<div>Howdy</div><div><br></div><div> mmm I just had a quick look at mod_sofia , and unfortunatly it looks like the channel is hungup after the challenge is sent. But my guess is that there HAS To be a list or similar somewhere that tracks endpoints waiting for challenge responses.</div>
<div><br></div><div>Ill see if can track it down and submit a patch, because I too would like to see this at least logged.</div><div><br></div><div>as for rate-limiting responses you can have iptables drop packets over X number of invites per sec ... </div>
<div>( But they are dropped silently at the Firewall - Kristians SIP Ratelimiter has this in it ) </div><div><br></div><div>or you can use mod_limit to allow X number of invites per sec also, you would want to tell FS to hit the dialplan before codec negotiation though to do that nice and early in the piece.</div>
<div><br></div><div>Jay</div><div><br><div class="gmail_quote">On Mon, Feb 21, 2011 at 5:10 PM, Spencer Thomason <span dir="ltr"><<a href="mailto:spencer@5ninesolutions.com">spencer@5ninesolutions.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Yes, that works great if they respond to the challenge with a failed<br>
auth. But the scenario I'm trying to prevent is if they just send the<br>
INVITE and never respond to the challenge. Fail2Ban will not work as<br>
every endpoint will initially send an INVITE and receive a challenge.<br>
Legit calls will then respond correctly and not be logged as a SIP<br>
auth failure but every call that is challenged will show up as SIP<br>
auth challenge in the logs so there is no regex to differentiate<br>
between legit an non legit traffic.<br>
<font color="#888888"><br>
Spencer<br>
</font><div><div></div><div class="h5"><br>
On Feb 20, 2011, at 10:39 PM, Ken Rice wrote:<br>
<br>
> Fail2Ban ... This is block an IP with too many failed attempts from<br>
> something like SipVicious pretty quickly<br>
><br>
><br>
> On 2/20/11 11:07 PM, "Spencer Thomason" <<a href="mailto:spencer@5ninesolutions.com">spencer@5ninesolutions.com</a>><br>
> wrote:<br>
><br>
>> Hi,<br>
>> We run hosted Freeswitch instances in VMs with the internal profile<br>
>> on<br>
>> port 5060 connecting to clients mostly behind NAT and then the<br>
>> external profile connecting to our proxies only. Protecting the<br>
>> external profile its straightforward.. we only allow traffic to/from<br>
>> our proxies at the firewall level. But protecting the internal<br>
>> profile seems to be a bit more difficult because the UACs could be<br>
>> theoretically anywhere on the network.<br>
>><br>
>> I'm currently using Fail2Ban to prevent brute force registration and<br>
>> INVITEs on auth failures, e.g.:<br>
>> failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\)<br>
>> on sofia profile \'\w+\' for \[.*\] from ip <HOST><br>
>> \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\)<br>
>> on sofia profile \'\w+\' for \[.*\] from ip <HOST><br>
>><br>
>> My question is, since its part of a normal SIP dialog to challenge<br>
>> the<br>
>> INVITE, is there any way to prevent a possible DoS from just sheer<br>
>> volume of incoming INVITEs on an Internet facing server<br>
>> automatically. I.e., If you block the logged challenge, you'd block<br>
>> all legitimate INVITEs and registrations. Since its UDP traffic I<br>
>> couldn't come up with a way to do it automatically at the iptables<br>
>> level. i.e. number of concurrent connections. Is there some option<br>
>> to<br>
>> just not respond if a client is sending a number of requests over a<br>
>> certain threshold? It might not stop them from sending the traffic<br>
>> but pretty soon they'd get the idea that it wasn't going to go<br>
>> anywhere. My concern is say there are 50 Freeswitch instances on a<br>
>> box (albeit 8 core, 32GB ram, 8 15K raid 10 storage) and someone<br>
>> starts sending thousands of rouge INVITEs to every VM on a physical<br>
>> box that the CPU load from just challenging the incoming INVITEs<br>
>> would<br>
>> create a DoS. We the logs regularly to try to catch people doing<br>
>> this<br>
>> sort of thing and drop them at a router upstream of the core network,<br>
>> but I'd like to have it happen without human intervention. Have I<br>
>> completely over thought this and am missing something obvious?<br>
>><br>
>> Thanks,<br>
>> Spencer<br>
>><br>
>><br>
>> _______________________________________________<br>
>> FreeSWITCH-users mailing list<br>
>> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
>> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
>> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
>> <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
><br>
><br>
><br>
> _______________________________________________<br>
> FreeSWITCH-users mailing list<br>
> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
> <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
><br>
<br>
<br>
_______________________________________________<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Sincerely<br><br>Jay<br>
</div>