[Freeswitch-users] we are under attack

[Hristo Benev]

 If it is just one IP it is not that bad...

First block it in iptables, then file a complain with your ISP(they will help you block at entry point) and his ISP.

Fail2 ban works well with brute force...(or at least forces them to extent the attack)



 >-------- Оригинално писмо --------
 >От:  Seven Du 
 >Относно: [Freeswitch-users] we are under attack
 >До: freeswitch-users 
 >Изпратено на: Понеделник, 2010, Август 9 04:24:20 EEST

 >Hi,
 >
 >We suffered an SIP attack from 67.23.236.75. It attempted to register
 >to our SIP server using bruce force.
 >
 >We are running FS on a PC as our office PBX.  When all phone failed,
 >we noticed a high CPU load with 90%+ waiting or nice, and in the
 >meantime it used up memory and start swapping to disk.
 >
 >It's a cheap PC with only 700MB memory, and we are running FS, DB,
 >Rails and other system on it. So it took me some time to check every
 >part. And it didn't help even I did a full server reboot. Finally I
 >turned on sip trace in FS and found thousands and millions of illegal
 >registers. And then I blocked the IP in iptables.
 >
 >During the hard time, I noticed:
 >
 >1) It stucks on one CPU even I have 2 core since sofia-sip is single threaded ?
 >
 >2) CPU also waiting page swap when used up memory.
 >
 >3) After I dropped all packets from that IP, FS still kept sending
 >register error sip messages for quite a long time before I restarted
 >FS.
 >
 >Now looking to add http://wiki.freeswitch.org/wiki/Fail2ban, hope this helps .
 >
 >Hope this helps if some one also suffered this.
 >
 >7.
 >
 >-- 
 >Blog: http://www.dujinfang.com
 >Proj:  http://www.freeswitch.org.cn
 >
 >_______________________________________________
 >FreeSWITCH-users mailing list
 >FreeSWITCH-users at lists.freeswitch.org
 >http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
 >UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
 >http://www.freeswitch.org
 >