[Freeswitch-users] DOS attack

Brian May brian at microcomaustralia.com.au
Thu Mar 31 02:39:45 MSD 2011


Hello,

This morning, I got the following message:

[241824.279299] Out of memory: kill process 20570 (freeswitch) score 17388 or a child

Since then I have plenty of memory.

Since then I have noticed that I am receiving almost 400 packets a
second along the lines of:

2011-03-31 06:57:25.541284 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [224586792 at 59.167.180.194] from ip 95.154.248.17
2011-03-31 06:57:25.543256 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [3728015026 at 59.167.180.194] from ip 95.154.248.17
2011-03-31 06:57:25.547261 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [224586792 at 59.167.180.194] from ip 95.154.248.17
2011-03-31 06:57:25.559259 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [3728015026 at 59.167.180.194] from ip 95.154.248.17
2011-03-31 06:57:25.564311 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [224586792 at 59.167.180.194] from ip 95.154.248.17
2011-03-31 06:57:25.574287 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [3728015026 at 59.167.180.194] from ip 95.154.248.17
2011-03-31 06:57:25.578259 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [3728015026 at 59.167.180.194] from ip 95.154.248.17
2011-03-31 06:57:25.587276 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [224586792 at 59.167.180.194] from ip 95.154.248.17
2011-03-31 06:57:25.593266 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [3728015026 at 59.167.180.194] from ip 95.154.248.17
2011-03-31 06:57:25.595256 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [3728015026 at 59.167.180.194] from ip 95.154.248.17

These packets continue even though I stopped freeswitch:

09:38:30.132408 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length: 362
09:38:30.132915 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length: 366
09:38:30.137077 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length: 362
09:38:30.138790 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length: 364
09:38:30.142020 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length: 361
09:38:30.144696 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length: 366
09:38:30.147442 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length: 362
09:38:30.150147 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length: 366
09:38:30.153407 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length: 362
09:38:30.155827 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length: 367
09:38:30.159236 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length: 363
09:38:30.161730 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length: 366
09:38:30.165435 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length: 363
09:38:30.168153 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length: 366

I don't recognise this IP address - 95.154.248.17.

Could this be related to the out of memory issue? If so, does this
indicate some sort of memory leak inside freeswitch? Or is this normal
expected behaviour when receiving so many connection attempts?

Thanks
-- 
Brian May <brian at microcomaustralia.com.au>
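
Detection logic for the log pattern quoted in this message, added here as an example and not part of the original post or of FreeSWITCH: it rejoins log records that were wrapped over several lines, then reports source IPs whose SIP auth challenges exceed a rate threshold. The window, the threshold, the function names and the sample addresses (documentation ranges) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ ")
CHALLENGE = re.compile(
    r"^(\S+ \S+) \[WARNING\] sofia_reg\.c:\d+ SIP auth challenge \(\w+\) on "
    r"sofia profile '[^']*' for \[([^\s@\]]+)(?: at |@)\S+?\] from ip (\S+)")

def unwrap(lines):
    """Rejoin wrapped records: a new record always starts with a timestamp."""
    record = ""
    for line in lines:
        line = line.strip()
        if TS.match(line) and record:
            yield record
            record = line
        elif line:
            record = f"{record} {line}".strip()
    if record:
        yield record

def flood_sources(lines, window=1.0, threshold=20):
    """Return {ip: (peak challenges in any `window` seconds, distinct users)}."""
    times, users = defaultdict(list), defaultdict(set)
    for rec in unwrap(lines):
        m = CHALLENGE.match(rec)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            times[m.group(3)].append(ts)
            users[m.group(3)].add(m.group(2))
    flagged = {}
    for ip, seen in times.items():
        seen.sort()
        peak = lo = 0
        for hi, t in enumerate(seen):          # sliding window over sorted times
            while (t - seen[lo]).total_seconds() >= window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[ip] = (peak, len(users[ip]))
    return flagged

def sample_log():
    """Constructed sample, wrapped over three lines as in the message above."""
    base = datetime(2011, 3, 31, 6, 57, 25)
    events = [(base + timedelta(milliseconds=5 * i), ("1001", "1002")[i % 2],
               "192.0.2.10") for i in range(60)]                 # flood source
    events += [(base + timedelta(seconds=30 * i), "alice", "198.51.100.7")
               for i in range(3)]                                # ordinary client
    out = []
    for ts, user, ip in events:
        out += [f"{ts:%Y-%m-%d %H:%M:%S.%f} [WARNING] sofia_reg.c:1246 SIP auth",
                "challenge (REGISTER) on sofia profile 'internal' for",
                f"[{user} at 203.0.113.5] from ip {ip}"]
    return out

if __name__ == "__main__":
    print(flood_sources(sample_log()))
```

The flagged addresses can then be fed to a firewall drop rule or a rate limiter in front of port 5060.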


