Long-time listener, first time poster. ;) Actually just came back to Gainesville and am trying to get more active in the community. Anyway... there's been a tremendous amount of DDoS/SIP flood attacks from Amazon EC2 space over the last few days with an extremely disappointing response from Amazon. The overview is posted on VoIP Tech Chat at:
http://www.voiptechchat.com/voip/457/amazon-ec2-sip-brute-force-attacks-on-rise/
There's been a bunch of different discussions on ways to combat the attacks, including redirecting the attacks to a different port (and responding with a fake message), iptables, fail2ban, etc.
The redirect had mixed results... and I didn't want the fail2ban, so I put up a little Perl script for automatically blocking the traffic via a dedicated iptables chain. The script is posted on Team Forrest:
http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/
If you have any other thoughts, that would be great... Generally I like to block on the router or on a dedicated filtering system... Some people have discussed writing code for Asterisk, OpenSER, FreeSWITCH, etc. to handle this within the software. Personally, I don't like that method for 2 reasons (but of course, I can always change my mind with a good argument). My thoughts are... (1) It's not the Linux way, i.e. get a separate program to do it and do it very well... and (2) I want the traffic blocked before it reaches the Asterisk (or other SIP) process.
Anyway... glad to be back in town.
---fred
http://qxork.com
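The approach described above (watch the Asterisk log for "No matching peer found" registration failures and drop the offending sources in a dedicated iptables chain) as an added Python example; this is not fred's Perl script, and the log lines, the `SIPBLOCK` chain name and the threshold are constructed assumptions. It only generates the iptables commands so it can be reviewed before anything is applied.

```python
import re
from collections import Counter

# Constructed sample of Asterisk "messages" log lines (not real traffic).
# Older chan_sip builds log "failed for 'IP'"; newer ones append ":port".
SAMPLE_LOG = """\
[Apr 10 03:12:01] NOTICE[2201] chan_sip.c: Registration from '"100" <sip:100@10.0.0.5>' failed for '203.0.113.7' - No matching peer found
[Apr 10 03:12:01] NOTICE[2201] chan_sip.c: Registration from '"101" <sip:101@10.0.0.5>' failed for '203.0.113.7' - No matching peer found
[Apr 10 03:12:02] NOTICE[2201] chan_sip.c: Registration from '"102" <sip:102@10.0.0.5>' failed for '203.0.113.7:5060' - No matching peer found
[Apr 10 03:12:02] NOTICE[2201] chan_sip.c: Registration from '"1000" <sip:1000@10.0.0.5>' failed for '198.51.100.9' - Wrong password
[Apr 10 03:12:03] NOTICE[2201] chan_sip.c: Registration from '"103" <sip:103@10.0.0.5>' failed for '203.0.113.7' - No matching peer found
[Apr 10 03:12:05] NOTICE[2201] chan_sip.c: Registration from '"2000" <sip:2000@10.0.0.5>' failed for '192.0.2.44' - No matching peer found
"""

# Match the source address of a "No matching peer found" failure, with or without a port.
NO_PEER_RE = re.compile(
    r"failed for '(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - No matching peer found")

CHAIN = "SIPBLOCK"  # hypothetical name for the dedicated chain


def count_no_peer(log_text):
    """Return {source_ip: number of 'No matching peer found' failures}."""
    hits = Counter()
    for line in log_text.splitlines():
        m = NO_PEER_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def offenders(log_text, threshold=3, whitelist=()):
    """Source IPs at or above the failure threshold, minus any whitelisted ones."""
    return sorted(ip for ip, n in count_no_peer(log_text).items()
                  if n >= threshold and ip not in whitelist)


def iptables_commands(ips, chain=CHAIN):
    """Commands that create the chain once, hook it into INPUT ahead of the SIP
    process, and add one DROP per offender. Uses -C (iptables >= 1.4.11) so the
    script can run repeatedly from cron without duplicating rules."""
    cmds = [
        f"iptables -N {chain} 2>/dev/null || true",
        f"iptables -C INPUT -p udp --dport 5060 -j {chain} 2>/dev/null || "
        f"iptables -I INPUT -p udp --dport 5060 -j {chain}",
    ]
    for ip in ips:
        cmds.append(f"iptables -C {chain} -s {ip} -j DROP 2>/dev/null || "
                    f"iptables -A {chain} -s {ip} -j DROP")
    return cmds
```

Run it against `/var/log/asterisk/messages` and pipe the output to `sh` once you are happy with the list; the whitelist argument is there so your own trunks never get dropped.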