[Freeswitch-users] we are under attack
foxb at abv.bg
Mon Aug 9 03:42:27 PDT 2010
If it is just one IP it is not that bad...
First block it in iptables, then file a complain with your ISP(they will help you block at entry point) and his ISP.
Fail2 ban works well with brute force...(or at least forces them to extent the attack)
>-------- Оригинално писмо --------
>От: Seven Du
>Относно: [Freeswitch-users] we are under attack
>Изпратено на: Понеделник, 2010, Август 9 04:24:20 EEST
>We suffered an SIP attack from 18.104.22.168. It attempted to register
>to our SIP server using bruce force.
>We are running FS on a PC as our office PBX. When all phone failed,
>we noticed a high CPU load with 90%+ waiting or nice, and in the
>meantime it used up memory and start swapping to disk.
>It's a cheap PC with only 700MB memory, and we are running FS, DB,
>Rails and other system on it. So it took me some time to check every
>part. And it didn't help even I did a full server reboot. Finally I
>turned on sip trace in FS and found thousands and millions of illegal
>registers. And then I blocked the IP in iptables.
>During the hard time, I noticed:
>1) It stucks on one CPU even I have 2 core since sofia-sip is single threaded ?
>2) CPU also waiting page swap when used up memory.
>3) After I dropped all packets from that IP, FS still kept sending
>register error sip messages for quite a long time before I restarted
>Now looking to add http://wiki.freeswitch.org/wiki/Fail2ban, hope this helps .
>Hope this helps if some one also suffered this.
>FreeSWITCH-users mailing list
>FreeSWITCH-users at lists.freeswitch.org
More information about the FreeSWITCH-users