[Freeswitch-users] DOS attack

Michael Collins msc at freeswitch.org
Thu Mar 31 02:46:29 MSD 2011 

Sounds like the friend-scanner. Check this out:
http://wiki.freeswitch.org/wiki/FS_weekly_2011_02_23#Featured_Presentation

Of course, you should look into those packets to see what, exactly they are.
Also, if you can block that IP address outright on your firewall that would
be good, too.

-MC

On Wed, Mar 30, 2011 at 3:39 PM, Brian May
<brian at microcomaustralia.com.au>wrote:

> Hello,
>
> This morning, I got the following message:
>
> [241824.279299] Out of memory: kill process 20570 (freeswitch) score
> 17388 or a child
>
> Since then I have plenty of memory.
>
> Since then I have noticed that I am receiving almost 400 packets a
> second along the lines of:
>
> 2011-03-31 06:57:25.541284 [WARNING] sofia_reg.c:1246 SIP auth
> challenge (REGISTER) on sofia profile 'internal' for
> [224586792 at 59.167.180.194] from ip 95.154.248.17
> 2011-03-31 06:57:25.543256 [WARNING] sofia_reg.c:1246 SIP auth
> challenge (REGISTER) on sofia profile 'internal' for
> [3728015026 at 59.167.180.194] from ip 95.154.248.17
> 2011-03-31 06:57:25.547261 [WARNING] sofia_reg.c:1246 SIP auth
> challenge (REGISTER) on sofia profile 'internal' for
> [224586792 at 59.167.180.194] from ip 95.154.248.17
> 2011-03-31 06:57:25.559259 [WARNING] sofia_reg.c:1246 SIP auth
> challenge (REGISTER) on sofia profile 'internal' for
> [3728015026 at 59.167.180.194] from ip 95.154.248.17
> 2011-03-31 06:57:25.564311 [WARNING] sofia_reg.c:1246 SIP auth
> challenge (REGISTER) on sofia profile 'internal' for
> [224586792 at 59.167.180.194] from ip 95.154.248.17
> 2011-03-31 06:57:25.574287 [WARNING] sofia_reg.c:1246 SIP auth
> challenge (REGISTER) on sofia profile 'internal' for
> [3728015026 at 59.167.180.194] from ip 95.154.248.17
> 2011-03-31 06:57:25.578259 [WARNING] sofia_reg.c:1246 SIP auth
> challenge (REGISTER) on sofia profile 'internal' for
> [3728015026 at 59.167.180.194] from ip 95.154.248.17
> 2011-03-31 06:57:25.587276 [WARNING] sofia_reg.c:1246 SIP auth
> challenge (REGISTER) on sofia profile 'internal' for
> [224586792 at 59.167.180.194] from ip 95.154.248.17
> 2011-03-31 06:57:25.593266 [WARNING] sofia_reg.c:1246 SIP auth
> challenge (REGISTER) on sofia profile 'internal' for
> [3728015026 at 59.167.180.194] from ip 95.154.248.17
> 2011-03-31 06:57:25.595256 [WARNING] sofia_reg.c:1246 SIP auth
> challenge (REGISTER) on sofia profile 'internal' for
> [3728015026 at 59.167.180.194] from ip 95.154.248.17
>
> These packets continue even though I stoped freeswitch:
>
> 09:38:30.132408 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length:
> 362
> 09:38:30.132915 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length:
> 366
> 09:38:30.137077 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length:
> 362
> 09:38:30.138790 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length:
> 364
> 09:38:30.142020 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length:
> 361
> 09:38:30.144696 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length:
> 366
> 09:38:30.147442 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length:
> 362
> 09:38:30.150147 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length:
> 366
> 09:38:30.153407 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length:
> 362
> 09:38:30.155827 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length:
> 367
> 09:38:30.159236 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length:
> 363
> 09:38:30.161730 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length:
> 366
> 09:38:30.165435 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length:
> 363
> 09:38:30.168153 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length:
> 366
>
> I don't recognise this IP address - 95.154.248.17.
>
> Could this be related to the out of memory issue? If so, does this
> indicate some sort of memory leak inside freeswitch? Or is this normal
> expected behaviour when receiving so many connection attempts?
>
> Thanks
> --
> Brian May <brian at microcomaustralia.com.au>
>
> _______________________________________________
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20110330/b02dfd8b/attachment-0001.html

More information about the FreeSWITCH-users mailing list