On 10-08-30 01:53 PM, J. Oquendo wrote:
> Gordon Henderson wrote:
>> On Mon, 30 Aug 2010, J. Oquendo wrote:
>>
>> I also posted a very effective iptables script some weeks ago if you care
>> to search the archives. It works and is extremely effective in blocking
>> these types of attacks - however, it will not stop a broken sipvicious
>> from continuing to send data to your server, and that's the issue I have
>> at present.
>>
> Alright, so I'm slightly confused; maybe I'm reading this wrong...
>
> Someone using an older version of sipvicious was blocked and the
> "blocking" of the traffic still carried a load?
>
> If so then you should have logged into your router and simply sinkholed
> him. There is nothing you can do against a flood whether or not it's
> sipvicious or any other program. It's the "golf ball through the water
> hose" effect.
>
> Did you try:
>
> 1) sinkholing from your router
> 2) Contacting your upstream to inform them of the DoS to see if they'd
>    sinkhole it
> 3) Contacting the UPSTREAM of the attacking host?
>
> +------------------------------------------+------------+------------+------------+-----------+-----------------+----------+
> | hostid                                   | start_date | start_time | stop_date  | stop_time | attacker        | attempts |
> +------------------------------------------+------------+------------+------------+-----------+-----------------+----------+
> | e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-25 | 07:54:02   | 2010-08-25 | 07:55:54  | 38.99.168.133   | 16022    |
> +------------------------------------------+------------+------------+------------+-----------+-----------------+----------+
>
> 8K attempts in a minute. There were times last month I'd see upwards of
> 40-60k per minute WHILE I played around with some of these guys in a
> separate Asterisk based honeypot I created. So my confusion: "it will
> not stop a broken sipvicious from continuing to send data to your
> server". Even CURRENT versions of sipvicious won't stop sending data just
> because you firewalled them out.
>
> There is a pattern that many don't see unless you're constantly monitoring
> and watching what's going on with your logs/devices. What I see
> firsthand is, there are "bruteforcers" and there are the "toll
> fraudsters." Since this is a public list, I care not to discuss findings
> for obvious reasons; however, for those interested in that information,
> feel free to send me a "non-free-mail" (meaning no Gmail, no Hotmail,
> etc.) message. If I get around to seeing I should share this information,
> I'd gladly do so... Otherwise I won't disclose anything about honeypots,
> analysis, traffic patterns, etc. It's already surprising I posted
> attacker information on the forum. ;) I see all sorts of attackers,
> attack vectors, numbers dialed, etc., from many of these attackers.
> You'd be surprised how STUPID some are and how SMART others are.
>
> As for your comment though, it's confusing to me because if you blocked
> them and they're still overwhelming you, sounds like a) you need more
> bandwidth because you're on a slow connection (I'm on a DS3) or b) your
> server is misconfigured. On Linux tc can be your friend.

Joshua Stein has a great article on this topic:
http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/

-- 
Jian Gao

-- 
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
               http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
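The three responses the thread discusses (an iptables rate limit in front of Asterisk, tc on the Linux box, and sinkholing a single source before asking the upstreams to do the same) as a dry-run shell script. This is an added example, not code posted to the list, from Joshua Stein's article, or from Asterisk or sipvicious. The interface name eth0, the SIP port 5060, the rate figures, and the attacker address 198.51.100.7 (a TEST-NET-2 placeholder, not the address from the table above) are all assumptions. For scale: the table shows about 16,000 attempts in under two minutes, roughly 140 per second from one source, which is what the per-source limit is sized against.

```shell
#!/bin/sh
# Added example (not the list's, Joshua Stein's, or Asterisk's code).
# Three layers of response to a SIP brute-force flood from one source.
# Dry-run by default: the commands are printed with a [dry-run] prefix.
# Run with SIP_FLOOD_APPLY=1 as root to execute them instead.
# Interface, port, rates and the attacker address below are assumptions.

IFACE="${IFACE:-eth0}"
SIP_PORT="${SIP_PORT:-5060}"
ATTACKER="${ATTACKER:-198.51.100.7}"   # constructed TEST-NET-2 address

# Layer 1: per-source rate limit on SIP before Asterisk sees it.
# hashlimit keys on the source IP, so a scanner sending 140 REGISTERs a
# second is capped while phones registering at normal rates pass. This
# stops the SIP stack parsing and answering the guesses; the packets still
# consume inbound bandwidth (the "golf ball through the water hose").
sip_ratelimit_rules() {
    port="$1"
    cat <<EOF
iptables -N SIP_FLOOD 2>/dev/null || iptables -F SIP_FLOOD
iptables -A SIP_FLOOD -m hashlimit --hashlimit-name sipflood --hashlimit-mode srcip --hashlimit-upto 20/second --hashlimit-burst 60 -j RETURN
iptables -A SIP_FLOOD -j DROP
iptables -I INPUT -p udp --dport $port -j SIP_FLOOD
iptables -I INPUT -p tcp --dport $port -j SIP_FLOOD
EOF
}

# Layer 2: ingress policing with tc. SIP bytes over the rate are dropped
# at the interface, before conntrack and the INPUT chain do any work, so
# CPU is kept for calls already up. Like layer 1 this protects the host,
# not the link: the bytes have already crossed your uplink.
tc_ingress_police() {
    dev="$1" port="$2" rate="$3"
    cat <<EOF
tc qdisc add dev $dev handle ffff: ingress 2>/dev/null || true
tc filter add dev $dev parent ffff: protocol ip prio 10 u32 match ip protocol 17 0xff match ip dport $port 0xffff police rate $rate burst 32k drop flowid :1
EOF
}

# Layer 3: sinkhole one source on the router or host. The blackhole route
# discards everything addressed to it (nothing is answered) and, with
# net.ipv4.conf.all.rp_filter=1, the kernel also rejects packets that claim
# to come from it; the INPUT rule covers hosts without rp_filter. The
# flood still arrives on the wire, which is exactly why the next steps are
# your upstream and the attacker's upstream.
sinkhole_rules() {
    addr="$1"
    cat <<EOF
ip route add blackhole $addr/32
iptables -I INPUT -s $addr -j DROP
EOF
}

# Execute the generated commands, or just show them.
run() {
    if [ "${SIP_FLOOD_APPLY:-0}" = "1" ]; then
        sh -e
    else
        sed 's/^/[dry-run] /'
    fi
}

{
    sip_ratelimit_rules "$SIP_PORT"
    tc_ingress_police "$IFACE" "$SIP_PORT" 512kbit
    sinkhole_rules "$ATTACKER"
} | run
```

Layers 1 and 2 are what the iptables script and tc can do for you; layer 3 is the "sinkhole from your router" step. None of the three reduces what arrives on your uplink, so a source that keeps sending after being firewalled (the complaint in the thread) is only really solved by steps 2 and 3 of the list above, at the upstream.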