[Freeswitch-users] Seem to be attacked, CPU rate 95%, stop working, no log output.

Oz Mortimer omortimer at gmail.com
Sat Jun 27 00:04:05 MSD 2015


Unless targeted, all attacks will start from an IP. There are endless combinations on domains. It's a data market; someone will be scanning subdomains for open ports and then sell that list on to someone that is interested in http/MySQL/sql/sip and so on. The http guys will do a reverse IP scan to find domains / subdomains. The sip/VoIP guys will try many tools, sipvicious being the most used, probably. Once in, the data will then "probably" be sold again to the real nasty guys. As Eric said, assume that they know everything before even turning your switch on. A high profile colo will have several subnets; it wouldn't take long to scan every IP they host for services that are open.
Back to the question in hand though, I don't think this is a DoS - I'd imagine if it was, his server would be struggling too (and his access) - not just fs.
Thanks
Oz



> On 26 Jun 2015, at 20:32, Lawrence Conroy <lconroy at insensate.co.uk> wrote:
> 
> In answer to a query on silently expiring fS from Eric Ni ...
> 
>> On 26 Jun 2015, at 19:56, Oz Mortimer <omortimer at gmail.com> wrote:
>> If it is a dos attack then as many have said, fail2ban is the way to go - though you should have that installed anyway.
>> The simplest way to check if you are under attack is to install wireshark and issue: tethereal port 5060.
> 
> Most of the attacks I see seem to do DNS queries rather than blindly pinging 5060 => assume that the irritating bots know what port you're publishing in DNS as in use by SIP.
> And, of course, tethereal/tcpdump/... port <the port on which your server listens>
> 
> all the best,
>  Lawrence
> 
> My permanent ipfw block list is now about 200-ish IP address ranges, all gleaned from fail2ban (don't leave home without it!)


