I'm currently receiving over 200 SIP REGISTER requests per second from a machine apparently in Italy, host97-239-149-62.serverdedicati.aruba.it. This has continued for several days, and abuse at staff.aruba.it are unresponsive. I've had a couple of similar incidents recently, the others originating from uk2.net.

I have an ADSL connection and responding to these REGISTERs was consuming all my outbound bandwidth. I am now dropping the packets but still some 600kbps of inbound bandwidth is consumed by this.

The packets look something like this:

REGISTER sip:62.3.200.113 SIP/2.0
Via: SIP/2.0/UDP 62.149.239.97:5086;branch=z9hG4bK-2570753370;rport
Content-Length: 0
From: "test" <sip:test at 62.3.200.113>
Accept: application/sdp
User-Agent: friendly-scanner
To: "test" <sip:test at 62.3.200.113>
Contact: sip:123 at 1.1.1.1
CSeq: 1 REGISTER
Call-ID: 3778139552
Max-Forwards: 70

I'm guessing the 'friendly-scanner' bit is sarcastic, as there is little that is friendly about this behaviour.

Has anyone else experienced this? Is this intended as a DOS attack, or is it a dictionary attack? Or something else? What is the best strategy for dealing with it?

For now I have started rate limiting SIP connections to Asterisk, but what is a reasonable rate for each host to be allowed? This is a small SOHO installation.

Thanks

Chris
On Apr 12, 2010, at 4:50 PM, Chris Hastie wrote:

> I'm currently receiving over 200 SIP REGISTER requests per second from a
> machine apparently in Italy, host97-239-149-62.serverdedicati.aruba.it.
> This has continued for several days, and abuse at staff.aruba.it are
> unresponsive. I've had a couple of similar incidents recently, the
> others originating from uk2.net.
>
> ...snip...
>
> Has anyone else experienced this? Is this intended as a DOS attack, or
> is it a dictionary attack? Or something else? What is the best strategy
> for dealing with it?
>
> For now I have started rate limiting SIP connections to Asterisk, but
> what is a reasonable rate for each host to be allowed? This is a small
> SOHO installation.
>
> Thanks
>
> Chris

This is a pretty decent day for this. There's been discussion on the EC2 attack in progress (http://bit.ly/ec2sipattack) as well as decent suggestions around town. Some people like a fail2ban approach. Others are using IP Tables manually or contacting their upstream to block the traffic. And an interesting redirect solution was posted by Joshua Stein: http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/

---fred
http://qxork.com
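Added example, not code from either poster: a small Python detector for the pattern Chris describes, combining the per-host REGISTER rate limit he asks about with a check on the User-Agent these packets carry, of the kind that would feed the fail2ban or iptables blocking Fred mentions. The sample packet is constructed from the one quoted above; the limit of 5 REGISTERs per 10 seconds per host and the scanner User-Agent list are assumptions, not figures from the thread.

```python
from collections import defaultdict, deque
# Constructed sample, modelled on the REGISTER quoted in the thread (not captured traffic).
SAMPLE_REGISTER = (
    "REGISTER sip:62.3.200.113 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 62.149.239.97:5086;branch=z9hG4bK-2570753370;rport\r\n"
    'From: "test" <sip:test@62.3.200.113>\r\n'
    "User-Agent: friendly-scanner\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Call-ID: 3778139552\r\n\r\n"
)
SCANNER_AGENTS = ("friendly-scanner", "sipvicious")  # assumed UA strings that mark a scanner

def parse_sip(raw):
    """Return (method, {lowercased header name: value}) for a SIP request, or None if malformed."""
    head = raw.partition("\r\n\r\n")[0].split("\r\n")
    parts = head[0].split()
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], headers

class RegisterRateLimiter:
    """Per-source sliding window: more than `limit` REGISTERs in `window` seconds blocks the source."""
    def __init__(self, limit=5, window=10.0):
        self.limit, self.window = limit, window
        self.times = defaultdict(deque)   # src_ip -> REGISTER arrival times inside the window
        self.blocked = set()

    def observe(self, src_ip, raw, now):
        """Classify one inbound packet as 'allow' or 'block'; a blocked source stays blocked."""
        if src_ip in self.blocked:
            return "block"
        parsed = parse_sip(raw)
        if parsed is None:
            return "allow"            # not parseable as SIP: leave the decision to the PBX
        method, headers = parsed
        if any(a in headers.get("user-agent", "").lower() for a in SCANNER_AGENTS):
            self.blocked.add(src_ip)  # known scanner UA: block on first sight
        elif method == "REGISTER":
            q = self.times[src_ip]
            q.append(now)
            while now - q[0] > self.window:   # drop arrivals older than the window
                q.popleft()
            if len(q) > self.limit:
                self.blocked.add(src_ip)
        return "block" if src_ip in self.blocked else "allow"
```

The `blocked` set is what you would hand to a firewall rule; the sliding window also tells you how much headroom a legitimate phone (which re-REGISTERs every few minutes) has under a given limit.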