Interesting. But DDoS (Distributed Denial of Service) is an attack intended to make a service completely unavailable. That is not what is being described above, and in any case, the above tactics would not stop a true DDoS. In fact, it would make you more vulnerable since all I have to do is attempt to dial thousands of times in parallel and your machine would die trying to play thousands of instances of tt-monkeys at the same time.
That being said, the attack above is brute force exploitation. In my experience, once they are blocked and realize they are detected, they move on to other targets. They don't switch IPs and try again since there is little chance of success.

On Thu, Jul 30, 2015 at 11:28 AM, Bruce N <[email protected]> wrote:
> John,
>
> I think Reza's main concern is really true DDoS directed at telephony servers for the purposes of gaining access to routes (i.e. call North Korea and the operator will share profits with you).
>
> By blocking IPs as they come in, you are still indicating you are a SIP server and you are worried and want to block access, so there come more tries from different IP sources, which is what DDoS is at core. What Reza is suggesting: let them think they got access and let them dial so they think they are making money while they are not. This will stop DDoS *probably* because they will think they got access, so their DDoS will be directed somewhere else. I think this works because those who run scripts run them without secondary checks, and there are easier targets to move onto than to come back to Reza's servers and figure out why they failed. They will recognize it as a SIP server with no international routes maybe... hence banning IPs is the opposite of what he suggests to do.
>
> -Bruce
>
>
> On Thu, Jul 30, 2015 at 12:18 PM, John Lange <[email protected]> wrote:
>
>> I also found that approach very interesting. It's the opposite of what you would intuitively do, i.e. let everyone in, vs. block everyone who's unknown.
>>
>> As others have mentioned, the one concern I have is the load caused by playback of tt-monkeys (though I'm amused). Wouldn't it work equally well to simply do an Answer(), then Wait(100) without playback?
>>
>> And doesn't it also make sense to combine the above with a Fail2Ban keyed on the log of "BUFFOONS IP ADDRESS"?
>>
>> Regards,
>>
>> John
>>
>

--
John Lange
www.johnlange.ca
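An added example, not code from this thread or from Asterisk or Fail2Ban: the Fail2Ban-style check John proposes, written as a small Python matcher run over constructed Asterisk log lines. It assumes the trap dialplan does Answer(), Wait(100) and then Log()s a line ending in `BUFFOONS IP ADDRESS <ip>`; the log layout, context name, addresses and timestamps are all constructed, and the regex plays the role a Fail2Ban failregex with `<HOST>` would play.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Equivalent of a Fail2Ban failregex for the trap line; Fail2Ban would write
# <HOST> where this pattern uses the named group "host". The date prefix
# follows the usual Asterisk messages-log layout (assumed, not from the thread).
BUFFOON_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\]"
    r".*BUFFOONS IP ADDRESS (?P<host>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Constructed sample log: three trap hits from one address, one from another,
# plus an unrelated WARNING line that must not match.
SAMPLE_LOG = """\
[Jul 30 12:18:01] NOTICE[1234][C-00000001] Ext. _X.:3 @ from-sip-external: BUFFOONS IP ADDRESS 203.0.113.7
[Jul 30 12:18:05] NOTICE[1234][C-00000002] Ext. _X.:3 @ from-sip-external: BUFFOONS IP ADDRESS 203.0.113.7
[Jul 30 12:18:09] NOTICE[1234][C-00000003] Ext. _X.:3 @ from-sip-external: BUFFOONS IP ADDRESS 203.0.113.7
[Jul 30 12:20:00] NOTICE[1234][C-00000004] Ext. _X.:3 @ from-sip-external: BUFFOONS IP ADDRESS 198.51.100.9
[Jul 30 12:21:00] WARNING[1234] chan_sip.c: unrelated message mentioning 198.51.100.9
""".splitlines()


def parse_hits(lines, year=2015):
    """Yield (timestamp, ip) for every line that matches the trap marker."""
    for line in lines:
        m = BUFFOON_RE.match(line)
        if not m:
            continue
        # Asterisk omits the year in this log format, so it is supplied here.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"]


def hosts_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return the IPs that hit the trap at least `maxretry` times within a
    sliding `findtime` window, mirroring Fail2Ban's maxretry/findtime logic."""
    recent = defaultdict(list)
    banned = set()
    for ts, ip in parse_hits(lines):
        # Keep only this IP's hits that still fall inside the window.
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned


if __name__ == "__main__":
    print(sorted(hosts_to_ban(SAMPLE_LOG)))
```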
