John, I think Reza's main concern is really true DDoS directed at telephony servers for the purposes of gaining access to routes (i.e. call North Korea and the operator will share profits with you).
By blocking IPs as they come in, you are still indicating that you are a SIP server and that you are worried and want to block access, so more tries come from different IP sources, which is what DDoS is at its core. What Reza is suggesting is: let them think they got access and let them dial, so they think they are making money while they are not. This will stop DDoS *probably* because they will think they got access, so their DDoS will be directed somewhere else. I think this works because those who run scripts run them without secondary checks, and there are easier targets to move on to than to come back to Reza's servers and figure out why they failed. They will recognize it as a SIP server with no international routes, maybe... hence banning IPs is the opposite of what he suggests to do.

-Bruce

On Thu, Jul 30, 2015 at 12:18 PM, John Lange <[email protected]> wrote:
> I also found that approach very interesting. It's the opposite of what you
> would intuitively do, ie let everyone in, vs. block everyone who's unknown.
>
> As others have mentioned, the one concern I have is the load caused by
> playback of tt-monkeys (though I'm amused). Wouldn't it work equally well
> to simply do an Answer(), then Wait(100) without playback?
>
> And doesn't it also make sense to combine the above with a Fail2Ban keyed
> on the log of "BUFFOONS IP ADDRESS"?
>
> Regards,
>
> John
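For readers following the thread, here is a sketch of the kind of Asterisk dialplan being discussed. It is an added illustration, not Reza's, John's or Bruce's actual configuration: a catch-all context accepts whatever number the scanner dials, writes the source IP to the log with the "BUFFOONS IP ADDRESS" marker quoted above, and then either plays tt-monkeys (the original approach) or just answers and waits (John's cheaper variant). The context name `honeypot`, the use of `${CHANNEL(peerip)}` to get the remote address, and the exact wording after the marker are assumptions.

```ini
; extensions.conf - honeypot context (added illustration, not the list members' own config)
;
; Assumption: unauthenticated/guest INVITEs are routed here by sip.conf, e.g.
;   [general]
;   allowguest=yes
;   context=honeypot
; Real peers must keep their own context; nothing in this context may ever
; reach a Dial() to a trunk, or the "fake route" becomes a real one.

[honeypot]
; _X. matches any dialed number; the point is to accept everything.
exten => _X.,1,NoOp(BUFFOONS IP ADDRESS ${CHANNEL(peerip)} dialed ${EXTEN})
; Log() writes to the configured Asterisk log channels; the marker is what a
; Fail2Ban filter would match on, if one chooses to ban at all.
 same => n,Log(NOTICE,BUFFOONS IP ADDRESS ${CHANNEL(peerip)} dialed ${EXTEN})
 same => n,Answer()
; Variant A (original): play the monkeys. Costs transcoding/RTP per call.
; same => n,Playback(tt-monkeys)
; Variant B (John's suggestion): stay answered and silent for 100 seconds,
; so the scanner sees a connected call without any media being generated.
 same => n,Wait(100)
 same => n,Hangup()
```

If the Fail2Ban half is wanted, its filter would key on the logged marker with something like `failregex = BUFFOONS IP ADDRESS <HOST>` against the Asterisk log file; whether to ban at all is exactly what Bruce's message argues against, since the honeypot's value comes from looking like an open route rather than a defended one.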
