Check out Fail2Ban and turn on the correct sofia settings to enable fail2ban-compatible logging.<div><br></div><div><a href="http://wiki.freeswitch.org/wiki/Fail2ban">http://wiki.freeswitch.org/wiki/Fail2ban</a></div>

<div>That will help protect you.</div><div><br></div><div>I think the plan is not to bloat FreeSWITCH with a million features when they can be built around FreeSWITCH.</div><div>Also, it's better to do the banning at iptables; that way the FS process doesn't even see the traffic.</div>

<div><br></div><div>In my situation we take fail2ban a step further and add a route to our BGP blackhole setup for repeat offenders.</div><div>That way it doesn't even traverse the network.</div><div><br></div><div>It's just more flexible this way; then you can apply your own logic easily.</div>

<div><br></div><div>Jay</div><div><br><div class="gmail_quote">On Wed, Mar 30, 2011 at 10:44 AM, Oleg Khovayko <span dir="ltr">&lt;<a href="mailto:khovayko@gmail.com">khovayko@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">

Hi,<br>
<br>
A couple of months ago I reported strange behaviour of FreeSWITCH: 100% CPU usage and a memory leak.<br>
<br>
Today I caught this situation and viewed the logs.<br>
I found something like a ping-pong with a SIP-port attack:<br>
<br>
FS log:<br>
<br>
2011-03-29 20:12:42.754314 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:42.754314 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:42.754314 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:42.754314 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:42.754314 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:42.938408 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:42.957793 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:42.981472 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:42.999635 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:43.028769 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:43.048709 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:43.064379 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:43.080898 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:43.099860 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:43.118179 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:43.133097 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:43.149791 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:43.172722 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:43.187540 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:43.203845 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:43.219207 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:43.233950 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:43.250684 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:43.267531 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
2011-03-29 20:12:43.283970 [WARNING] sofia_reg.c:1246 SIP auth challenge<br>
(REGISTER) on sofia profile &#39;internal&#39; for [<a href="mailto:4@173.79.240.220">4@173.79.240.220</a>] from ip<br>
118.175.22.75<br>
<br>
TCPDUMP output.<br>
<br>
<br>
20:19:11.863940 IP 118.175.22.75.5239 &gt; deskpro.khovayko.com.sip: SIP,<br>
length: 331<br>
20:19:11.914740 IP 118.175.22.75.5239 &gt; deskpro.khovayko.com.sip: SIP,<br>
length: 330<br>
20:19:11.917521 IP 118.175.22.75.5239 &gt; deskpro.khovayko.com.sip: SIP,<br>
length: 331<br>
20:19:11.931544 IP 118.175.22.75.5239 &gt; deskpro.khovayko.com.sip: SIP,<br>
length: 330<br>
20:19:11.934351 IP 118.175.22.75.5239 &gt; deskpro.khovayko.com.sip: SIP,<br>
length: 331<br>
20:19:11.946799 IP 118.175.22.75.5239 &gt; deskpro.khovayko.com.sip: SIP,<br>
length: 331<br>
20:19:11.949370 IP 118.175.22.75.5239 &gt; deskpro.khovayko.com.sip: SIP,<br>
length: 330<br>
20:19:11.954355 IP 118.175.22.75.5239 &gt; deskpro.khovayko.com.sip: SIP,<br>
length: 331<br>
20:19:11.957996 IP deskpro.khovayko.com.sip &gt; 118.175.22.75.5239: SIP,<br>
length: 605<br>
20:19:11.958972 IP deskpro.khovayko.com.sip &gt; 118.175.22.75.5239: SIP,<br>
length: 604<br>
20:19:11.959998 IP deskpro.khovayko.com.sip &gt; 118.175.22.75.5239: SIP,<br>
length: 605<br>
20:19:11.961019 IP deskpro.khovayko.com.sip &gt; 118.175.22.75.5239: SIP,<br>
length: 605<br>
20:19:11.961814 IP 118.175.22.75.5239 &gt; deskpro.khovayko.com.sip: SIP,<br>
length: 329<br>
20:19:11.962213 IP deskpro.khovayko.com.sip &gt; 118.175.22.75.5239: SIP,<br>
length: 605<br>
20:19:11.963141 IP deskpro.khovayko.com.sip &gt; 118.175.22.75.5239: SIP,<br>
length: 605<br>
20:19:11.964106 IP deskpro.khovayko.com.sip &gt; 118.175.22.75.5239: SIP,<br>
length: 604<br>
20:19:11.965059 IP deskpro.khovayko.com.sip &gt; 118.175.22.75.5239: SIP,<br>
length: 604<br>
20:19:11.966066 IP deskpro.khovayko.com.sip &gt; 118.175.22.75.5239: SIP,<br>
length: 604<br>
20:19:11.967018 IP deskpro.khovayko.com.sip &gt; 118.175.22.75.5239: SIP,<br>
length: 604<br>
20:19:11.967965 IP deskpro.khovayko.com.sip &gt; 118.175.22.75.5239: SIP,<br>
length: 605<br>
20:19:11.968930 IP deskpro.khovayko.com.sip &gt; 118.175.22.75.5239: SIP,<br>
length: 605<br>
<br>
Also, I see that the attack continued when I stopped FreeSWITCH:<br>
<br>
20:21:46.045995 IP 118.175.22.75.5239 &gt; deskpro.khovayko.com.sip: SIP,<br>
length: 331<br>
20:21:46.046088 IP <a href="http://deskpro.khovayko.com" target="_blank">deskpro.khovayko.com</a> &gt; <a href="http://118.175.22.75" target="_blank">118.175.22.75</a>: ICMP<br>
<a href="http://deskpro.khovayko.com" target="_blank">deskpro.khovayko.com</a> udp port sip unreachable, length 36<br>
20:21:46.051280 IP 118.175.22.75.5239 &gt; deskpro.khovayko.com.sip: SIP,<br>
length: 331<br>
20:21:46.051378 IP <a href="http://deskpro.khovayko.com" target="_blank">deskpro.khovayko.com</a> &gt; <a href="http://118.175.22.75" target="_blank">118.175.22.75</a>: ICMP<br>
<a href="http://deskpro.khovayko.com" target="_blank">deskpro.khovayko.com</a> udp port sip unreachable, length 36<br>
20:21:46.059059 IP 118.175.22.75.5239 &gt; deskpro.khovayko.com.sip: SIP,<br>
length: 331<br>
20:21:46.059154 IP <a href="http://deskpro.khovayko.com" target="_blank">deskpro.khovayko.com</a> &gt; <a href="http://118.175.22.75" target="_blank">118.175.22.75</a>: ICMP<br>
<a href="http://deskpro.khovayko.com" target="_blank">deskpro.khovayko.com</a> udp port sip unreachable, length 36<br>
20:21:46.061089 IP 118.175.22.75.5239 &gt; deskpro.khovayko.com.sip: SIP,<br>
length: 330<br>
20:21:46.061187 IP <a href="http://deskpro.khovayko.com" target="_blank">deskpro.khovayko.com</a> &gt; <a href="http://118.175.22.75" target="_blank">118.175.22.75</a>: ICMP<br>
<a href="http://deskpro.khovayko.com" target="_blank">deskpro.khovayko.com</a> udp port sip unreachable, length 36<br>
20:21:46.065982 IP 118.175.22.75.5239 &gt; deskpro.khovayko.com.sip: SIP,<br>
length: 331<br>
20:21:46.066076 IP <a href="http://deskpro.khovayko.com" target="_blank">deskpro.khovayko.com</a> &gt; <a href="http://118.175.22.75" target="_blank">118.175.22.75</a>: ICMP<br>
<a href="http://deskpro.khovayko.com" target="_blank">deskpro.khovayko.com</a> udp port sip unreachable, length 36<br>
20:21:46.073622 IP 118.175.22.75.5239 &gt; deskpro.khovayko.com.sip: SIP,<br>
length: 330<br>
20:21:46.073719 IP <a href="http://deskpro.khovayko.com" target="_blank">deskpro.khovayko.com</a> &gt; <a href="http://118.175.22.75" target="_blank">118.175.22.75</a>: ICMP<br>
<a href="http://deskpro.khovayko.com" target="_blank">deskpro.khovayko.com</a> udp port sip unreachable, length 36<br>
20:21:46.076260 IP 118.175.22.75.5239 &gt; deskpro.khovayko.com.sip: SIP,<br>
length: 331<br>
20:21:46.076352 IP <a href="http://deskpro.khovayko.com" target="_blank">deskpro.khovayko.com</a> &gt; <a href="http://118.175.22.75" target="_blank">118.175.22.75</a>: ICMP<br>
<a href="http://deskpro.khovayko.com" target="_blank">deskpro.khovayko.com</a> udp port sip unreachable, length 36<br>
20:21:46.083160 IP 118.175.22.75.5239 &gt; deskpro.khovayko.com.sip: SIP,<br>
length: 331<br>
20:21:46.083256 IP <a href="http://deskpro.khovayko.com" target="_blank">deskpro.khovayko.com</a> &gt; <a href="http://118.175.22.75" target="_blank">118.175.22.75</a>: ICMP<br>
<a href="http://deskpro.khovayko.com" target="_blank">deskpro.khovayko.com</a> udp port sip unreachable, length 36<br>
20:21:46.090586 IP 118.175.22.75.5239 &gt; deskpro.khovayko.com.sip: SIP,<br>
length: 330<br>
20:21:46.090684 IP <a href="http://deskpro.khovayko.com" target="_blank">deskpro.khovayko.com</a> &gt; <a href="http://118.175.22.75" target="_blank">118.175.22.75</a>: ICMP<br>
<a href="http://deskpro.khovayko.com" target="_blank">deskpro.khovayko.com</a> udp port sip unreachable, length 36<br>
<br>
So, you can see, this is not wrong FS activity; this is just an attack,<br>
an attempt to hack in by the method of &quot;brute force and ignorance&quot;.<br>
<br>
I think the easiest way to protect FS is to dynamically ban the IP from which<br>
the attack comes.<br>
<br>
Or, maybe a smoother policy: count unsuccessful login attempts<br>
from an IP, and after a threshold, set a time-wait for this IP.<br>
<br>
<br>
See the following sample of pseudocode to demo this idea:<br>
<br>
#define BAN_SLOTS (1&lt;&lt;12)      /* 4K hash table of ban counters */<br>
#define BAN_THRESHOLD 100        /* failed logins before this slot gets delayed */<br>
static unsigned char bantable[BAN_SLOTS];<br>
<br>
static unsigned hash(const char *s) { /* cheap string hash of the IP text */<br>
   unsigned h = 5381;<br>
   while (*s) h = h * 33 + (unsigned char)*s++;<br>
   return h;<br>
}<br>
<br>
int ban_index = hash(user_ip_address) &amp; (BAN_SLOTS - 1);<br>
<br>
if (user_login_success())<br>
   bantable[ban_index] = 0;           /* IP is valid: reset its counter */<br>
else if (bantable[ban_index] &gt;= BAN_THRESHOLD)<br>
   sleep(1);                           /* over threshold: delay the reply */<br>
else<br>
   bantable[ban_index]++;              /* count one more failure for this slot */<br>
<br>
The idea is as follows: if a real user comes in and is unlucky (same hash as<br>
the attacker), he just gets a 1s delay.<br>
But for the hacker, it will decrease the attack data flow and slow him down...<br>
<br>
_______________________________________________<br>
FreeSWITCH-dev mailing list<br>
<a href="mailto:FreeSWITCH-dev@lists.freeswitch.org">FreeSWITCH-dev@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-dev" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-dev</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-dev" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-dev</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Sincerely<br><br>Jay<br>
</div>
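<div>An added example, not code from this thread, from FreeSWITCH or from fail2ban, showing the policy both messages converge on: Oleg's "count failures per source IP, act after a threshold" and Jay's "let fail2ban read the sofia log and ban at iptables so FS never sees the packets". It parses the sofia_reg.c auth lines in the shape Oleg's log shows (each is one line in the real log; the e-mail wrapped them), keeps a per-IP sliding window like fail2ban's maxretry/findtime, and prints the iptables rule rather than running it. Assumptions: the regex is written from the posted lines, and with <code>&lt;HOST&gt;</code> in place of the ip group it is the shape a fail2ban failregex for FreeSWITCH takes; the "SIP auth failure" variant is what the sofia profile param <code>log-auth-failures</code> produces; the sample log is constructed, including the 10.0.0.5 phone and the NOTICE line; maxretry/findtime defaults are illustrative.</div>

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One sofia_reg.c auth line per event, as in Oleg's log (the e-mail wrapped
# them; FreeSWITCH writes each as a single line). Assumption: with <HOST> in
# place of the ip group this is the shape a fail2ban failregex for FreeSWITCH
# takes. 'failure' lines need the sofia profile param log-auth-failures;
# 'challenge' lines are what the posted log shows.
AUTH_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) \[WARNING\] "
    r"sofia_reg\.c:\d+ SIP auth (?P<kind>challenge|failure) "
    r"\((?P<method>REGISTER|INVITE)\) on sofia profile '(?P<profile>[^']+)' "
    r"for \[(?P<user>[^\]]*)\] from ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line):
    """Return the fields of one auth log line, or None if it is not one."""
    m = AUTH_LINE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return ev


class SipAuthWatcher:
    """Per-source-IP sliding-window counter, the policy fail2ban applies with
    maxretry/findtime: once an IP has maxretry events inside findtime it is
    reported for banning, and only once."""

    def __init__(self, maxretry=10, findtime=timedelta(seconds=60)):
        self.maxretry = maxretry
        self.findtime = findtime
        self.events = defaultdict(deque)   # ip -> event timestamps in window
        self.banned = {}                   # ip -> time the ban was decided

    def feed(self, line):
        """Consume one log line; return the IP to ban, or None."""
        ev = parse_line(line)
        if ev is None or ev["ip"] in self.banned:
            return None
        window = self.events[ev["ip"]]
        window.append(ev["ts"])
        while ev["ts"] - window[0] > self.findtime:   # drop stale entries
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[ev["ip"]] = ev["ts"]
            return ev["ip"]
        return None


def iptables_ban_cmd(ip, port=5060):
    """The host-firewall rule fail2ban's iptables action would insert.
    Dropped here, the packets never reach the FreeSWITCH process, and DROP
    (not REJECT) also stops the ICMP port-unreachable replies seen in the
    tcpdump once FS was down."""
    return f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"


def ban_from_log(lines, maxretry=10, findtime_s=60):
    """Run the watcher over a whole log; return the IPs that tripped it."""
    w = SipAuthWatcher(maxretry, timedelta(seconds=findtime_s))
    return [ip for ip in (w.feed(line) for line in lines) if ip]


# --- constructed sample log, modelled on the lines in Oleg's post ----------
def _auth_line(ts, ip, user="4@173.79.240.220", kind="challenge"):
    return (f"{ts} [WARNING] sofia_reg.c:1246 SIP auth {kind} (REGISTER) "
            f"on sofia profile 'internal' for [{user}] from ip {ip}")


SAMPLE_LOG = (
    # attacker: 12 REGISTER challenges 20 ms apart, the pattern in the post
    [_auth_line(f"2011-03-29 20:12:43.{us:06d}", "118.175.22.75")
     for us in range(0, 240000, 20000)]
    # a legitimate phone (assumed address) that mistyped its password twice
    + [_auth_line("2011-03-29 20:12:44.100000", "10.0.0.5",
                  "1001@173.79.240.220", "failure"),
       _auth_line("2011-03-29 20:12:46.100000", "10.0.0.5",
                  "1001@173.79.240.220", "failure")]
    # unrelated log noise the filter must ignore
    + ["2011-03-29 20:12:47.000000 [NOTICE] switch_core.c:100 some other event"]
)

if __name__ == "__main__":
    for ip in ban_from_log(SAMPLE_LOG):
        print(iptables_ban_cmd(ip))
```

<div>Run it and the only rule printed is for 118.175.22.75; the phone with two failures stays under the threshold. The window is the point of the exercise: Oleg's flood is about 50 packets a second from one address, so a threshold of 10 inside 60 seconds trips in well under a second, while a human retyping a password never gets near it. Note why the decision has to leave the SIP process: a sleep(1) in the worker thread, as in the pseudocode, stalls that thread for every packet of a flood arriving faster than once a second, whereas a firewall DROP costs nothing per packet and, as the tcpdump shows, the sender keeps transmitting whether or not anything is listening.</div>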