[Freeswitch-users] how to block requests with From Ip equal to server interface IP?

Mon Dec 18 19:07:41 UTC 2017

Hello,

We are going to have Brian West answer your question on the ClueCon weekly
call this week in our community corner. If you would like to join us live
on Wednesday at noon central time you can dial 888 at
https://conference.freeswitch.org/vc/ or watch it live on Youtube here:
https://youtu.be/F4OkiQ_okQI

Please let me know if you have any other questions.

[image: freeswitch logo giant.jpg] <https://freeswitch.com>

Kathleen King | Public Relations / Administrative Assistant

FreeSWITCH Solutions | 17345 Civic Drive #2531 Brookfield, WI 53045

Email: Kathleen at freeswitch.com

Mobile: 703-859-3757

Website: https://www.FreeSWITCH.com <https://www.freeswitch.com>

[image: color-facebook-96.png] <https://www.facebook.com/freeswitch/> [image:
color-twitter-96.png]
<https://twitter.com/freeswitch?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>

On Fri, Dec 15, 2017 at 9:32 AM, Miguel Jesús López Valverde <
mjlopez at smartic.es> wrote:

> Good afternoon everyone
>
>
>
> I get a new query regarding a type of attack that our freeswitch servers
> receive constantly in case someone knows how to block them.
>
>
>
> These are INVITE or REGISTER requests in which the FROM: field arrives
> with the ip and port equal to the public interface of the server, so the
> different protection options that I have tried have not blocked these
> requests:
>
>
>
> - IpTables can not filter by the information From the INVITE message.
>
> - Fail2Ban is equally limited than IpTables.
>
> - ACLs have not resolved to filter these requests.
>
>
>
> Does anyone know any way to block these requests?
>
>
>
> I send here a trace with an INVITE message where you can see a request of
> this type.
>
>
>
> Thanks and best regards.
>
>
>
> U 2017/12/14 18:32:55.156886 185.107.94.121:11120 -> 182.30.1.194:5060
>
> INVITE sip:390239297988@ 182.30.1.194:5060;transport=UDP SIP/2.0.
>
> Via: SIP/2.0/UDP 122.221.117.131:5060;branch=z9hG4bK-524287-1---
> xi3qy2kz737ni404.
>
> Max-Forwards: 70.
>
> Contact: <sip:15714000000 <(571)%20400-0000>@122.221.117.
> 131:5060;transport=UDP>.
>
> To: <sip:390239297988@ 182.30.1.194;transport=UDP>.
>
> From: <sip:15714000000 <(571)%20400-0000>@ 182.30.1.194;transport=UDP>;
> tag=hlzg2jcv.
>
> Call-ID: KaQqH51mAcFv34qN8cGyv3...
>
> CSeq: 1 INVITE.
>
> Content-Type: application/sdp.
>
> User-Agent: Z 3.14.38765 rv2.8.3.
>
> Allow-Events: presence, kpml, talk.
>
> Content-Length: 0.
>
> .
>
>
>
>
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient> Libre
> de virus. www.avast.com
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>
> <#m_-638193062881438373_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20171218/3c6d09cf/attachment.html>