[Freeswitch-users] we are under attack
Ash
ash at archerdrive.com
Mon Aug 9 01:52:47 PDT 2010
I had a similar problem a couple of weeks ago. I was hit from IPs in China and Finland. In the end I created an iptables chain to allow Australian IPs only, as we only expect to see Australian IPs. I obtained the list from http://www.ipaddresslocation.org. Then I created a log rule to log any dropped connections to /var/log/messages and use nagios check_log to email me if there are any drops; this way I can be sure it's only Australian IPs.
I also added some rate limiting to ports 5060-5080.
To date we have not had any more issues... Touch wood!
On 09/08/2010, at 11:24 AM, Seven Du wrote:
> Hi,
>
> We suffered a SIP attack from 67.23.236.75. It attempted to register
> to our SIP server using brute force.
>
> We are running FS on a PC as our office PBX. When all phones failed,
> we noticed a high CPU load with 90%+ waiting or nice, and in the
> meantime it used up memory and started swapping to disk.
>
> It's a cheap PC with only 700MB memory, and we are running FS, DB,
> Rails and other systems on it. So it took me some time to check every
> part. And it didn't help even when I did a full server reboot. Finally I
> turned on sip trace in FS and found thousands and millions of illegal
> registers. And then I blocked the IP in iptables.
>
> During the hard time, I noticed:
>
> 1) It gets stuck on one CPU even though I have 2 cores, since sofia-sip is single threaded?
>
> 2) The CPU is also waiting on page swap when memory is used up.
>
> 3) After I dropped all packets from that IP, FS still kept sending
> register error sip messages for quite a long time before I restarted
> FS.
>
> Now looking to add http://wiki.freeswitch.org/wiki/Fail2ban, hope this helps.
>
> Hope this helps if someone also suffered this.
>
> 7.
>
> --
> Blog: http://www.dujinfang.com
> Proj: http://www.freeswitch.org.cn
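The setup described in the reply above (an allowlist chain for the SIP ports, logged drops, and rate limiting on 5060-5080), as an added example that is not the poster's actual ruleset. The chain name `SIP_ALLOW`, the log prefix, the rate values and the sample networks (documentation ranges, not real Australian allocations) are assumptions.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a source allowlist on SIP ports.
# Chain name, log prefix and rate values are assumptions, not from the original post.

SIP_PORTS="5060:5080"     # port range named in the post
LOG_PREFIX="SIP-DROP: "   # hypothetical prefix for nagios check_log to match

# Reads one IPv4 address or CIDR per line on stdin (blank lines and # comments
# ignored) and writes the ruleset on stdout. Returns 1 on a malformed or empty
# list so a bad input never yields a partial allowlist.
build_sip_ruleset() {
    rules=""
    while IFS= read -r line || [ -n "$line" ]; do
        cidr=$(printf '%s' "$line" | sed 's/#.*//; s/[[:space:]]//g')
        [ -z "$cidr" ] && continue
        # Shape check only; iptables-restore still validates octet values.
        if ! printf '%s\n' "$cidr" | grep -Eq \
            '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'; then
            echo "rejecting malformed entry: $cidr" >&2
            return 1
        fi
        rules="${rules}-A SIP_ALLOW -s ${cidr} -j ACCEPT
"
    done
    [ -n "$rules" ] || { echo "empty allowlist, refusing to emit rules" >&2; return 1; }
    # Order: per-source rate limit, then allowlist, then rate-limited LOG, then DROP.
    cat <<EOF
*filter
:SIP_ALLOW - [0:0]
-A INPUT -p udp -m udp --dport ${SIP_PORTS} -j SIP_ALLOW
-A INPUT -p tcp -m tcp --dport ${SIP_PORTS} -j SIP_ALLOW
-A SIP_ALLOW -m hashlimit --hashlimit-name sip --hashlimit-mode srcip --hashlimit-above 20/second --hashlimit-burst 40 -j DROP
${rules}-A SIP_ALLOW -m limit --limit 6/minute -j LOG --log-prefix "${LOG_PREFIX}"
-A SIP_ALLOW -j DROP
COMMIT
EOF
}

# Constructed sample list (documentation ranges used as placeholders).
SAMPLE_LIST='203.0.113.0/24
198.51.100.0/24   # second placeholder network'
printf '%s\n' "$SAMPLE_LIST" | build_sip_ruleset
```

Review the generated rules before loading them, for example with `iptables-restore --noflush` so the existing ruleset is kept.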