Over the last two weeks, we have had at least two "incidents" where our asterisk server got flooded (a hundred or more per second) by SIP packets. Once from 114.31.50.10, second time from 173.212.200.146. We became aware of the problem when bandwidth started suffering because asterisk got very busy sending back replies or rejects (dunno which, I didn't investigate it any further).

The immediate issues were dealt with by having the firewall drop those packets, but I was wondering:

1) if anyone has seen the same problem, and
2) if you've got some iptables rules for limiting inbound SIP by rate? (or some such).

thanks
Per Jessen, Zürich

--
http://www.spamchek.com/ - your spam is our business.
On Thu, 2010-10-28 at 09:41 +0200, Per Jessen wrote:
> Over the last two weeks, we have had at least two "incidents" where our
> asterisk server got flooded (a hundred or more per second) by SIP
> packets. Once from 114.31.50.10, second time from 173.212.200.146. We
> became aware of the problem when bandwidth started suffering because
> asterisk got very busy sending back replies or rejects (dunno which, I
> didn't investigate it any further).
> The immediate issues were dealt with by having the firewall drop those
> packets, but I was wondering:
>
> 1) if anyone has seen the same problem, and
> 2) if you've got some iptables rules for limiting inbound SIP by rate?
> (or some such).
>
>
> thanks
> Per Jessen, Zürich

Was it legitimate requests or a brute force attack? If it was a brute force attack, have you considered using fail2ban?

Ish

--
Ishfaq Malik
Software Developer
PackNet Ltd
Office: 0161 660 3062
On 28.10.2010 09:41, Per Jessen wrote:
> Over the last two weeks, we have had at least two "incidents" where our
> asterisk server got flooded (a hundred or more per second) by SIP
> packets. Once from 114.31.50.10, second time from 173.212.200.146. We
> became aware of the problem when bandwidth started suffering because
> asterisk got very busy sending back replies or rejects (dunno which, I
> didn't investigate it any further).
> The immediate issues were dealt with by having the firewall drop those
> packets, but I was wondering:
>
> 1) if anyone has seen the same problem, and
> 2) if you've got some iptables rules for limiting inbound SIP by rate?
> (or some such).
>
>
> thanks
> Per Jessen, Zürich
>

Hello Per,

(iptables) rule #1: search the archives !!!!

You will find nearly as many postings about that problem as your server received SIP packets ... ;-)

Norbert
Fail2Ban

Regards

----- Original Message -----
From: "Per Jessen" <per at computer.org>
To: <asterisk-users at lists.digium.com>
Sent: Thursday, October 28, 2010 2:41 AM
Subject: [asterisk-users] being bombarded with SIP packets

> Over the last two weeks, we have had at least two "incidents" where our
> asterisk server got flooded (a hundred or more per second) by SIP
> packets. Once from 114.31.50.10, second time from 173.212.200.146. We
> became aware of the problem when bandwidth started suffering because
> asterisk got very busy sending back replies or rejects (dunno which, I
> didn't investigate it any further).
> The immediate issues were dealt with by having the firewall drop those
> packets, but I was wondering:
>
> 1) if anyone has seen the same problem, and
> 2) if you've got some iptables rules for limiting inbound SIP by rate?
> (or some such).
>
>
> thanks
> Per Jessen, Zürich
>
> --
> http://www.spamchek.com/ - your spam is our business.
>
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
Two incidents in two weeks is not bad. I get 2-4 a day. There must be many here with even more than that.

You should start considering some safety practices like disabling long distance and international calls by default, put a cap on long distance and international calls even for genuine users, and for those who don't want to have caps, get their consent that they'll not argue with you if their accounts are hacked. Probably do prepaid billing at least for long distance and international calls.

Other than that, fail2ban is a must have. Detailed installation instructions can be found on the voip-info.org website and also in my blogs at ilovetovoip.com.

Regards,
Zeeshan A Zakaria

--
www.ilovetovoip.com
www.pbxforall.com (beta)

On 2010-10-28 3:48 AM, "Per Jessen" <per at computer.org> wrote:
> Over the last two weeks, we have had at least two "incidents" where our
> asterisk server got flooded (a hundred or more per second) by SIP
> packets. Once from 114.31.50.10, second time from 173.212.200.146. We
> became aware of the problem when bandwidth started suffering because
> asterisk got very busy sending back replies or rejects (dunno which, I
> didn't investigate it any further).
> The immediate issues were dealt with by having the firewall drop those
> packets, but I was wondering:
>
> 1) if anyone has seen the same problem, and
> 2) if you've got some iptables rules for limiting inbound SIP by rate?
> (or some such).
>
> thanks
> Per Jessen, Zürich
>
> --
> http://www.spamchek.com/ - your spam is our business.
On 10/28/2010 3:41 AM, Per Jessen wrote:
> 2) if you've got some iptables rules for limiting inbound SIP by rate?

Exactly what I was going through; here's how I reacted (throttles both SSH and SIP REGISTER):

First, I completely blocked all non-North American & Amazon EC2 networks - I won't be registering my sip phone in Nigeria nor from within EC2* any time soon.

Then in my iptables startup script:

    # LOGOPTS and PRE are assumed to be set earlier in the startup script
    # (LOG target options and a log-prefix string); they are not shown here.
    iptables -N THROTTLE

    # SIP REGISTER requests and new SSH connections go through THROTTLE
    iptables -A INPUT -i eth0 -p udp --dport 5060 \
        -m string --string "REGISTER sip:" --algo bm --to 65 -j THROTTLE
    iptables -A INPUT -i eth0 -p tcp --dport 22 \
        -m state --state NEW -j THROTTLE

    # record every hit for the source, then log and drop sources that
    # exceed 15 hits/day, 12 hits/hour or 6 hits/minute
    iptables -A THROTTLE -m recent --set --name ABUSE
    iptables -A THROTTLE -m recent --update --seconds 86400 \
        --hitcount 15 --name ABUSE -j LOG $LOGOPTS "$PRE"h15_
    iptables -A THROTTLE -m recent --rcheck --seconds 86400 \
        --hitcount 15 --name ABUSE -j DROP
    iptables -A THROTTLE -m recent --update --seconds 3600 \
        --hitcount 12 --name ABUSE -j LOG $LOGOPTS "$PRE"h12_
    iptables -A THROTTLE -m recent --rcheck --seconds 3600 \
        --hitcount 12 --name ABUSE -j DROP
    iptables -A THROTTLE -m recent --update --seconds 60 \
        --hitcount 6 --name ABUSE -j LOG $LOGOPTS "$PRE"h6_
    iptables -A THROTTLE -m recent --rcheck --seconds 60 \
        --hitcount 6 --name ABUSE -j DROP

    # packets that return from THROTTLE fall through to these ACCEPT rules
    iptables -A INPUT -i eth0 -p udp --dport 5060 \
        --sport 1024:65535 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 22 \
        --sport 1024:65535 -j ACCEPT

Note that some SIP clients send more than one REGISTER per startup -- e.g. Siphon on the iPhone registers without credentials first, asterisk sends back "unauthorized", then Siphon tries again with the configured username and password.
For exactly how I'm using it:

    mkdir /usr/local/script
    cd /usr/local/script
    wget http://jeremy.kister.net/code/iptables/make-non-na.pl
    wget http://jeremy.kister.net/code/iptables/iptables.init
    mv iptables.init /etc/init.d/iptables
    # vi iptables
    #   change the MYLAN to your lan network
    #   change the RDPRANGE to the range defined in /etc/asterisk/rdp.conf
    ln -s /etc/init.d/iptables /etc/rc2.d/iptables
    ln -s /etc/init.d/iptables /etc/rc3.d/iptables
    crontab -e
    # put in something to run make-non-na.pl once per week
    /usr/local/script/make-non-na.pl
    /etc/init.d/iptables start

* = if you use the Acrobits softphone, you'll need to let EC2 through for push notifications. Currently, I just put 184.72.221.84 in the siprtp section of the iptables script.

--
Jeremy Kister
http://jeremy.kister.net./
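As an added example (not Jeremy's code or the script linked above), a small Python replay of the THROTTLE chain's xt_recent logic over two constructed traffic patterns: a one-second REGISTER flood like the one Per described, and a remote softphone that double-registers at startup and then re-registers every 600 s. The source addresses and timings are constructed; the 20-stamp cap is the recent module's default ip_pkt_list_tot.

```python
from collections import defaultdict, deque

# Thresholds from the posted THROTTLE chain as (--seconds window, --hitcount),
# checked in the order the rules appear.
THRESHOLDS = ((86400, 15), (3600, 12), (60, 6))
# xt_recent keeps at most this many timestamps per source address (the
# module's ip_pkt_list_tot parameter; 20 is the kernel default).
PKT_LIST_TOT = 20


def throttle(events, thresholds=THRESHOLDS, pkt_list_tot=PKT_LIST_TOT):
    """Replay (timestamp, src_ip) REGISTER arrivals through the chain and
    return a list of (timestamp, src_ip, verdict), verdict ACCEPT or DROP."""
    stamps = defaultdict(lambda: deque(maxlen=pkt_list_tot))
    verdicts = []
    for ts, src in events:
        # '-m recent --set --name ABUSE' is the first rule in THROTTLE, so every
        # packet is recorded, dropped ones included: a source that keeps
        # flooding stays blocked for as long as it floods.
        stamps[src].append(ts)
        verdict = "ACCEPT"
        for window, hitcount in thresholds:
            # --rcheck --seconds W --hitcount H: at least H stamps within W seconds
            if sum(1 for t in stamps[src] if ts - t <= window) >= hitcount:
                verdict = "DROP"
                break
        verdicts.append((ts, src, verdict))
    return verdicts


def flood_scenario():
    """Constructed flood: 100 REGISTERs in one second from one source."""
    return throttle([(i * 0.01, "198.51.100.7") for i in range(100)])


def remote_phone_scenario():
    """Constructed remote softphone: a Siphon-style double REGISTER at
    startup, then one re-REGISTER every 600 s for a day."""
    events = [(0.0, "203.0.113.5"), (0.5, "203.0.113.5")]
    events += [(600.0 * k, "203.0.113.5") for k in range(1, 145)]
    return throttle(events)


if __name__ == "__main__":
    flood = flood_scenario()
    print("flood: accepted", sum(v == "ACCEPT" for _, _, v in flood), "of", len(flood))
    phone = remote_phone_scenario()
    print("remote phone: first dropped REGISTER is number",
          1 + next(i for i, (_, _, v) in enumerate(phone) if v == "DROP"))
```

The flood is cut off at its sixth packet and stays dropped, while the remote phone is dropped at its 15th REGISTER of the day: the 86400-second rule counts routine re-registrations too, which is why remote phones need either a long registration expiry or an ACCEPT rule ahead of THROTTLE.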