacker.

I normally restart Asterisk and the logs start logging the attacks again, but today it's not working.

FYI, I've checked and my loggers are not muted and the logging level is at least "notice". I've also reloaded my loggers but with no effect.

Have you already experienced such a situation? Is there any known issue with the logging module stopping while Asterisk is DoS'ed?

Best regards,
Patrick
Paul Hayes
2011-Mar-17 14:16 UTC
[asterisk-users] SIP registration DoS but no logs in messages
On 17/03/11 05:37, Patrick wrote:
> Dear mailing list,
>
> I've an Asterisk 1.4.21.2~dfsg-3+lenny1 package installed on my Debian
> and I've a strange behavior.
>
> After some days running normally, my Asterisk is under heavy attack;
> however, there is nothing logged in the console (logging from debug ->
> error) or file (level from notice -> error).
> I can see that there is also a peak in the network traffic.
>
> My first guess is that I'm suffering from a SIP registration DoS, but,
> as there is nothing logged about a "not matching peer" or "incorrect
> password" logged to file, my fail2ban script is not blocking the
> attacker.
>
> I normally restart Asterisk and the logs start logging the attacks again,
> but today it's not working.
>
> FYI, I've checked and my loggers are not muted and the logging level
> is at least "notice". I've also reloaded my loggers but with no effect.
>
> Have you already experienced such a situation? Is there any known
> issue with the logging module stopping while Asterisk is DoS'ed?
>
> Best regards,
> Patrick

It's possible that fail2ban has already blocked the incoming registration attempts but the attacker is still blindly sending packets to you. This is often a sign that the attacker is using an old version of sip-vicious; you can often stop such things by using the "svcrash.py" script they now provide.

Check your iptables logs.

cheers,
Paul.
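Paul's point is that packets rejected by the firewall never reach Asterisk, so its logs go quiet while the traffic graph stays high, and the evidence moves to the kernel log. The following is an added example, not code from the thread or from the Asterisk or fail2ban projects: it parses netfilter LOG-target lines from syslog and counts dropped packets and bytes per source aimed at the SIP port. It assumes the firewall has a LOG rule with `--log-prefix "SIP-DROP: "` placed before the DROP; that prefix, the file path, and the sample log lines are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Assumed --log-prefix on the iptables LOG rule that precedes the DROP rule.
LOG_PREFIX = "SIP-DROP:"
# Default kernel log location on Debian; adjust for your syslog setup.
KERNEL_LOG = "/var/log/kern.log"

# key=value tokens as written by the netfilter LOG target; flags such as
# "DF" carry no "=" and are intentionally skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines in the shape the LOG target writes to syslog.
# Addresses are documentation ranges; the sshd line shows that unrelated
# entries are ignored.
SAMPLE_LOG = """\
Mar 17 05:36:58 pbx kernel: [81231.101] SIP-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=452 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5062 DPT=5060 LEN=432
Mar 17 05:36:58 pbx kernel: [81231.104] SIP-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=452 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5062 DPT=5060 LEN=432
Mar 17 05:36:59 pbx kernel: [81231.990] SIP-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=452 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5062 DPT=5060 LEN=432
Mar 17 05:37:00 pbx kernel: [81232.000] SIP-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=120 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=100
Mar 17 05:37:00 pbx sshd[2211]: Accepted publickey for admin from 203.0.113.9 port 50022 ssh2
Mar 17 05:37:01 pbx kernel: [81233.222] SIP-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=452 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5062 DPT=5060 LEN=432
"""


def parse_drop_line(line):
    """Return the netfilter fields of one prefixed LOG line, or None otherwise."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields = {}
    for match in FIELD_RE.finditer(line[idx + len(LOG_PREFIX):]):
        key, value = match.group(1), match.group(2)
        # LEN appears twice (IP total length, then UDP length); keep the first.
        if key not in fields:
            fields[key] = value
    return fields


def summarize_drops(text, dport="5060"):
    """Count dropped packets and IP bytes per source address sent to dport."""
    packets, nbytes = Counter(), Counter()
    for line in text.splitlines():
        fields = parse_drop_line(line)
        if fields is None or fields.get("DPT") != dport or "SRC" not in fields:
            continue
        packets[fields["SRC"]] += 1
        nbytes[fields["SRC"]] += int(fields.get("LEN", "0"))
    return packets, nbytes


def noisy_sources(text, min_packets=3, dport="5060"):
    """Sources at or above min_packets dropped packets, busiest first.

    Returns a list of (source, packet_count, byte_count) tuples."""
    packets, nbytes = summarize_drops(text, dport)
    rows = [(src, n, nbytes[src]) for src, n in packets.items() if n >= min_packets]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    # Read the real kernel log when given a path, otherwise run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for src, count, total in noisy_sources(text):
        print(f"{src:<16} {count:>6} packets {total:>10} bytes")
```

Run it as `python3 sipdrops.py /var/log/kern.log` on the box; a source that keeps appearing with a steady packet rate after its block went in matches the behaviour Paul describes, and the byte total explains the traffic peak that Asterisk itself never sees.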