[Freeswitch-users] DOS attack

jay binks jaybinks at gmail.com
Thu Mar 31 02:51:45 MSD 2011


then set up and run Fail2Ban
http://wiki.freeswitch.org/wiki/Fail2ban

and to help with the register flood you should look at using Kristian's
SIP DoS script to put packet per sec limits on registers.

http://etel.wiki.oreilly.com/wiki/index.php/SIP_DoS/DDoS_Mitigation

Jay


On Thu, Mar 31, 2011 at 8:46 AM, Michael Collins <msc at freeswitch.org> wrote:

> Sounds like the friend-scanner. Check this out:
> http://wiki.freeswitch.org/wiki/FS_weekly_2011_02_23#Featured_Presentation
>
> Of course, you should look into those packets to see what, exactly, they
> are. Also, if you can block that IP address outright on your firewall that
> would be good, too.
>
> -MC
>
>
> On Wed, Mar 30, 2011 at 3:39 PM, Brian May <brian at microcomaustralia.com.au> wrote:
>
>> Hello,
>>
>> This morning, I got the following message:
>>
>> [241824.279299] Out of memory: kill process 20570 (freeswitch) score
>> 17388 or a child
>>
>> Since then I have plenty of memory.
>>
>> Since then I have noticed that I am receiving almost 400 packets a
>> second along the lines of:
>>
>> 2011-03-31 06:57:25.541284 [WARNING] sofia_reg.c:1246 SIP auth
>> challenge (REGISTER) on sofia profile 'internal' for
>> [224586792 at 59.167.180.194] from ip 95.154.248.17
>> 2011-03-31 06:57:25.543256 [WARNING] sofia_reg.c:1246 SIP auth
>> challenge (REGISTER) on sofia profile 'internal' for
>> [3728015026 at 59.167.180.194] from ip 95.154.248.17
>> 2011-03-31 06:57:25.547261 [WARNING] sofia_reg.c:1246 SIP auth
>> challenge (REGISTER) on sofia profile 'internal' for
>> [224586792 at 59.167.180.194] from ip 95.154.248.17
>> 2011-03-31 06:57:25.559259 [WARNING] sofia_reg.c:1246 SIP auth
>> challenge (REGISTER) on sofia profile 'internal' for
>> [3728015026 at 59.167.180.194] from ip 95.154.248.17
>> 2011-03-31 06:57:25.564311 [WARNING] sofia_reg.c:1246 SIP auth
>> challenge (REGISTER) on sofia profile 'internal' for
>> [224586792 at 59.167.180.194] from ip 95.154.248.17
>> 2011-03-31 06:57:25.574287 [WARNING] sofia_reg.c:1246 SIP auth
>> challenge (REGISTER) on sofia profile 'internal' for
>> [3728015026 at 59.167.180.194] from ip 95.154.248.17
>> 2011-03-31 06:57:25.578259 [WARNING] sofia_reg.c:1246 SIP auth
>> challenge (REGISTER) on sofia profile 'internal' for
>> [3728015026 at 59.167.180.194] from ip 95.154.248.17
>> 2011-03-31 06:57:25.587276 [WARNING] sofia_reg.c:1246 SIP auth
>> challenge (REGISTER) on sofia profile 'internal' for
>> [224586792 at 59.167.180.194] from ip 95.154.248.17
>> 2011-03-31 06:57:25.593266 [WARNING] sofia_reg.c:1246 SIP auth
>> challenge (REGISTER) on sofia profile 'internal' for
>> [3728015026 at 59.167.180.194] from ip 95.154.248.17
>> 2011-03-31 06:57:25.595256 [WARNING] sofia_reg.c:1246 SIP auth
>> challenge (REGISTER) on sofia profile 'internal' for
>> [3728015026 at 59.167.180.194] from ip 95.154.248.17
>>
>> These packets continue even though I stopped freeswitch:
>>
>> 09:38:30.132408 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length:
>> 362
>> 09:38:30.132915 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length:
>> 366
>> 09:38:30.137077 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length:
>> 362
>> 09:38:30.138790 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length:
>> 364
>> 09:38:30.142020 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length:
>> 361
>> 09:38:30.144696 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length:
>> 366
>> 09:38:30.147442 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length:
>> 362
>> 09:38:30.150147 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length:
>> 366
>> 09:38:30.153407 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length:
>> 362
>> 09:38:30.155827 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length:
>> 367
>> 09:38:30.159236 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length:
>> 363
>> 09:38:30.161730 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length:
>> 366
>> 09:38:30.165435 IP 95.154.248.17.5124 > 59.167.180.194.5060: SIP, length:
>> 363
>> 09:38:30.168153 IP 95.154.248.17.5115 > 59.167.180.194.5060: SIP, length:
>> 366
>>
>> I don't recognise this IP address - 95.154.248.17.
>>
>> Could this be related to the out of memory issue? If so, does this
>> indicate some sort of memory leak inside freeswitch? Or is this normal
>> expected behaviour when receiving so many connection attempts?
>>
>> Thanks
>> --
>> Brian May <brian at microcomaustralia.com.au>
>>
>> _______________________________________________
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>
>


-- 
Sincerely

Jay
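
Added example (not part of the original messages, and neither the Fail2Ban filter nor the SIP DoS script linked above): a sliding-window counter over FreeSWITCH log lines in the format quoted in this thread, flagging source IPs whose challenged REGISTERs exceed a per-second limit. The log entries are constructed, the addresses are documentation ranges, and the function names and the limit of 5 per second are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One log entry per line, in the format of the sofia_reg.c warnings quoted above.
CHALLENGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) \[WARNING\] "
    r"sofia_reg\.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile "
    r"'(?P<profile>[^']+)' for \[(?P<user>[^\]]+)\] from ip (?P<ip>[0-9A-Fa-f:.]+)\s*$"
)

def find_register_floods(lines, max_hits=5, window=timedelta(seconds=1)):
    """Map each source IP that exceeds max_hits challenged REGISTERs inside
    one sliding window to the timestamp at which it first crossed the limit.
    Assumes the lines are in chronological order, as in a live log."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = CHALLENGE_RE.match(line)
        if not m:
            continue              # unrelated log line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] >= window:
            hits.popleft()        # expire entries older than the window
        if len(hits) > max_hits:
            offenders.setdefault(m["ip"], ts)
    return offenders

def sample_log():
    """Constructed input: one flooding source and one ordinary phone."""
    base = datetime(2011, 3, 31, 6, 57, 25, 541000)
    fmt = ("{ts} [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on "
           "sofia profile 'internal' for [{user}@192.0.2.10] from ip {ip}")
    # Flood: a REGISTER every 5 ms, alternating between two user names.
    rows = [(base + timedelta(milliseconds=5 * i), str(1000 + i % 2), "203.0.113.7")
            for i in range(10)]
    # Ordinary phone: one challenged REGISTER per 30 s re-registration.
    rows += [(base + timedelta(seconds=30 * i), "1001", "198.51.100.20")
             for i in range(3)]
    return [fmt.format(ts=t.strftime("%Y-%m-%d %H:%M:%S.%f"), user=u, ip=ip)
            for t, u, ip in sorted(rows)]

if __name__ == "__main__":
    for ip, when in find_register_floods(sample_log()).items():
        print(f"{ip} exceeded the REGISTER limit at {when}")
```

A normally configured phone also triggers one auth challenge per registration, so the limit has to sit above the legitimate re-register rate, including several phones sharing one NAT address.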