[Freeswitch-users] we are under attack

Madovsky infos at madovsky.org
Sun Aug 8 19:34:42 PDT 2010


fail2ban works like a charm for that...


----- Original Message ----- 
From: "Seven Du" <dujinfang at gmail.com>
To: "freeswitch-users" <freeswitch-users at lists.freeswitch.org>
Sent: Sunday, August 08, 2010 9:24 PM
Subject: [Freeswitch-users] we are under attack


Hi,

We suffered a SIP attack from 67.23.236.75. It attempted to register
to our SIP server using brute force.

We are running FS on a PC as our office PBX.  When all phones failed,
we noticed a high CPU load with 90%+ waiting or nice, and in the
meantime it used up memory and started swapping to disk.

It's a cheap PC with only 700MB memory, and we are running FS, DB,
Rails and other systems on it. So it took me some time to check every
part. And it didn't help even when I did a full server reboot. Finally I
turned on sip trace in FS and found thousands and millions of illegal
registers. And then I blocked the IP in iptables.

During the hard time, I noticed:

1) It gets stuck on one CPU even though I have 2 cores, since sofia-sip is
single threaded?

2) CPU was also waiting on page swap when memory was used up.

3) After I dropped all packets from that IP, FS still kept sending
register error sip messages for quite a long time before I restarted
FS.

Now looking to add http://wiki.freeswitch.org/wiki/Fail2ban, hope this helps.

Hope this helps if someone else also suffered this.

7.

-- 
Blog: http://www.dujinfang.com
Proj: http://www.freeswitch.org.cn
