[Freeswitch-users] SPIT attack and how to strike back

Peter P GMX Prometheus001 at gmx.net
Fri Apr 22 00:29:29 MSD 2011


I started the same approach with iptables rules on port 5060 and 5080.
Nevertheless the SIPVicious attack generates quite significant traffic.
As - like in our case - all traffic above certain GBytes costs us a lot
of money, the described trick was done in order to stop the SIPVicious
scanner attacking us.
And this worked quite well.

Anyway, if you want to listen on port 5080 for SIPVicious attacks, feel
free to change the code of strike_back.rb:
from

$filter = Pcap::Filter.new('udp and dst port 5060', $network.capture)
to
$filter = Pcap::Filter.new('udp and dst port 5080', $network.capture)


Best regards
Peter

Kristian Kielhofner wrote:
> On Thu, Apr 21, 2011 at 11:03 AM, mazilo <Nabble at slickdeals.endjunk.com> wrote:
>   
>> Brian West wrote:
>>     
>>> the little prick doesn't scan on 5080 yet as far as I know!  :P
>>>       
>> OK and that makes sense. When I telnet to both port 5060 and 5080 on my FS,
>> it responded. So, I reckon it is safe and better to include both --dport
>> 5080 and --dport 5060.
>>     
>
> Keep in mind that sipvicious typically (always?) scans using UDP.
> FreeSWITCH supports UDP, TCP and TLS (on 5061 if enabled).  Telnet is
> TCP only so it's not a valid test for exposure to UDP only scans using
> sipvicious.
>
> For effective blocking of these attacks block TCP and UDP transports
> to 5060 and 5080 if using the default config.
>
>   
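
Added example, not part of the original thread: a shell check that reads `iptables-save` output and reports which of the four transport/port combinations named above (UDP and TCP on 5060 and 5080) have no blocking rule. The function names and the sample ruleset are constructed for illustration; the check assumes filtering is done in the INPUT chain and does not evaluate rule order or port ranges.

```shell
#!/bin/sh
# Audit iptables-save output for coverage of the FreeSWITCH default SIP ports.
# Assumption: blocking is done with DROP/REJECT rules in the INPUT chain.

sip_uncovered() {
    # Reads iptables-save text on stdin and prints every proto/port pair
    # that no DROP/REJECT rule covers. Rules limited to one source (-s)
    # are not counted, because they do not block a scanner from elsewhere.
    awk '
    $1 == "-A" && $2 == "INPUT" {
        proto = ""; ports = ""; target = ""; restricted = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "-s") restricted = 1
        }
        if (restricted || (target != "DROP" && target != "REJECT")) next
        # --dports (multiport) carries a comma-separated list
        n = split(ports, list, ",")
        for (k = 1; k <= n; k++) covered[proto "/" list[k]] = 1
    }
    END {
        for (p = 1; p <= 2; p++)
            for (q = 1; q <= 2; q++) {
                key = (p == 1 ? "udp" : "tcp") "/" (q == 1 ? "5060" : "5080")
                if (!(key in covered)) print key
            }
    }'
}

# Constructed sample: UDP is blocked on both ports, TCP only for one source.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 5060 -j DROP
-A INPUT -p udp -m udp --dport 5080 -j DROP
-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 5060 -j DROP
COMMIT
EOF
}

# Stand-alone run: lists the transports/ports still exposed in the sample.
sample_rules | sip_uncovered
```

On a live host the input would come from `iptables-save | sip_uncovered` run as root; an empty result means all four combinations have a rule.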



