[Freeswitch-users] What kind of attack is this?
Mimiko
vbvbrj at gmail.com
Mon Oct 14 18:28:16 MSD 2013
Hello.

Recently I see a DDoS on one interface and the FS module callcenter is working
irregularly. tcpdump shows this:
17:17:42.410306 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 364)
    50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 336
E..l..@.0...2.%
MY.".....XW.REGISTER sip:A.B.C.D SIP/2.0
Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-3646224729;rport
Content-Length: 0
From: "6796" <sip:6796@A.B.C.D>
Accept: application/sdp
User-Agent: friendly-scanner
To: "6796" <sip:6796@A.B.C.D>
Contact: sip:123@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 360911671
Max-Forwards: 70

17:17:42.415504 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 365)
    50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 337
E..m..@.0...2.%
MY.".....Y,.REGISTER sip:A.B.C.D SIP/2.0
Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-1538287390;rport
Content-Length: 0
From: "6796" <sip:6796@A.B.C.D>
Accept: application/sdp
User-Agent: friendly-scanner
To: "6796" <sip:6796@A.B.C.D>
Contact: sip:123@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 3912185912
Max-Forwards: 70

17:17:42.420997 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 365)
    50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 337
E..m..@.0...2.%
MY.".....Y7.REGISTER sip:A.B.C.D SIP/2.0
Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-3729326239;rport
Content-Length: 0
From: "6796" <sip:6796@A.B.C.D>
Accept: application/sdp
User-Agent: friendly-scanner
To: "6796" <sip:6796@A.B.C.D>
Contact: sip:123@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 2188845586
Max-Forwards: 70

17:17:42.425886 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 365)
    50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 337
E..m..@.0...2.%
MY.".....Y3.REGISTER sip:A.B.C.D SIP/2.0
Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-2208974380;rport
Content-Length: 0
From: "6796" <sip:6796@A.B.C.D>
Accept: application/sdp
User-Agent: friendly-scanner
To: "6796" <sip:6796@A.B.C.D>
Contact: sip:123@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 4149361432
Max-Forwards: 70

17:17:42.431126 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 364)
    50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 336
E..l..@.0...2.%
MY.".....X..REGISTER sip:A.B.C.D SIP/2.0
Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-725880732;rport
Content-Length: 0
From: "6796" <sip:6796@A.B.C.D>
Accept: application/sdp
User-Agent: friendly-scanner
To: "6796" <sip:6796@A.B.C.D>
Contact: sip:123@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 1466795680
Max-Forwards: 70

17:17:42.436476 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 365)
    50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 337
E..m..@.0...2.%
MY.".....Y6.REGISTER sip:A.B.C.D SIP/2.0
Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-3259665948;rport
Content-Length: 0
From: "6796" <sip:6796@A.B.C.D>
Accept: application/sdp
User-Agent: friendly-scanner
To: "6796" <sip:6796@A.B.C.D>
Contact: sip:123@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 3328716097
Max-Forwards: 70

17:17:42.441541 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 364)
    50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 336
E..l..@.0...2.%
MY.".....XT.REGISTER sip:A.B.C.D SIP/2.0
Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-2487219966;rport
Content-Length: 0
From: "6796" <sip:6796@A.B.C.D>
Accept: application/sdp
User-Agent: friendly-scanner
To: "6796" <sip:6796@A.B.C.D>
Contact: sip:123@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 684380132
Max-Forwards: 70
In iptables I have this:

pkts bytes target prot opt in  out source        destination
1637 597K  DROP   all  --  *   *   50.30.37.10   0.0.0.0/0
   0    0  DROP   all  --  *   *   62.75.212.215 0.0.0.0/0

So packets from that IP are not dropped. How is that? Does FS have a bug?
--
Mimiko desu.
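The capture above has three features worth pulling out mechanically: every REGISTER carries User-Agent: friendly-scanner (the SIPVicious banner), the packets arrive from 50.30.37.10 at the IP layer while the Via header claims 62.75.212.215, and seven of them land within about 31 ms. The second point is why the DROP rule on 62.75.212.215 shows 0 matches: iptables filters on the IP source, and the Via address never appears there. The rule on 50.30.37.10 has already matched 1637 packets; tcpdump reads frames off the interface before the INPUT chain, so it keeps showing traffic that rule is discarding. The script below is an added example, not code from the post or from FreeSWITCH: it parses a tcpdump capture in the one-line summary format (an assumption; the post used -v, which splits each packet over two lines), extracts the SIP headers, and reports the addresses a firewall rule must use, the claimed Via hosts, the burst rate, and the indicators found. The sample capture is constructed from the seven packets in the post with 203.0.113.5 standing in for A.B.C.D; the scanner list and the 20 pps flood threshold are illustrative values, not something the post gives.

```python
"""Triage a burst of SIP REGISTERs captured with tcpdump.

Added example, not code from the post or from FreeSWITCH.  Assumes the
one-line 'tcpdump -n' summary form (timestamp, src.port > dst.port, then
the ASCII payload) and uses 203.0.113.5 in place of the post's A.B.C.D.
The scanner list and flood threshold are illustrative, not from the post.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

SCANNER_AGENTS = {"friendly-scanner"}   # SIPVicious banner seen in the capture
FLOOD_THRESHOLD_PPS = 20.0              # assumed; tune to your re-register rate

_PKT_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+)"
                     r" > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
_VIA_RE = re.compile(r"SIP/2\.0/\w+ ([^;:\s]+)")

@dataclass
class SipPacket:
    ts: float                  # seconds since midnight, from the tcpdump timestamp
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    request: str = ""          # e.g. "REGISTER sip:203.0.113.5 SIP/2.0"
    headers: dict = field(default_factory=dict)   # lower-cased name -> value

def parse_capture(text):
    """Split tcpdump output into one SipPacket per summary line."""
    packets = []
    for line in text.splitlines():
        m = _PKT_RE.match(line)
        if m:
            h, mi, s, sip, sport, dip, dport = m.groups()
            packets.append(SipPacket(int(h) * 3600 + int(mi) * 60 + float(s),
                                     sip, int(sport), dip, int(dport)))
        elif packets and line.strip():
            pkt = packets[-1]
            if not pkt.request:            # first payload line is the request line
                pkt.request = line.strip()
            elif ":" in line:
                name, _, value = line.partition(":")
                pkt.headers[name.strip().lower()] = value.strip()
    return packets

def via_host(pkt):
    """Host the sender claims in its Via header; need not be the IP source."""
    m = _VIA_RE.search(pkt.headers.get("via", ""))
    return m.group(1) if m else None

def classify(packets):
    """Who sent the burst, from which address, how fast, and why it matters."""
    agents = Counter(p.headers.get("user-agent", "<none>") for p in packets)
    span = packets[-1].ts - packets[0].ts
    # Inverse of the mean inter-arrival time; 0.0 for a single packet.
    rate = (len(packets) - 1) / span if len(packets) > 1 and span > 0 else 0.0
    call_ids = {p.headers.get("call-id") for p in packets}
    indicators = []
    if agents.keys() & SCANNER_AGENTS:
        indicators.append("scanner user-agent")
    if any(via_host(p) not in (None, p.src_ip) for p in packets):
        indicators.append("via host differs from ip source")  # a rule on the Via IP never matches
    if rate > FLOOD_THRESHOLD_PPS:
        indicators.append("register flood")
    if len(call_ids) == len(packets) > 1:
        indicators.append("new transaction per packet")       # fresh attempts, not retransmits
    return {
        "firewall_sources": sorted({p.src_ip for p in packets}),  # what a DROP rule must use
        "via_hosts": sorted({via_host(p) for p in packets} - {None}),
        "user_agents": dict(agents),
        "rate_pps": round(rate, 1),
        "indicators": indicators,
    }

# Constructed sample: the post's seven packets (same timestamps, branch tags
# and Call-IDs) rebuilt in the summary format the parser expects.
_TEMPLATE = (
    "17:17:{ts} IP 50.30.37.10.5064 > 203.0.113.5.5060: UDP, length 336\n"
    "REGISTER sip:203.0.113.5 SIP/2.0\n"
    "Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-{branch};rport\n"
    "Content-Length: 0\n"
    'From: "6796" <sip:6796@203.0.113.5>\n'
    "User-Agent: friendly-scanner\n"
    'To: "6796" <sip:6796@203.0.113.5>\n'
    "Contact: sip:123@1.1.1.1\n"
    "CSeq: 1 REGISTER\n"
    "Call-ID: {callid}\n"
)
_BURST = [
    ("42.410306", "3646224729", "360911671"), ("42.415504", "1538287390", "3912185912"),
    ("42.420997", "3729326239", "2188845586"), ("42.425886", "2208974380", "4149361432"),
    ("42.431126", "725880732", "1466795680"), ("42.436476", "3259665948", "3328716097"),
    ("42.441541", "2487219966", "684380132"),
]
SAMPLE = "".join(_TEMPLATE.format(ts=t, branch=b, callid=c) for t, b, c in _BURST)

if __name__ == "__main__":
    import json
    print(json.dumps(classify(parse_capture(SAMPLE)), indent=2))
```

Run it as-is to see the summary for the constructed burst; to use it on a live box, pipe `tcpdump -n -A -i <iface> udp port 5060` into it and feed the text to parse_capture. The firewall_sources list is the one to put in a DROP rule; the via_hosts list is only useful for correlating scans, since the sender controls that header.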