[Freeswitch-users] What kind of attack is this?

Mimiko vbvbrj at gmail.com
Mon Oct 14 18:28:16 MSD 2013


Hello.

Recently I see a DDoS on one interface and the FS module callcenter is working
irregularly. tcpdump shows this:

17:17:42.410306 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 364)
     50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 336
E..l.. at .0...2.%
MY.".....XW.REGISTER sip:A.B.C.D SIP/2.0
Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-3646224729;rport
Content-Length: 0
From: "6796" <sip:6796 at A.B.C.D>
Accept: application/sdp
User-Agent: friendly-scanner
To: "6796" <sip:6796 at A.B.C.D>
Contact: sip:123 at 1.1.1.1
CSeq: 1 REGISTER
Call-ID: 360911671
Max-Forwards: 70


17:17:42.415504 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 365)
     50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 337
E..m.. at .0...2.%
MY.".....Y,.REGISTER sip:A.B.C.D SIP/2.0
Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-1538287390;rport
Content-Length: 0
From: "6796" <sip:6796 at A.B.C.D>
Accept: application/sdp
User-Agent: friendly-scanner
To: "6796" <sip:6796 at A.B.C.D>
Contact: sip:123 at 1.1.1.1
CSeq: 1 REGISTER
Call-ID: 3912185912
Max-Forwards: 70


17:17:42.420997 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 365)
     50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 337
E..m.. at .0...2.%
MY.".....Y7.REGISTER sip:A.B.C.D SIP/2.0
Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-3729326239;rport
Content-Length: 0
From: "6796" <sip:6796 at A.B.C.D>
Accept: application/sdp
User-Agent: friendly-scanner
To: "6796" <sip:6796 at A.B.C.D>
Contact: sip:123 at 1.1.1.1
CSeq: 1 REGISTER
Call-ID: 2188845586
Max-Forwards: 70


17:17:42.425886 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 365)
     50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 337
E..m.. at .0...2.%
MY.".....Y3.REGISTER sip:A.B.C.D SIP/2.0
Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-2208974380;rport
Content-Length: 0
From: "6796" <sip:6796 at A.B.C.D>
Accept: application/sdp
User-Agent: friendly-scanner
To: "6796" <sip:6796 at A.B.C.D>
Contact: sip:123 at 1.1.1.1
CSeq: 1 REGISTER
Call-ID: 4149361432
Max-Forwards: 70


17:17:42.431126 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 364)
     50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 336
E..l.. at .0...2.%
MY.".....X..REGISTER sip:A.B.C.D SIP/2.0
Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-725880732;rport
Content-Length: 0
From: "6796" <sip:6796 at A.B.C.D>
Accept: application/sdp
User-Agent: friendly-scanner
To: "6796" <sip:6796 at A.B.C.D>
Contact: sip:123 at 1.1.1.1
CSeq: 1 REGISTER
Call-ID: 1466795680
Max-Forwards: 70


17:17:42.436476 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 365)
     50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 337
E..m.. at .0...2.%
MY.".....Y6.REGISTER sip:A.B.C.D SIP/2.0
Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-3259665948;rport
Content-Length: 0
From: "6796" <sip:6796 at A.B.C.D>
Accept: application/sdp
User-Agent: friendly-scanner
To: "6796" <sip:6796 at A.B.C.D>
Contact: sip:123 at 1.1.1.1
CSeq: 1 REGISTER
Call-ID: 3328716097
Max-Forwards: 70


17:17:42.441541 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 364)
     50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 336
E..l.. at .0...2.%
MY.".....XT.REGISTER sip:A.B.C.D SIP/2.0
Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-2487219966;rport
Content-Length: 0
From: "6796" <sip:6796 at A.B.C.D>
Accept: application/sdp
User-Agent: friendly-scanner
To: "6796" <sip:6796 at A.B.C.D>
Contact: sip:123 at 1.1.1.1
CSeq: 1 REGISTER
Call-ID: 684380132
Max-Forwards: 70


In iptables I have this:
  1637  597K DROP       all  --  *      *       50.30.37.10          0.0.0.0/0
     0     0 DROP       all  --  *      *       62.75.212.215        0.0.0.0/0

So packets from that IP are not dropped. How is that? Does FS have a bug?

-- 
Mimiko desu.
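An added example, not part of the post above or of FreeSWITCH, showing how a defender can triage a capture like this one. It parses tcpdump text output of the shape shown in the post, groups requests by the IP-layer source address (the address a firewall rule actually matches on; the host in the Via header is only what the sender claims), and flags sources that identify themselves with a known scanner User-Agent such as `friendly-scanner` (the User-Agent sent by the SIPVicious toolkit), send Via hosts that differ from their IP source, or burst at a high request rate. The sample dump is constructed after the post's capture: `50.30.37.10` and `62.75.212.215` come from the post, `A.B.C.D` is the post's own placeholder, and the third packet from `203.0.113.7` with User-Agent `constructed-phone/1.0` is made up to show a non-flagged source. Note that tcpdump sees frames before netfilter's INPUT chain evaluates them, so a DROP rule never hides packets from tcpdump; the rule counter is the place to look.

```python
"""Triage tcpdump text output of SIP traffic per source address (added example)."""
import re
from collections import defaultdict

# Constructed sample in the shape of the post's tcpdump output (two packets
# modelled on the post, one made-up benign OPTIONS from 203.0.113.7).
SAMPLE_DUMP = """\
17:17:42.410306 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 364)
     50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 336
E..l..@.0...2.%
MY.".....XW.REGISTER sip:A.B.C.D SIP/2.0
Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-3646224729;rport
Content-Length: 0
From: "6796" <sip:6796@A.B.C.D>
User-Agent: friendly-scanner
To: "6796" <sip:6796@A.B.C.D>
Contact: sip:123@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 360911671
Max-Forwards: 70

17:17:42.415504 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto UDP (17), length 365)
     50.30.37.10.5064 > A.B.C.D.5060: [udp sum ok] UDP, length 337
E..m..@.0...2.%
MY.".....Y,.REGISTER sip:A.B.C.D SIP/2.0
Via: SIP/2.0/UDP 62.75.212.215:5064;branch=z9hG4bK-1538287390;rport
Content-Length: 0
From: "6796" <sip:6796@A.B.C.D>
User-Agent: friendly-scanner
To: "6796" <sip:6796@A.B.C.D>
Contact: sip:123@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 3912185912
Max-Forwards: 70

17:17:50.000000 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto UDP (17), length 300)
     203.0.113.7.5060 > A.B.C.D.5060: [udp sum ok] UDP, length 272
E..,..@.<...OPTIONS sip:A.B.C.D SIP/2.0
Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-1;rport
From: <sip:ping@203.0.113.7>
User-Agent: constructed-phone/1.0
Content-Length: 0
"""

PKT_START = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP ", re.M)
FLOW = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\S+)\.(\d+):", re.M)
REQ = re.compile(r"\b(REGISTER|INVITE|OPTIONS|SUBSCRIBE|NOTIFY|ACK|BYE|CANCEL)\s+sip:\S+\s+SIP/2\.0")
HDR = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(.*?)\s*$", re.M)
VIA_HOST = re.compile(r"SIP/2\.0/\w+\s+([^;:\s]+)")
SCANNER_UA = ("friendly-scanner", "sipvicious")  # well-known scanner User-Agents


def _ts(stamp):
    """'17:17:42.410306' -> seconds since midnight as float."""
    h, m, s = stamp.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_dump(text):
    """Split tcpdump text into packets and pull out the fields worth triaging."""
    starts = [m.start() for m in PKT_START.finditer(text)] + [len(text)]
    packets = []
    for a, b in zip(starts, starts[1:]):
        chunk = text[a:b]
        flow = FLOW.search(chunk)
        if not flow:
            continue
        req = REQ.search(chunk)
        headers = {k.lower(): v for k, v in HDR.findall(chunk)}
        via = VIA_HOST.search(headers.get("via", ""))
        packets.append({
            "ts": _ts(chunk.split(" ", 1)[0]),
            "src": flow.group(1),            # IP-layer source: what iptables matches on
            "method": req.group(1) if req else None,
            "user_agent": headers.get("user-agent", ""),
            "via_host": via.group(1) if via else None,  # claimed by the sender
            "from": headers.get("from", ""),
        })
    return packets


def summarize(packets):
    """Aggregate per IP source: count, time span, methods, UAs, Via hosts."""
    by_src = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                  "methods": set(), "user_agents": set(),
                                  "via_hosts": set(), "via_mismatch": False})
    for p in packets:
        s = by_src[p["src"]]
        s["count"] += 1
        s["first"] = p["ts"] if s["first"] is None else min(s["first"], p["ts"])
        s["last"] = p["ts"] if s["last"] is None else max(s["last"], p["ts"])
        if p["method"]:
            s["methods"].add(p["method"])
        if p["user_agent"]:
            s["user_agents"].add(p["user_agent"])
        if p["via_host"]:
            s["via_hosts"].add(p["via_host"])
            if p["via_host"] != p["src"]:
                s["via_mismatch"] = True
    return dict(by_src)


def assess(summary, min_rate=20.0):
    """Return {src: [reasons]} for sources that look like scanners."""
    findings = {}
    for src, s in summary.items():
        reasons = []
        if any(tag in ua.lower() for ua in s["user_agents"] for tag in SCANNER_UA):
            reasons.append("known scanner User-Agent")
        span = max(s["last"] - s["first"], 1e-3)  # avoid division by zero
        if s["count"] > 1 and s["count"] / span >= min_rate:
            reasons.append("high request rate")
        if s["via_mismatch"]:
            reasons.append("Via host differs from IP source (block on the IP source)")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in assess(summarize(parse_dump(SAMPLE_DUMP))).items():
        print(src, "->", "; ".join(reasons))
```

Run it on a real capture with `tcpdump -nn -A port 5060 > dump.txt` and feed the file contents to `parse_dump`. The rate threshold is deliberately crude; on a short burst it mostly confirms what the scanner User-Agent already tells you, and the useful output is the IP source address, which is the value to compare against the iptables rule counters.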


