Gordon Henderson wrote:
> On Mon, 30 Aug 2010, J. Oquendo wrote:
>
> I also posted a very effective iptables script some weeks ago if you care
> to search the archives. It works and is extremely effective in blocking
> these types of attacks - however, it will not stop a broken sipvicious
> from continuing to send data to your server, and that's the issue I have
> at present.
Alright, so I'm slightly confused; maybe I'm reading this wrong... Someone using an older version of sipvicious was blocked and the "blocking" of the traffic still carried a load? If so then you should have logged into your router and simply sinkholed him. There is nothing you can do against a flood, whether or not it's sipvicious or any other program. It's the "golf ball through the water hose" effect. Did you try:

1) sinkholing from your router
2) contacting your upstream to inform them of the DoS to see if they'd sinkhole it
3) contacting the UPSTREAM of the attacking host?

+------------------------------------------+------------+------------+------------+-----------+-----------------+----------+
| hostid                                   | start_date | start_time | stop_date  | stop_time | attacker        | attempts |
+------------------------------------------+------------+------------+------------+-----------+-----------------+----------+
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-25 | 07:54:02   | 2010-08-25 | 07:55:54  | 38.99.168.133   |    16022 |
+------------------------------------------+------------+------------+------------+-----------+-----------------+----------+

8K attempts in a minute. There were times last month I'd see upwards of 40-60k per minute WHILE I played around with some of these guys in a separate Asterisk based honeypot I created.

So my confusion: "it will not stop a broken sipvicious from continuing to send data to your server"

Even CURRENT versions of sipvicious won't stop sending data just because you firewalled them out. There is a pattern that many don't see unless you're constantly monitoring and watching what's going on with your logs/devices. What I see firsthand is, there are "bruteforcers" and there are the "toll fraudsters." Since this is a public list, I care not to discuss findings for obvious reasons; however, for those interested in that information, feel free to send me a "non-free-mail" (meaning no Gmail, no Hotmail, etc.) message. If I get around to seeing I should share this information, I'd gladly do so...
Otherwise I won't disclose anything about honeypots, analysis, traffic patterns, etc. It's already surprising I posted attacker information on the forum. ;) I see all sorts of attackers, attack vectors, numbers dialed, etc., from many of these attackers. You'd be surprised how STUPID some are and how SMART others are.

As for your comment though, it's confusing to me because if you blocked them and they're still overwhelming you, sounds like a) you need more bandwidth because you're on a slow connection (I'm on a DS3) or b) server is misconfigured. On Linux tc can be your friend.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
               http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
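The attempts-per-minute table in the reply above is the kind of number you get by counting failed SIP registrations per source over your own logs. The script below is an added example written for this page; it is not J. Oquendo's honeypot code nor Gordon Henderson's iptables script. It assumes the chan_sip "Registration from ... failed for '<ip>'" NOTICE line format of Asterisk of that era (adjust the regex to your logger output), builds a constructed sample log (one flood at two attempts per second, one slow scanner at one attempt per minute, one legitimate user who mistyped a password), aggregates attempts per source and per clock minute, flags both the burst "bruteforcer" pattern and the slow scanner that a per-minute rule alone would miss, and emits host-side iptables DROP rules as strings rather than executing them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed chan_sip NOTICE format (Asterisk 1.6/1.8 era); check it against your
# own /var/log/asterisk/messages before relying on the regex.
LOG_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'"
)

def chan_sip_line(ts, ip, user):
    """One constructed registration-failure line in the assumed format."""
    return ("[%s] NOTICE[2110] chan_sip.c: Registration from '\"%s\"<sip:%s@10.0.0.2>' "
            "failed for '%s' - No matching peer found"
            % (ts.strftime("%b %d %H:%M:%S"), user, user, ip))

def synth_log():
    """Constructed sample traffic, not a real capture: one flood, one slow
    scanner and one legitimate user who mistyped a password."""
    lines = []
    t0 = datetime(2010, 8, 25, 7, 54, 2)
    for i in range(200):                      # flood: 2 attempts/s for 100 s
        lines.append(chan_sip_line(t0 + timedelta(milliseconds=500 * i),
                                   "38.99.168.133", str(100 + i)))
    t1 = datetime(2010, 8, 25, 7, 30, 0)
    for i in range(30):                       # slow scanner: 1 attempt/min for 30 min
        lines.append(chan_sip_line(t1 + timedelta(minutes=i), "203.0.113.7", "admin"))
    t2 = datetime(2010, 8, 25, 8, 10, 5)
    for off in (0, 35, 67):                   # legit user: three typos in two minutes
        lines.append(chan_sip_line(t2 + timedelta(seconds=off), "10.0.0.50", "bob"))
    lines.append("[Aug 25 08:12:00] NOTICE[2110] chan_sip.c: Peer 'bob' is now Reachable.")
    return "\n".join(lines)

def parse_events(text, year=2010):
    """Return (timestamp, source_ip) for every failed registration. Asterisk
    log timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip")))
    return events

def summarize(events):
    """Per source: first/last seen, total attempts, and peak attempts within
    any single clock minute (the attempts-per-minute figure in the table)."""
    per_minute = defaultdict(int)
    first, last, total = {}, {}, defaultdict(int)
    for ts, ip in events:
        per_minute[(ip, ts.replace(second=0, microsecond=0))] += 1
        total[ip] += 1
        first[ip] = min(first.get(ip, ts), ts)
        last[ip] = max(last.get(ip, ts), ts)
    peak = defaultdict(int)
    for (ip, _minute), n in per_minute.items():
        peak[ip] = max(peak[ip], n)
    return {ip: {"first": first[ip], "last": last[ip],
                 "attempts": total[ip], "peak_per_minute": peak[ip]} for ip in total}

def flag_attackers(summary, burst_per_minute=60, total_attempts=25):
    """Flag a source for a burst (a bruteforcer hammering the server) or for a
    high total (a slow scanner that never trips a per-minute rule)."""
    flagged = {}
    for ip, s in summary.items():
        reasons = []
        if s["peak_per_minute"] >= burst_per_minute:
            reasons.append("burst:%d/min" % s["peak_per_minute"])
        if s["attempts"] >= total_attempts:
            reasons.append("total:%d" % s["attempts"])
        if reasons:
            flagged[ip] = reasons
    return flagged

def drop_rules(ips, port=5060):
    """Host-side sinkhole: iptables rules (returned as strings, not executed)
    dropping further SIP from each flagged source. This stops your server from
    answering; it does not stop the packets arriving on your link."""
    return ["iptables -I INPUT -s %s -p udp --dport %d -j DROP" % (ip, port)
            for ip in sorted(ips)]

if __name__ == "__main__":
    summary = summarize(parse_events(synth_log()))
    for ip, s in sorted(summary.items()):
        print("%-15s %s .. %s attempts=%5d peak/min=%d" % (
            ip, s["first"].time(), s["last"].time(), s["attempts"], s["peak_per_minute"]))
    for rule in drop_rules(flag_attackers(summary)):
        print(rule)
```

Thresholds are arbitrary and should be tuned to your own traffic; the point of keeping two criteria is that the flood and the one-attempt-per-minute scanner need different rules. As the reply notes, a host-side DROP only stops Asterisk from processing and answering the packets; if the flood itself saturates the link, the block has to be applied upstream.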