[Freeswitch-users] No failure messages in log during SIPVicious attack

PhilQ philq at qsystemsengineering.com
Thu Mar 21 18:09:16 MSK 2013


What I did was very similar to the separate flood rule, I just grouped the
regex in with the auth failure rule.

FYI - the attack is still ongoing this morning. I have fail2ban set to ban
IPs for 10 hours at a time and noticed in the log that the offending IP was
re-banned after 2 seconds (maxretry is set to a somewhat liberal 150
attempts).

For what it's worth, the attack is coming from 70.38.71.75, which is within
an IP block owned by iWeb Technologies.  I personally called and spoke with
one of their support staff yesterday morning after having sent a message
detailing the issue to their abuse contact email address the night before,
since I thought they would be very interested in stopping someone from using
their service to launch an attack.  I was mistaken.  The support guy on the
phone was passing it along to his team who would "get right on it".

Based on their apparent lack of ability to solve this problem after a day
and a half, I'd give them a pass unless you're a script-kiddie looking to
leverage a provider who's not minding the store to launch attacks against
other computing resources. If that's the case, then that's the place.
Adding their IP netblock to your firewall's blacklist might be a good idea.

iWeb Technologies Inc. IWEB-BLK-05 (NET-70-38-0-0-1) 70.38.0.0 - 70.38.127.255
iWeb Dedicated CL2 IWEB-CL-T160-01SH (NET-70-38-71-64-1) 70.38.71.64 - 70.38.71.95

- Phil
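As an added illustration of the counting that fail2ban does behind a rule like the one Phil describes (this is example code, not from his post or from the FreeSWITCH or fail2ban projects), the Python below applies a fail2ban-style failregex to a few constructed FreeSWITCH log lines and works out which source IPs cross a maxretry threshold inside a findtime window. The log-line format, the two regexes, the IP addresses and the thresholds are all assumptions for the example; in particular, treating "SIP auth challenge" lines as the flood pattern that gets grouped in with the auth-failure rule is my reading, not something the post states. The point it shows is that grouping the extra pattern into the same filter raises the per-IP count, so the ban trips earlier on the same traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the general shape FreeSWITCH's sofia module uses
# for auth events. Addresses are documentation ranges; nothing here is taken
# from the original post. The NOTICE line is a control that must not match.
SAMPLE_LOG = """\
2013-03-21 09:15:02.100000 [WARNING] sofia_reg.c:1530 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@203.0.113.10] from ip 198.51.100.7
2013-03-21 09:15:02.200000 [WARNING] sofia_reg.c:1530 SIP auth failure (REGISTER) on sofia profile 'internal' for [1002@203.0.113.10] from ip 198.51.100.7
2013-03-21 09:15:02.300000 [WARNING] sofia_reg.c:1530 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1003@203.0.113.10] from ip 198.51.100.7
2013-03-21 09:15:02.400000 [WARNING] sofia_reg.c:1530 SIP auth failure (INVITE) on sofia profile 'internal' for [1004@203.0.113.10] from ip 198.51.100.7
2013-03-21 09:15:05.000000 [WARNING] sofia_reg.c:1530 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@203.0.113.10] from ip 192.0.2.44
2013-03-21 09:40:00.000000 [WARNING] sofia_reg.c:1530 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@203.0.113.10] from ip 192.0.2.44
2013-03-21 09:15:06.000000 [NOTICE] switch_core.c:100 unrelated line that must not match
"""

_PREFIX = (r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \[WARNING\] sofia_reg\.c:\d+ ")
_SUFFIX = (r" \((?:REGISTER|INVITE)\) on sofia profile '[^']+' for \[[^\]]*\]"
           r" from ip (?P<host>\d{1,3}(?:\.\d{1,3}){3})$")

# Filter 1: auth failures only (assumed shape of a plain auth-failure rule).
AUTH_FAILURE_RE = re.compile(_PREFIX + r"SIP auth failure" + _SUFFIX)
# Filter 2: the flood pattern ("auth challenge") grouped into the same rule.
COMBINED_RE = re.compile(_PREFIX + r"SIP auth (?:failure|challenge)" + _SUFFIX)


def parse_events(log_text, pattern):
    """Return a list of (timestamp, source_ip) for every line the pattern matches."""
    events = []
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group("host")))
    return events


def count_by_ip(events):
    """Total matched events per source IP (what a log review would tally by hand)."""
    counts = defaultdict(int)
    for _, ip in events:
        counts[ip] += 1
    return dict(counts)


def ips_to_ban(events, maxretry, findtime_s):
    """Mimic fail2ban's maxretry/findtime: an IP is banned the first time it has
    at least `maxretry` matches inside any sliding window of `findtime_s` seconds.
    Returns {ip: timestamp of the event that tripped the ban}."""
    window = timedelta(seconds=findtime_s)
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    banned_at = {}
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop matches older than findtime
        if len(q) >= maxretry and ip not in banned_at:
            banned_at[ip] = ts
    return banned_at


if __name__ == "__main__":
    for name, pat in (("auth-failure only", AUTH_FAILURE_RE), ("combined", COMBINED_RE)):
        ev = parse_events(SAMPLE_LOG, pat)
        print(name, count_by_ip(ev), ips_to_ban(ev, maxretry=3, findtime_s=600))
```

With the same three-match threshold, the failure-only filter bans 198.51.100.7 on its fourth line (the third failure), while the combined filter bans it one line earlier because the challenge line also counts; 192.0.2.44 never reaches the threshold because its two events are 25 minutes apart, outside the 600 second window. To turn this into real fail2ban configuration, the equivalent is a `failregex` with the `(?:failure|challenge)` alternation and `<HOST>` in place of the IP group in the filter, plus `maxretry`, `findtime` and `bantime` in the jail.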


