[Freeswitch-users] No failure messages in log during SIPVicious attack

Ken Rice krice at freeswitch.org
Thu Mar 21 19:15:06 MSK 2013


On Linux, the following is quite effective at mitigating most SIPVicious
activity:

iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm


On 3/21/13 9:09 AM, "PhilQ" <philq at qsystemsengineering.com> wrote:

> What I did was very similar to the separate flood rule, I just grouped the
> regex in with the auth failure rule.
> 
> FYI - the attack is still ongoing this morning.  I have fail2ban set to ban
> IPs for 10 hours at a time and noticed in the log that the offending IP was
> re-banned after 2 seconds, (maxretry is set to a somewhat liberal 150
> attempts).
> 
> For what it's worth, the attack is coming from 70.38.71.75, which is within
> an IP block owned by iWeb Technologies.  I personally called and spoke with
> one of their support staff yesterday morning after having sent a message
> detailing the issue to their abuse contact email address the night before,
> since I thought they would be very interested in stopping someone from using
> their service to launch an attack.  I was mistaken.  The support guy on the
> phone was passing it along to his team who would "get right on it".
> 
> Based on their apparent lack of ability to solve this problem after a day
> and a half, I'd give them a pass unless you're a script-kiddie looking to
> leverage a provider who's not minding the store to launch attacks against
> other computing resources.  If that's the case, then that's the place.
> Adding their IP netblock to your firewall's blacklist might be a good idea.
> 
> iWeb Technologies Inc. IWEB-BLK-05 (NET-70-38-0-0-1) 70.38.0.0 -
> 70.38.127.255
> iWeb Dedicated CL2 IWEB-CL-T160-01SH (NET-70-38-71-64-1) 70.38.71.64 -
> 70.38.71.95
> 
> - Phil

-- 
Ken
http://www.FreeSWITCH.org
http://www.ClueCon.com
http://www.OSTAG.org
irc.freenode.net #freeswitch
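
Added example, not part of the original messages or of FreeSWITCH or fail2ban: a Python sketch of the two checks discussed in this thread, the literal "friendly-scanner" payload match used by the iptables rule and a per-source attempt counter using the maxretry of 150 quoted above. The 600-second window, the choice to count REGISTER requests, the function names and all sample traffic (documentation-range addresses) are assumptions made for illustration.

```python
from collections import defaultdict, deque

SCANNER_TOKEN = b"friendly-scanner"  # literal matched by the iptables string rule
MAXRETRY = 150   # threshold quoted in the thread
FINDTIME = 600   # seconds; assumed counting window, not given in the thread

def classify(packets, maxretry=MAXRETRY, findtime=FINDTIME):
    """packets: (timestamp, src_ip, payload) tuples sorted by time.
    Returns {src_ip: (reason, timestamp of the decision)}."""
    recent, blocked = defaultdict(deque), {}
    for ts, src, payload in packets:
        if src in blocked:
            continue
        if SCANNER_TOKEN in payload:  # raw, case-sensitive byte match, like -m string
            blocked[src] = ("signature", ts)
            continue
        if not payload.startswith(b"REGISTER "):
            continue  # assumption: only REGISTER attempts are counted
        window = recent[src]
        window.append(ts)
        while ts - window[0] > findtime:  # drop attempts older than findtime
            window.popleft()
        if len(window) >= maxretry:
            blocked[src] = ("rate", ts)
    return blocked

def sip(method, ua):
    """Build a constructed SIP request (sample data only)."""
    return (f"{method} sip:pbx.example.invalid SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
            f"User-Agent: {ua}\r\nContent-Length: 0\r\n\r\n").encode()

def sample_packets():
    """Constructed traffic: one signature hit, one flood, one normal client."""
    pk = [(0.0, "192.0.2.10", sip("OPTIONS", "friendly-scanner"))]
    pk += [(1 + i / 75, "192.0.2.20", sip("REGISTER", "ExamplePhone/1.0")) for i in range(300)]
    pk += [(5.0 * i, "198.51.100.7", sip("REGISTER", "ExamplePhone/1.0")) for i in range(20)]
    return sorted(pk, key=lambda p: p[0])

if __name__ == "__main__":
    for src, (reason, ts) in classify(sample_packets()).items():
        print(f"{src}: block ({reason}) at t={ts:.2f}s")
```

In the constructed flood, the 150-attempt threshold is reached just under two seconds after the first request, while the slow client is never flagged; the signature check only fires on packets that carry the literal string.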




