[Freeswitch-users] we are under attack

Seven Du dujinfang at gmail.com
Sun Aug 8 18:24:20 PDT 2010


Hi,

We suffered an SIP attack from 67.23.236.75. It attempted to register
to our SIP server using brute force.

We are running FS on a PC as our office PBX. When all phones failed,
we noticed a high CPU load with 90%+ waiting or nice, and in the
meantime it used up memory and started swapping to disk.

It's a cheap PC with only 700MB memory, and we are running FS, DB,
Rails and other systems on it. So it took me some time to check every
part. And it didn't help even when I did a full server reboot. Finally I
turned on sip trace in FS and found thousands and millions of illegal
registers. And then I blocked the IP in iptables.

During the hard time, I noticed:

1) It got stuck on one CPU even though I have 2 cores, since sofia-sip is single threaded?

2) The CPU was also waiting on page swap when memory was used up.

3) After I dropped all packets from that IP, FS still kept sending
register error sip messages for quite a long time before I restarted
FS.

Now looking to add http://wiki.freeswitch.org/wiki/Fail2ban, hope this helps.

Hope this helps if someone else also suffers from this.

7.

-- 
Blog: http://www.dujinfang.com
Proj:  http://www.freeswitch.org.cn
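
The triage described in the message (read the SIP trace, find the source flooding REGISTER, drop it in iptables) can be scripted. The following is an added example, not part of the original post and not FreeSWITCH code: the trace header layout, the thresholds, the function names and the sample addresses (documentation ranges) are assumptions, and the sample trace is constructed.

```python
import re
from collections import defaultdict, deque

# Packet header printed by the SIP trace; layout is an assumption, IPv4 only.
RECV = re.compile(r"recv \d+ bytes from \w+/\[([\d.]+)\]:\d+ at (\d+):(\d+):(\d+)\.\d+")

def register_times(trace):
    """Return {source_ip: [second-of-day of each REGISTER request]}."""
    seen = defaultdict(list)
    pending = None                      # (ip, t) taken from the last recv header
    for line in trace.splitlines():
        m = RECV.search(line)
        if m:
            h, mi, s = (int(x) for x in m.group(2, 3, 4))
            pending = (m.group(1), h * 3600 + mi * 60 + s)
        elif pending and line.strip() and not line.lstrip().startswith("-"):
            # First line after the header and dashed separator is the start line.
            if line.lstrip().startswith("REGISTER "):
                seen[pending[0]].append(pending[1])
            pending = None
    return seen

def flood_sources(trace, threshold=20, window=10):
    """IPs that sent more than `threshold` REGISTERs within `window` seconds."""
    flagged = []
    for ip, times in register_times(trace).items():
        recent = deque()
        for t in sorted(times):         # midnight rollover is not handled
            recent.append(t)
            while t - recent[0] >= window:
                recent.popleft()
            if len(recent) > threshold:
                flagged.append(ip)
                break
    return sorted(flagged)

def drop_rules(ips):
    """iptables commands to review and apply by hand; nothing is executed."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

def _packet(ip, sec, method):           # builds one constructed trace entry
    return (f"recv 400 bytes from udp/[{ip}]:5060 at 18:00:{sec:02d}.000000:\n"
            "   ------------------------------------------------------------\n"
            f"   {method} sip:pbx.example.com SIP/2.0\n\n")

# Constructed sample: one phone registering once, one source flooding.
SAMPLE = (_packet("192.0.2.10", 0, "REGISTER") + _packet("192.0.2.10", 30, "OPTIONS")
          + "".join(_packet("203.0.113.50", i % 5, "REGISTER") for i in range(40)))

if __name__ == "__main__":
    print("\n".join(drop_rules(flood_sources(SAMPLE))))
```

Tune `threshold` and `window` to the re-registration interval of your own phones so that a legitimate handset behind NAT is not flagged.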


