[asterisk-users] being bombarded with SIP packets
Over the last two weeks, we have had at least two incidents where our asterisk server got flooded (a hundred or more per second) by SIP packets. Once from 114.31.50.10, second time from 173.212.200.146. We became aware of the problem when bandwidth started suffering because asterisk got very busy sending back replies or rejects (dunno which, I didn't investigate it any further).

The immediate issues were dealt with by having the firewall drop those packets, but I was wondering:

1) if anyone has seen the same problem, and
2) if you've got some iptables rules for limiting inbound SIP by rate? (or some such).

thanks
Per Jessen, Zürich

--
http://www.spamchek.com/ - your spam is our business.

--
Bandwidth and Colocation Provided by http://www.api-digital.com
New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] being bombarded with SIP packets
On Thu, 2010-10-28 at 09:41 +0200, Per Jessen wrote:
> Over the last two weeks, we have had at least two incidents where our asterisk server got flooded (a hundred or more per second) by SIP packets. Once from 114.31.50.10, second time from 173.212.200.146. We became aware of the problem when bandwidth started suffering because asterisk got very busy sending back replies or rejects (dunno which, I didn't investigate it any further).
>
> The immediate issues were dealt with by having the firewall drop those packets, but I was wondering:
>
> 1) if anyone has seen the same problem, and
> 2) if you've got some iptables rules for limiting inbound SIP by rate? (or some such).
>
> thanks
> Per Jessen, Zürich

Was it legitimate requests or a brute force attack? If it was a brute force attack have you considered using fail2ban?

Ish

--
Ishfaq Malik
Software Developer
PackNet Ltd
Office: 0161 660 3062
Re: [asterisk-users] being bombarded with SIP packets
On 28.10.2010 09:41, Per Jessen wrote:
> Over the last two weeks, we have had at least two incidents where our asterisk server got flooded (a hundred or more per second) by SIP packets. Once from 114.31.50.10, second time from 173.212.200.146. We became aware of the problem when bandwidth started suffering because asterisk got very busy sending back replies or rejects (dunno which, I didn't investigate it any further).
>
> The immediate issues were dealt with by having the firewall drop those packets, but I was wondering:
>
> 1) if anyone has seen the same problem, and
> 2) if you've got some iptables rules for limiting inbound SIP by rate? (or some such).
>
> thanks
> Per Jessen, Zürich

Hello Per,

(iptables) rule #1: search the archives. You will find nearly as many postings about that problem as SIP packets your server received ... ;-)

Norbert
Re: [asterisk-users] being bombarded with SIP packets
Norbert Zawodsky wrote:
> On 28.10.2010 09:41, Per Jessen wrote:
>> Over the last two weeks, we have had at least two incidents where our asterisk server got flooded (a hundred or more per second) by SIP packets. Once from 114.31.50.10, second time from 173.212.200.146. We became aware of the problem when bandwidth started suffering because asterisk got very busy sending back replies or rejects (dunno which, I didn't investigate it any further).
>>
>> The immediate issues were dealt with by having the firewall drop those packets, but I was wondering:
>>
>> 1) if anyone has seen the same problem, and
>> 2) if you've got some iptables rules for limiting inbound SIP by rate? (or some such).
>>
>> thanks
>> Per Jessen, Zürich
>
> Hello Per,
>
> (iptables) rule #1: search the archives. You will find nearly as many postings about that problem as SIP packets your server received ... ;-)

Thanks Norbert - I should take my own medicine, I'm usually the first to suggest searching the archives.

/Per Jessen, Zürich

--
http://www.spamchek.com/ - your spam is our business.
Re: [asterisk-users] being bombarded with SIP packets
Ishfaq Malik wrote:
> On Thu, 2010-10-28 at 09:41 +0200, Per Jessen wrote:
>> Over the last two weeks, we have had at least two incidents where our asterisk server got flooded (a hundred or more per second) by SIP packets. Once from 114.31.50.10, second time from 173.212.200.146. We became aware of the problem when bandwidth started suffering because asterisk got very busy sending back replies or rejects (dunno which, I didn't investigate it any further).
>>
>> The immediate issues were dealt with by having the firewall drop those packets, but I was wondering:
>>
>> 1) if anyone has seen the same problem, and
>> 2) if you've got some iptables rules for limiting inbound SIP by rate? (or some such).
>>
>> thanks
>> Per Jessen, Zürich
>
> Was it legitimate requests or a brute force attack? If it was a brute force attack have you considered using fail2ban?

It appears to be brute force, but I haven't bothered to investigate any further. fail2ban is at best a kludge IMHO, and I don't like anything (automatically or otherwise) modifying my firewall. Like Norbert suggested, I'll check the archives to see what others have done.

/Per Jessen, Zürich

--
http://www.spamchek.com/ - your spam is our business.
Re: [asterisk-users] being bombarded with SIP packets
On 28.10.2010 12:14, Per Jessen wrote:
> Ishfaq Malik wrote:
>> On Thu, 2010-10-28 at 09:41 +0200, Per Jessen wrote:
>>> Over the last two weeks, we have had at least two incidents where our asterisk server got flooded (a hundred or more per second) by SIP packets. Once from 114.31.50.10, second time from 173.212.200.146. We became aware of the problem when bandwidth started suffering because asterisk got very busy sending back replies or rejects (dunno which, I didn't investigate it any further).
>>>
>>> The immediate issues were dealt with by having the firewall drop those packets, but I was wondering:
>>>
>>> 1) if anyone has seen the same problem, and
>>> 2) if you've got some iptables rules for limiting inbound SIP by rate? (or some such).
>>>
>>> thanks
>>> Per Jessen, Zürich
>>
>> Was it legitimate requests or a brute force attack? If it was a brute force attack have you considered using fail2ban?
>
> It appears to be brute force, but I haven't bothered to investigate any further. fail2ban is at best a kludge IMHO, and I don't like anything (automatically or otherwise) modifying my firewall. Like Norbert suggested, I'll check the archives to see what others have done.
>
> /Per Jessen, Zürich

Per, (didn't want to be unfriendly to you !)

As you say, you don't like anything to modify your firewall. My words !

Someone (don't remember who when) on this list showed me a very clever trick (=iptables rule) to drop the packets if too many of them arrive within a given period of time. Works really great !

Do not exactly remember how it was done (and I don't have access to that machine at the moment to have a look). I remember something like first using iptables module string to inspect the packet if it contains the string "REGISTER sip:" and then use an iptables hash bucket with a limit of x/second. If this limit is exceeded, send the packet to nirvana (= DROP, or if you like LOG & DROP, or if you like LOG the 1st, DROP all.)

Norbert
Re: [asterisk-users] being bombarded with SIP packets
On Thu, 28 Oct 2010, Norbert Zawodsky wrote:
> On 28.10.2010 12:14, Per Jessen wrote:
>> Ishfaq Malik wrote:
>>> On Thu, 2010-10-28 at 09:41 +0200, Per Jessen wrote:
>>>> Over the last two weeks, we have had at least two incidents where our asterisk server got flooded (a hundred or more per second) by SIP packets. Once from 114.31.50.10, second time from 173.212.200.146. We became aware of the problem when bandwidth started suffering because asterisk got very busy sending back replies or rejects (dunno which, I didn't investigate it any further).
>>>>
>>>> The immediate issues were dealt with by having the firewall drop those packets, but I was wondering:
>>>>
>>>> 1) if anyone has seen the same problem, and

This is not new - just Read The Fine Archives. Been going on for years. You're not the first, not the last.

Google for sipvicious.

>>>> 2) if you've got some iptables rules for limiting inbound SIP by rate? (or some such).
>>>>
>>>> thanks
>>>> Per Jessen, Zürich
>>>
>>> Was it legitimate requests or a brute force attack? If it was a brute force attack have you considered using fail2ban?
>>
>> It appears to be brute force, but I haven't bothered to investigate any further. fail2ban is at best a kludge IMHO, and I don't like anything (automatically or otherwise) modifying my firewall. Like Norbert suggested, I'll check the archives to see what others have done.
>>
>> /Per Jessen, Zürich
>
> Per, (didn't want to be unfriendly to you !)
>
> As you say, you don't like anything to modify your firewall. My words !
>
> Someone (don't remember who when) on this list showed me a very clever trick (=iptables rule) to drop the packets if too many of them arrive within a given period of time. Works really great !

Possibly me - I did post something - you might want to look at http://unicorn.drogon.net/firewall2

An issue I've found with this is that while it works to protect your asterisk box, it does take up a considerable amount of CPU/kernel time to process - so running on embedded hardware isn't a good idea.

There are other things you need to do too - but do get the sipvicious source code - it has a crash program in it - however I'm finding that this works less and less now because the criminals who're trying to steal your VoIP minutes have upgraded - however the upgrade is a little nicer when you firewall it out.

And do make sure you have alwaysauthreject=yes in the [general] section of sip.conf. Most of the time that will protect you as the criminals will do a single pass to try to identify accounts that are valid, then find none, then move on. Sometimes they don't though and use the 'force' option in sipvicious. Then you're SOL

Gordon
Re: [asterisk-users] being bombarded with SIP packets
Norbert Zawodsky wrote:
> Per, (didn't want to be unfriendly to you !)

Not at all.

> As you say, you don't like anything to modify your firewall. My words!
>
> Someone (don't remember who when) on this list showed me a very clever trick (=iptables rule) to drop the packets if too many of them arrive within a given period of time. Works really great !

Yeah, I have a rule like that for SSH brute force attempts, and I did also find one for the same thing for SIP.

> Do not exactly remember how it was done (and I don't have access to that machine at the moment to have a look). I remember something like first using iptables module string to inspect the packet if it contains the string "REGISTER sip:" and then use an iptables hash bucket with a limit of x/second

This is what I found:

iptables -N sip-flood
iptables -A INPUT -p udp -m udp --dport 5060 -j sip-flood
iptables -A INPUT -p tcp -m tcp --dport 5060:5061 --syn -j sip-flood
iptables -A sip-flood -m recent --update --seconds 60 --hitcount 20 -j LOG --log-prefix "SIP bruteforce attempt: "
iptables -A sip-flood -m recent --rcheck --seconds 60 --hitcount 20 -j DROP
iptables -A sip-flood -m recent --set -j ACCEPT

/Per Jessen, Zürich

--
http://www.spamchek.com/ - your spam is our business.
Re: [asterisk-users] being bombarded with SIP packets
Gordon Henderson wrote:
> On Thu, 28 Oct 2010, Norbert Zawodsky wrote:
>> On 28.10.2010 12:14, Per Jessen wrote:
>>> Ishfaq Malik wrote:
>>>> On Thu, 2010-10-28 at 09:41 +0200, Per Jessen wrote:
>>>>> Over the last two weeks, we have had at least two incidents where our asterisk server got flooded (a hundred or more per second) by SIP packets. Once from 114.31.50.10, second time from 173.212.200.146. We became aware of the problem when bandwidth started suffering because asterisk got very busy sending back replies or rejects (dunno which, I didn't investigate it any further).
>>>>>
>>>>> The immediate issues were dealt with by having the firewall drop those packets, but I was wondering:
>>>>>
>>>>> 1) if anyone has seen the same problem, and
>
> This is not new - just Read The Fine Archives. Been going on for years. You're not the first, not the last.

Well, to me it only started 3 days ago. Point taken though, I should have googled first. My main issue was not the brute force attempt in itself, but the increased latency it caused.

/Per Jessen, Zürich

--
http://www.spamchek.com/ - your spam is our business.
Re: [asterisk-users] being bombarded with SIP packets
Fail2Ban

Regards

- Original Message -
From: Per Jessen p...@computer.org
To: asterisk-users@lists.digium.com
Sent: Thursday, October 28, 2010 2:41 AM
Subject: [asterisk-users] being bombarded with SIP packets

> Over the last two weeks, we have had at least two incidents where our asterisk server got flooded (a hundred or more per second) by SIP packets. Once from 114.31.50.10, second time from 173.212.200.146. We became aware of the problem when bandwidth started suffering because asterisk got very busy sending back replies or rejects (dunno which, I didn't investigate it any further).
>
> The immediate issues were dealt with by having the firewall drop those packets, but I was wondering:
>
> 1) if anyone has seen the same problem, and
> 2) if you've got some iptables rules for limiting inbound SIP by rate? (or some such).
>
> thanks
> Per Jessen, Zürich
>
> --
> http://www.spamchek.com/ - your spam is our business.
Re: [asterisk-users] being bombarded with SIP packets
Two incidents in two weeks is not bad. I get 2-4 a day. There must be many here with even more than that. You should start considering some safety practices like disabling long distance and international calls by default, put a cap on long distance and international calls even for genuine users, and for those who don't want to have caps, get their consent that they'll not argue with you if their accounts are hacked. Probably do prepaid billing at least for long distance and international calls.

Other than that, fail2ban is a must have. Detailed installation instructions you can find at voip-info.org website and also in my blogs at ilovetovoip.com.

Regards,
Zeeshan A Zakaria

--
www.ilovetovoip.com
www.pbxforall.com (beta)

On 2010-10-28 3:48 AM, Per Jessen p...@computer.org wrote:
> Over the last two weeks, we have had at least two incidents where our asterisk server got flooded (a hundred or more per second) by SIP packets. Once from 114.31.50.10, second time from 173.212.200.146. We became aware of the problem when bandwidth started suffering because asterisk got very busy sending back replies or rejects (dunno which, I didn't investigate it any further).
>
> The immediate issues were dealt with by having the firewall drop those packets, but I was wondering:
>
> 1) if anyone has seen the same problem, and
> 2) if you've got some iptables rules for limiting inbound SIP by rate? (or some such).
>
> thanks
> Per Jessen, Zürich
>
> --
> http://www.spamchek.com/ - your spam is our business.
Re: [asterisk-users] being bombarded with SIP packets
On 10/28/2010 3:41 AM, Per Jessen wrote:
> 2) if you've got some iptables rules for limiting inbound SIP by rate?

Exactly what I was going through; here's how I reacted (throttles both SSH and SIP REGISTER):

First, I completely blocked all non-North American Amazon EC2 networks - I won't be registering my sip phone in Nigeria nor from within EC2* any time soon.

Then in my iptables startup script:

iptables -N THROTTLE
iptables -A INPUT -i eth0 -p udp --dport 5060 \
    -m string --string "REGISTER sip:" --algo bm --to 65 -j THROTTLE
iptables -A INPUT -i eth0 -p tcp --dport 22 \
    -m state --state NEW -j THROTTLE
iptables -A THROTTLE -m recent --set --name ABUSE
iptables -A THROTTLE -m recent --update --seconds 86400 \
    --hitcount 15 --name ABUSE -j LOG $LOGOPTS $PREh15_
iptables -A THROTTLE -m recent --rcheck --seconds 86400 \
    --hitcount 15 --name ABUSE -j DROP
iptables -A THROTTLE -m recent --update --seconds 3600 \
    --hitcount 12 --name ABUSE -j LOG $LOGOPTS $PREh12_
iptables -A THROTTLE -m recent --rcheck --seconds 3600 \
    --hitcount 12 --name ABUSE -j DROP
iptables -A THROTTLE -m recent --update --seconds 60 \
    --hitcount 6 --name ABUSE -j LOG $LOGOPTS $PREh6_
iptables -A THROTTLE -m recent --rcheck --seconds 60 \
    --hitcount 6 --name ABUSE -j DROP
iptables -A INPUT -i eth0 -p udp --dport 5060 \
    --sport 1024:65535 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 \
    --sport 1024:65535 -j ACCEPT

Note that some SIP clients send more than one register per startup -- e.g.: Siphon on the iPhone registers without credentials first, asterisk sends back unauthorized, then Siphon tries again with the configured username and password.

For exactly how I'm using it:

mkdir /usr/local/script
cd /usr/local/script
wget http://jeremy.kister.net/code/iptables/make-non-na.pl
wget http://jeremy.kister.net/code/iptables/iptables.init
mv iptables.init /etc/init.d/iptables
# vi iptables
# change the MYLAN to your lan network
# change the RDPRANGE to the range defined in /etc/asterisk/rdp.conf
ln -s /etc/init.d/iptables /etc/rc2.d/iptables
ln -s /etc/init.d/iptables /etc/rc3.d/iptables
crontab -e
# put in something to run the make-non-na.pl run once per week
/usr/local/script/make-non-na.pl
/etc/init.d/iptables start

* = if you use the Acrobits softphone, you'll need to let EC2 through for push notifications. Currently, I just put 184.72.221.84 in the siprtp section of the iptables script.

--
Jeremy Kister
http://jeremy.kister.net./
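The `-m recent` match that both Per's sip-flood chain and Jeremy's THROTTLE chain rely on can be checked offline with the following simulation, an added example that is not code from this thread or from either poster: it models --set, --update and --rcheck the way xt_recent does and runs both chains over two constructed traces (documentation addresses). It assumes the kernel's default list of 20 timestamps per address and a remote phone that re-registers every 120 s with two REGISTERs per registration.

```python
"""Offline model of the iptables 'recent' match (xt_recent), so the two SIP
rate-limit chains quoted in this thread can be run against a packet trace.
Added example, not code from the thread; it keeps the kernel default of 20
timestamps per address (ip_pkt_list_tot)."""
from collections import defaultdict, deque

LIST_TOT = 20  # default ip_pkt_list_tot: stamps remembered per source
class Recent:
    def __init__(self):
        # table name -> source address -> ring of hit timestamps (seconds)
        self.tables = defaultdict(
            lambda: defaultdict(lambda: deque(maxlen=LIST_TOT)))

    def set(self, name, src, now):
        """--set: record a hit, creating the entry if needed; always matches."""
        self.tables[name][src].append(now)
        return True

    def _hits(self, name, src, now, seconds, hitcount):
        stamps = self.tables[name].get(src)
        if stamps is None:  # address not in the list: no match
            return False
        return sum(1 for t in stamps if now - t <= seconds) >= hitcount

    def rcheck(self, name, src, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount N: test only, list untouched."""
        return self._hits(name, src, now, seconds, hitcount)

    def update(self, name, src, now, seconds, hitcount):
        """--update: as --rcheck, but a match also stamps the entry afresh,
        which is what keeps a persistent flooder blocked."""
        matched = self._hits(name, src, now, seconds, hitcount)
        if matched:
            self.tables[name][src].append(now)
        return matched

def sip_flood_chain(r, src, now):
    """Per's sip-flood chain: 20 packets per source per 60 s, then DROP."""
    r.update("DEFAULT", src, now, 60, 20)  # -j LOG, non-terminating
    if r.rcheck("DEFAULT", src, now, 60, 20):
        return "DROP"
    r.set("DEFAULT", src, now)  # -j ACCEPT
    return "ACCEPT"

def throttle_chain(r, src, now):
    """Jeremy's THROTTLE chain: every packet is counted first (--set), then
    three LOG/DROP tiers of 15 per day, 12 per hour and 6 per minute."""
    r.set("ABUSE", src, now)
    for seconds, hits in ((86400, 15), (3600, 12), (60, 6)):
        r.update("ABUSE", src, now, seconds, hits)  # -j LOG
        if r.rcheck("ABUSE", src, now, seconds, hits):
            return "DROP"
    return "ACCEPT"

def run(chain, trace):
    """Feed (time_in_seconds, source) pairs through a chain; return verdicts."""
    r = Recent()
    return [chain(r, src, t) for t, src in trace]

# Constructed traces (documentation addresses): a scanner sending 100
# REGISTERs/s for 3 s, and a remote phone re-registering every 120 s for an
# hour, two packets per registration (the 401-challenged one and the retry).
FLOOD = [(i / 100, "203.0.113.7") for i in range(300)]
PHONE = [(t + d, "198.51.100.9") for t in range(0, 3600, 120) for d in (0, 0.5)]
```

On these traces sip-flood passes the first 20 flood packets and every phone packet, while THROTTLE passes 5 flood packets but also stops passing the phone after its 11th REGISTER, since its hour tier counts the phone's own re-registrations. Because the string match sends every REGISTER through the chain, a phone that registers from outside needs to be accepted before it reaches THROTTLE.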