<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Thanks for the info! Yes it would be great if Freeswitch logged this info somewhere but this firewall script was was I was trying to accomplish. :-) I was trying to do this with the minimal amount of overhead and I think that might be the ticket. The cool thing about having Freeswitch log it and then pick it up with Fail2ban would be that you could define the limit per user/IP. Say for instance you are using Freeswitch as an SBC and if the invite matches a user or an IP that is known, that limit could be much higher than an unknown IP or user. That would keep you from having to define a limit that is overly "safe" to prevent blocking real traffic especially if you are talking about a lot of traffic.<div><br></div><div>Thanks again,</div><div>Spencer</div><div><br><div><div><div>On Feb 20, 2011, at 11:22 PM, jay binks wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>Howdy</div><div><br></div><div> mmm I just had a quick look at mod_sofia , and unfortunatly it looks like the channel is hungup after the challenge is sent. But my guess is that there HAS To be a list or similar somewhere that tracks endpoints waiting for challenge responses.</div> <div><br></div><div>Ill see if can track it down and submit a patch, because I too would like to see this at least logged.</div><div><br></div><div>as for rate-limiting responses you can have iptables drop packets over X number of invites per sec ... </div> <div>( But they are dropped silently at the Firewall - Kristians SIP Ratelimiter has this in it ) </div><div><br></div><div>or you can use mod_limit to allow X number of invites per sec also, you would want to tell FS to hit the dialplan before codec negotiation though to do that nice and early in the piece.</div> <div><br></div><div>Jay</div><div><br><div class="gmail_quote">On Mon, Feb 21, 2011 at 5:10 PM, Spencer Thomason <span dir="ltr"><<a href="mailto:spencer@5ninesolutions.com">spencer@5ninesolutions.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Yes, that works great if they respond to the challenge with a failed<br> auth. But the scenario I'm trying to prevent is if they just send the<br> INVITE and never respond to the challenge. Fail2Ban will not work as<br> every endpoint will initially send an INVITE and receive a challenge.<br> Legit calls will then respond correctly and not be logged as a SIP<br> auth failure but every call that is challenged will show up as SIP<br> auth challenge in the logs so there is no regex to differentiate<br> between legit an non legit traffic.<br> <font color="#888888"><br> Spencer<br> </font><div><div></div><div class="h5"><br> On Feb 20, 2011, at 10:39 PM, Ken Rice wrote:<br> <br> > Fail2Ban ... This is block an IP with too many failed attempts from<br> > something like SipVicious pretty quickly<br> ><br> ><br> > On 2/20/11 11:07 PM, "Spencer Thomason" <<a href="mailto:spencer@5ninesolutions.com">spencer@5ninesolutions.com</a>><br> > wrote:<br> ><br> >> Hi,<br> >> We run hosted Freeswitch instances in VMs with the internal profile<br> >> on<br> >> port 5060 connecting to clients mostly behind NAT and then the<br> >> external profile connecting to our proxies only. Protecting the<br> >> external profile its straightforward.. we only allow traffic to/from<br> >> our proxies at the firewall level. But protecting the internal<br> >> profile seems to be a bit more difficult because the UACs could be<br> >> theoretically anywhere on the network.<br> >><br> >> I'm currently using Fail2Ban to prevent brute force registration and<br> >> INVITEs on auth failures, e.g.:<br> >> failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\)<br> >> on sofia profile \'\w+\' for \[.*\] from ip <HOST><br> >> \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\)<br> >> on sofia profile \'\w+\' for \[.*\] from ip <HOST><br> >><br> >> My question is, since its part of a normal SIP dialog to challenge<br> >> the<br> >> INVITE, is there any way to prevent a possible DoS from just sheer<br> >> volume of incoming INVITEs on an Internet facing server<br> >> automatically. I.e., If you block the logged challenge, you'd block<br> >> all legitimate INVITEs and registrations. Since its UDP traffic I<br> >> couldn't come up with a way to do it automatically at the iptables<br> >> level. i.e. number of concurrent connections. Is there some option<br> >> to<br> >> just not respond if a client is sending a number of requests over a<br> >> certain threshold? It might not stop them from sending the traffic<br> >> but pretty soon they'd get the idea that it wasn't going to go<br> >> anywhere. My concern is say there are 50 Freeswitch instances on a<br> >> box (albeit 8 core, 32GB ram, 8 15K raid 10 storage) and someone<br> >> starts sending thousands of rouge INVITEs to every VM on a physical<br> >> box that the CPU load from just challenging the incoming INVITEs<br> >> would<br> >> create a DoS. We the logs regularly to try to catch people doing<br> >> this<br> >> sort of thing and drop them at a router upstream of the core network,<br> >> but I'd like to have it happen without human intervention. Have I<br> >> completely over thought this and am missing something obvious?<br> >><br> >> Thanks,<br> >> Spencer<br> >><br> >><br> >> _______________________________________________<br> >> FreeSWITCH-users mailing list<br> >> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br> >> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br> >> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br> >> <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br> ><br> ><br> ><br> > _______________________________________________<br> > FreeSWITCH-users mailing list<br> > <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br> > <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br> > UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br> > <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br> ><br> <br> <br> _______________________________________________<br> FreeSWITCH-users mailing list<br> <a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br> <a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br> UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br> <a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br> </div></div></blockquote></div><br><br clear="all"><br>-- <br>Sincerely<br><br>Jay<br> </div></blockquote></div><br></div></div></body></html>