[Freeswitch-users] Been hacked - what's the best way to prevent sip scanner?

David Ponzone david.ponzone at ipeva.fr
Tue Oct 5 14:25:36 PDT 2010


Mario,

Personally, following a DoS REGISTER attack I had recently, I
configured some rate-limiting on REGISTER attempts.
Here is the result, in "iptables-save" format:

-A INPUT -d YOUR_FS_IP -p udp -m udp --dport YOUR_FS_PORT -m string --string "REGISTER" --algo kmp --from 20 --to 60 -j dos-filter-register-external
-A dos-filter-register-external -m hashlimit --hashlimit 5/sec --hashlimit-burst 8 --hashlimit-mode srcip --hashlimit-name REGISTER --hashlimit-htable-size 24593 --hashlimit-htable-expire 90000 -j RETURN
-A dos-filter-register-external -j REJECT --reject-with icmp-admin-prohibited

This will rate-limit REGISTER packets coming to YOUR_FS_IP:YOUR_FS_PORT
to 5 per second for each source IP.

PS: thanks to the experienced people on #freeswitch for the help
provided to set up this filter.

David Ponzone  Direction Technique
email: david.ponzone at ipeva.fr
tel:      01 74 03 18 97
gsm:   06 66 98 76 34

Service Client IPeva
tel:      0811 46 26 26
www.ipeva.fr  -   www.ipeva-studio.com

On 05/10/2010 at 20:55, Mario wrote:

> After working 4 hours I found that FS was hosed due to someone from
> 208.109.87.234 sending tons of traffic to FS. I blocked the IP  
> address.
> Not only did it overload the connection but stopped FS from working,
> meaning no phones. This had not happened with the SPA9000. I listened in
> on a FS conference call discussing this issue. Is there someplace that
> has a list of things to do to prevent/reduce this? I did have ports,
> etc. blocked in the firewall. Thanks. Mario
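
To see what the "--hashlimit 5/sec --hashlimit-burst 8 --hashlimit-mode srcip" rule in the reply above does to a REGISTER flood and to a normal phone, here is a small simulation. It is an added example, not part of the original post and not netfilter's own code: it assumes a simplified token-bucket model with one bucket per source IP, and the class, function names and sample traffic are constructed for illustration.

```python
# Added illustration: simplified integer token-bucket model of the hashlimit
# rule (assumption: one bucket per source IP, refilled lazily on each packet).
RATE_PER_SEC = 5   # --hashlimit 5/sec
BURST = 8          # --hashlimit-burst 8
COST = 1000        # credit units per packet; 1 ms refills RATE_PER_SEC units


class RegisterLimiter:
    def __init__(self, rate=RATE_PER_SEC, burst=BURST):
        self.rate = rate
        self.cap = burst * COST
        self.buckets = {}  # src_ip -> (credit, last_seen_ms)

    def verdict(self, src_ip, now_ms):
        """Return the target the REGISTER packet would hit in the chain."""
        credit, last = self.buckets.get(src_ip, (self.cap, now_ms))
        # Refill for the time elapsed since this source was last seen.
        credit = min(self.cap, credit + (now_ms - last) * self.rate)
        if credit >= COST:
            self.buckets[src_ip] = (credit - COST, now_ms)
            return "RETURN"  # under the limit: back to INPUT, packet continues
        self.buckets[src_ip] = (credit, now_ms)
        return "REJECT"      # over the limit: falls through to the REJECT rule


def simulate(packets):
    """packets: iterable of (time_ms, src_ip). Returns per-IP verdict counts."""
    limiter = RegisterLimiter()
    totals = {}
    for now_ms, src_ip in sorted(packets):
        counts = totals.setdefault(src_ip, {"RETURN": 0, "REJECT": 0})
        counts[limiter.verdict(src_ip, now_ms)] += 1
    return totals


# Constructed sample traffic (documentation addresses, not real hosts):
# one source sending a REGISTER every 10 ms for one second, and one phone
# sending an initial REGISTER plus one retry.
FLOODER = "198.51.100.7"
PHONE = "192.0.2.10"
SAMPLE = [(t, FLOODER) for t in range(0, 1000, 10)] + [(0, PHONE), (300, PHONE)]

if __name__ == "__main__":
    for ip, counts in simulate(SAMPLE).items():
        print(ip, counts)
```

In this model the flooding source gets its burst of 8 through and is then held to one REGISTER every 200 ms, while the phone is unaffected because each source IP has its own bucket.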
